
sander_ha

Is there a way to have 2 separate middleware setups for a GraphQL API? A webapp needs to use the API and use JWT with CSRF middleware disabled, while another webapp simply needs to use the CSRF token to use the API (no login)

nightjarnz

Use a middleware to inject middleware? :>

nightjarnz

Yes, of course :P instead of delegate($next) do something more along the lines of ThatNewMiddleware($delegate, $next) or something. Might not be 'exact' in terms of 'correctness', but should still be doable I think.

Scopey

Middleware can read a request and choose to apply itself. They can both be configured middleware but can also both be picky about which request they actually validate.

sander_ha

Aha.. So I could check the request in middleware, and choose to apply CSRF middleware or not?

adrexia

JWT: Has anyone had to handle timing out logins after a period of inactivity?

gened

Are you using the refreshToken mutation to renew the token?

adrexia

Not currently - I’m still trying to get my head around this. How would we build that in normally? Does that mean we send refresh requests from the FE?

gened

Depends how you want to architect it really. Are you using Apollo to handle auth/graphql requests?

gened

You could poll the server to check if the token is valid (there is a valid query as well). If you are using Apollo you could build middleware to handle it: if the query fails due to auth then try a refresh of the token and then retry the query, otherwise log the user out

gened

You could then expire the token on the server so the user can’t refresh after a certain period

gened

This is a great article explaining an ideal workflow - https://blog.hasura.io/best-practices-of-using-jwt-with-graphql/

Hasura Blog
The Ultimate Guide to handling JWTs on frontend clients (GraphQL)

JWTs are becoming a popular way of handling auth. This post aims to demystify what a JWT is, discuss its pros/cons and cover best practices in implementing JWT on the client-side, keeping security in mind.

sander_ha

Hmm, doesn’t the refreshToken mutation work pretty well?

adrexia

I built an endpoint to check if the token was still valid. Currently it’s called on route change, though I have some reservations about that

gened

The SS JWT module has a validateToken mutation

gened

Yeah, not sure route change is the best option.. the way I do it is if a request returns unauthorised, I try to refresh the token.. if that fails I log them out. I do this by an Apollo onError link

adrexia

In our case the endpoints aren’t protected, there is just slightly different information displayed if someone is logged in

gened

In that case not sure, I handle it via error handling and overriding the graphql Manager’s error handling

gened

Found it a bit of a sore point in working with SS graphql tbh

gened

Depends how you want to architect it, middleware could work. Or via exception handling. On handling of a certain exception you could return an auth error

adrexia

I really wish this stuff came with an opinionated architecture

adrexia

but there seem to be a million ways to do the thing, and they all feel a bit like hacks

adrexia

It’s strange that logout is such a … bolted on piece of functionality in a system used for auth.

gened

Yeah, silverstripe graphql is only in its infancy. So it doesn’t have much of an opinion I suppose. The docs suggest throwing an exception, but that is as far as it goes.. I suppose any more opinion is then telling the dev how to build their FE app. It might be good to look at what Apollo Server or Graphcool do

adrexia

Oh, I meant jwt in general. The number of articles that are like “jwt doesn’t support logout, but here’s how you can ignore normal jwt rules and logout anyway”

gened

Well if the JWT isn’t there or it is invalid then you are logged out 🙂

adrexia

Is it normal for the JWT module to get confused when there is a CMS user logged in at the same time? For instance, logOut sometimes fails when a user is logged into the CMS with a different account.

adrexia

I guess it’s a bit of an edge case. It’d mostly catch devs and testers