This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Head's Up! These forums are read-only. All users and content have migrated. Please join us at community.neo4j.com.
- Neo4j
- Technical Discussions
- Drivers & Stacks
- Re: isAuthenticated directive ignored in Apollo Fe...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
isAuthenticated directive ignored in Apollo Federated Gateway schema
03-01-2021 08:30 AM
Hello everybody,
This morning I created this issue on GitHub regarding the Authentication directive being ignored for GraphQL Grand stack federated augmented schema called through the Gateway.
In short:
-
running the Apollo GraphQL Server directly with the augmented schema the @isAuthenticated directive works as expected
-
running the Apollo GraphQL Server with federated schema based on the augmented one and calling the API through the Gateway doesn't work and the @isAuthenticated directive is not respected (you can call the API without providing JWT into the Authorization header )
p.s same behaviour if you call the API directly and not via the Gateway
For more details and code examples please refer to the GitHub issue above.
Any general input on this and how to debug it is more than welcome.
Thank you
Bojanche S.
Labels:
- Labels:
-
GraphQL-and-GRANDstack
4 REPLIES 4
03-02-2021 11:23 AM
Here is a snipper I have. I need my API to be used always when authorised. So connection to database can be established only when there is a valid JWT
- Starting the Apollo server -Snippet
const server = new ApolloServer({
context: ({ req }) => {
if(req.headers['user-agent'].startsWith('auth0-logstream')) {
req.body.logs.forEach(log => {
// authLogger.log(log);
})
}
const realIp = req.headers['x-real-ip'];
// logger.info({query: req.body.query, variables: req.body.variables, clientIp: realIp});
/*
Order of operations - All must pass
1. Decode Session Token
2. Verify Session Token
3. Get Email of the user
*/
let sessionVerified = false;
if(req.headers.authorization === undefined || req.headers.authorization === null) {
// logger.error({'type':'unauthenticated', clientIp: realIp})
throw new AuthenticationError('Unauthorized, Must Authenticate to access this resource.');
}
const decodedToken = jwt_decode(req.headers.authorization.replace('Bearer ', ''));
const decoded = jwt.verify(req.headers.authorization.replace('Bearer ', ''), process.env.JWT_SECRET);
if(decoded) {
sessionVerified = true;
}
// Locate the email thingy from JWT
const email = decodedToken['https://authdomain.io/email'] ? decodedToken['https://authdomain.io/email'] : null;
if(email === null || email === undefined) {
throw new AuthenticationError("Oye mate, You're naughty.")
}
return {
driver,
// DB name on the server - using the email
neo4jDatabase: email.split('@')[1].replace('.', ''),
headers: req.headers,
token: req.headers.token,
cypherParams: {
variables: req.body.variables,
email
},
req
}
},
engine: {
reportSchema: true
},
schema: augmentedSchema,
introspection: true,
playground: false,
});
// Starting the server
server.listen(4000, '0.0.0.0')
.then(({ url }) => {
console.log(\`🚀 GraphQL API is ready at ${url}\`);
})
.catch(err => {
console.error('Failed to start server');
console.error('--Details--');
console.dir(err);
})%
- Schema: Here is a sample schema for a Node where user can read or delete only. These are permissions that come from JWT. I hope this helps.
type Bojanche @hasScope(scopes: ["Bojanche: Read", "Bojanche: Delete"]) {
id: ID @index
name: String! @index
}
03-02-2021 11:34 AM
In my case, I am using Auth0 and starting a GrandStack with Auth0 is quite easy. I think what you are missing is using the hasScope directives and hasRoles directives.
03-03-2021 12:34 AM
Hello @uday
Thanks for the reply.
As I mentioned @isAuthenticared is working fine in the standalone API created with the augmented schema.
The problem comes when I convert the same augmentedSchema to a federated one in order to be used through Apollo Federation Gateway.
const schema = buildFederatedSchema([augmentedSchema]);
At this point calling the service directly or through the gateway ignores the @isAuthenticared, despite that the request is valid and can have or not the proper JWT.
Kind Regards,
Bojanche S.
03-16-2021 04:47 AM
@bokjo I actually took time to learn about Apollo Gateway. I do not have an answer for you as I have no clue mate.
Did you read this on grandstack? Using Apollo Federation and Gateway With Neo4j | GRANDstack
Nodes 2022
NODES 2022, Neo4j Online Education Summit
All the sessions of the conference are now available online
Related Content
- Unknown function 'apoc.util.validatePredicate' in Drivers & Stacks
- Schema-wide @auth(rules: [{isAuthenticated: true}]) directive for all the types in the Schema in Drivers & Stacks
- [GraphQL error]: Message: There is no procedure with the name `apoc.util.validate` registered for this database instance in Neo4j Graph Platform
- Unknown Directive in Netlify Production using GRANDstack in Drivers & Stacks
- isAuthenticated directive ignored in Apollo Federated Gateway schema in Drivers & Stacks
