UNPKG

@envelop/auth0

Version:

This plugin validates an JWT token created by [Auth0](https://auth0.com/), and injects the Auth0 user properties into your GraphQL context. With this plugin, you can implement authentication and authorization in a simple way.

github.com/n1ru4l/envelop

n1ru4l/envelop

94 lines (93 loc) 3.86 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
/* eslint-disable no-console */ /* eslint-disable dot-notation */ import jwtPkg from 'jsonwebtoken'; import * as JwksRsa from 'jwks-rsa'; import { handleMaybePromise } from '@whatwg-node/promise-helpers'; const { decode, verify } = jwtPkg; export class UnauthenticatedError extends Error { } export const useAuth0 = (options) => { const jkwsClient = new JwksRsa.JwksClient({ cache: true, rateLimit: true, jwksRequestsPerMinute: 5, jwksUri: `https://${options.domain}/.well-known/jwks.json`, ...options.jwksClientOptions, }); const contextField = options.extendContextField || '_auth0'; const tokenType = options.tokenType || 'Bearer'; const headerName = options.headerName || 'authorization'; const extractFn = options.extractTokenFn || ((ctx = {}) => { const req = ctx['req'] || ctx['request'] || {}; const headers = req.headers || ctx['headers'] || null; if (!headers) { console.warn(`useAuth0 plugin unable to locate your request or headers on the execution context. Please make sure to pass that, or provide custom "extractTokenFn" function.`); } else { let authHeader = null; if (headers[headerName] && typeof headers[headerName] === 'string') { authHeader = headers[headerName] || null; } else if (headers.get && headers.has && headers.has(headerName)) { authHeader = headers.get(headerName) || null; } if (authHeader === null) { return null; } const split = authHeader.split(' '); if (split.length !== 2) { throw new Error(`Invalid value provided for header "${headerName}"!`); } else { const [type, value] = split; if (type !== tokenType) { throw new Error(`Unsupported token type provided: "${type}"!`); } else { return value; } } } return null; }); const verifyToken = (token) => { const decodedToken = decode(token, { complete: true, ...options.jwtDecodeOptions }) || {}; if (decodedToken && decodedToken.header && decodedToken.header.kid) { return handleMaybePromise(() => jkwsClient.getSigningKey(decodedToken.header.kid), secret => { const signingKey = secret.getPublicKey(); const decoded = verify(token, signingKey, { algorithms: ['RS256'], audience: options.audience, issuer: `https://${options.domain}/`, ...options.jwtVerifyOptions, }); return decoded; }); } throw new Error(`Failed to decode authentication token!`); }; return { onContextBuilding({ context, extendContext }) { return handleMaybePromise(() => extractFn(context), token => { if (token) { return handleMaybePromise(() => verifyToken(token), decodedPayload => { extendContext({ [contextField]: decodedPayload, }); }); } else if (options.preventUnauthenticatedAccess) { throw new UnauthenticatedError(`Unauthenticated!`); } }, e => { if (options.onError) { options.onError(e); } else { throw e; } }); }, }; };