UNPKG

@graphql-yoga/plugin-jwt

Version:

jwt plugin for GraphQL Yoga.

github.com/dotansimha/graphql-yoga

dotansimha/graphql-yoga

96 lines (95 loc) 3.5 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
import { createGraphQLError } from 'graphql-yoga'; import jsonwebtoken from 'jsonwebtoken'; import { JwksClient } from 'jwks-rsa'; const { decode } = jsonwebtoken; export function useJWT(options) { if (!options.signingKey && !options.jwksUri) { throw new TypeError('You need to provide either a signingKey or a jwksUri'); } if (options.signingKey && options.jwksUri) { throw new TypeError('You need to provide either a signingKey or a jwksUri, not both'); } const { extendContextField = 'jwt', getToken = defaultGetToken } = options; const payloadByRequest = new WeakMap(); let jwksClient; if (options.jwksUri) { jwksClient = new JwksClient({ cache: true, rateLimit: true, jwksRequestsPerMinute: 5, jwksUri: options.jwksUri, }); } return { async onRequest({ request, serverContext, url }) { const token = await getToken({ request, serverContext, url }); if (token != null) { const signingKey = options.signingKey ?? (await fetchKey(jwksClient, token)); const verified = await verify(token, signingKey, options); if (!verified) { throw unauthorizedError(`Unauthenticated`); } payloadByRequest.set(request, verified); } }, onContextBuilding({ context, extendContext }) { if (context.request == null) { throw new Error('Request is not available on context! Make sure you use this plugin with GraphQL Yoga.'); } const payload = payloadByRequest.get(context.request); if (payload != null) { extendContext({ [extendContextField]: payload, }); } }, }; } function unauthorizedError(message, options) { return createGraphQLError(message, { extensions: { http: { status: 401, }, }, ...options, }); } function verify(token, signingKey, options) { return new Promise((resolve, reject) => { jsonwebtoken.verify(token, signingKey, { ...options, algorithms: options?.algorithms ?? ['RS256'] }, (err, result) => { if (err) { // Should we expose the error message? Perhaps only in development mode? reject(unauthorizedError('Failed to decode authentication token', { originalError: err, })); } else { resolve(result); } }); }); } async function fetchKey(jwksClient, token) { const decodedToken = decode(token, { complete: true }); if (decodedToken?.header?.kid == null) { throw unauthorizedError(`Failed to decode authentication token. Missing key id.`); } const secret = await jwksClient.getSigningKey(decodedToken.header.kid); const signingKey = secret?.getPublicKey(); if (!signingKey) { throw unauthorizedError(`Failed to decode authentication token. Unknown key id.`); } return signingKey; } const defaultGetToken = ({ request }) => { const header = request.headers.get('authorization'); if (!header) { return; } const [type, token] = header.split(' '); if (type !== 'Bearer') { throw unauthorizedError(`Unsupported token type provided: "${type}"`); } return token; };