Server-side Implementation

Generate JWT on Login

This code provides a basic implementation for a login resolver in a GraphQL server. However, it has a critical security flaw: it stores user passwords in plain text in the users array. Storing passwords in plain text is highly insecure and can lead to security breaches if the data is compromised.

const jwt = require('jsonwebtoken');

// Mock user data.
// NOTE: the password is stored in plain text; this is the flaw described above
// and is kept here as-is to show the insecure version.
const users = [
  { id: '1', username: 'john_doe', password: 'password', email: 'john@example.com' }
];

// Login resolver: (parent, args) -> { token, user }
const login = async (_, { username, password }) => {
  // Direct comparison against the plain-text password field
  const user = users.find(u => u.username === username && u.password === password);
  if (!user) throw new Error('Invalid username or password');

  // Sign a JWT carrying the user id; the secret is hardcoded here and expires after 1 hour
  const token = jwt.sign({ userId: user.id }, 'secretKey', { expiresIn: '1h' });
  return { token, user };
};

Explanation: This JavaScript code defines a simple login resolver for a GraphQL schema. It uses a hardcoded array of user objects to find a user with the provided username and password. If the user is found, it generates a JWT (token) using the jsonwebtoken library, signing it with a secret key and setting an expiration time of 1 hour. Finally, it returns an object containing the token and the authenticated user. If the user is not found or the password is incorrect, it throws an error.

Authorization Middleware

This code defines a context function for Apollo Server that extracts and verifies a JWT from the request headers. It throws an AuthenticationError if the token is missing, invalid, or expired. The context function is then passed to the Apollo Server constructor to be used for authentication in GraphQL resolvers.

const { ApolloServer, AuthenticationError } = require('apollo-server');
const jwt = require('jsonwebtoken');

// Context function: runs once per request, before any resolver
const context = ({ req }) => {
  // The raw value of the Authorization header is treated as the token
  const token = req.headers.authorization || '';
  if (!token) throw new AuthenticationError('Authentication token missing');

  try {
    // Verifies the signature and the exp claim with the same secret used at login
    const decoded = jwt.verify(token, 'secretKey');
    return { userId: decoded.userId };
  } catch (error) {
    throw new AuthenticationError('Invalid or expired token');
  }
};

// typeDefs and resolvers are the schema and resolver map defined earlier in the article
const server = new ApolloServer({
  typeDefs,
  resolvers,
  context
});

Explanation: This code sets up a context function for Apollo Server that extracts the JWT from the request headers, verifies it using the 'jsonwebtoken' library, and returns the decoded user ID if the token is valid. If the token is missing, invalid, or expired, it throws an AuthenticationError. The context function is then passed to the Apollo Server constructor, where it will be used to provide context to all GraphQL resolvers.

Authentication and Authorization with JWT in a GraphQL

Authentication and authorization are important aspects of building secure web applications, including those powered by GraphQL. JSON Web Tokens (JWT) provide a popular mechanism for implementing authentication and authorization in GraphQL applications.

In this article, we'll explore the concepts of authentication and authorization with JWT in a GraphQL application, covering their implementation and benefits.
