Hi everyone
Following the solution proposed on this topic I had to move my JWT authentication system from the neo4j's auth plugin to a middleware
As I expected, using GraphQL-Shield requires authentication to be done in middleware rather than in auth plugin.
Moreover, one of the next things to do is to replace JWTs by server-stored session tokens that I will have to perform in middleware for the same reason.
So as the authentication is already performed in middleware, I saw no reason to keep the auth plugin, which would just perform the authentication a second time without need.
I commented the auth object plugin within new Neo4jGraphQL
const neo4jgraphql = new Neo4jGraphQL (
{
typeDefs,
resolvers,
driver: neo4jdriver,
plugins:
{
// TODO : replace default subscription plugin by custom redis plugin
subscriptions: new Neo4jGraphQLSubscriptionsSingleInstancePlugin(),
// auth: new Neo4jGraphQLAuthJWTPlugin(
// {
// secret: process.env.JWT_SESSION_KEY,
// globalAuthentication: false,
// }),
},
})
and in my middleware I set context.auth like this
try
{
const decode = jwt.verify(token, process.env.JWT_SESSION_KEY)
context.auth =
{
isAuthenticated: true,
roles: [],
jwt: decode,
}
console.log ("isAuthenticated / auth.jwt : " + JSON.stringify (context.auth, null, 4))
return true
}
catch (err)
{
console.log (err)
return new GraphQLError ("Unauthenticated", { extensions: { code: 'INVALID_TOKEN' } })
}
hoping to retrive it in my mutations and subscriptions.
The problem is that in my mutation i retrieve context.auth equals to
{
"isAuthenticated": false,
"roles": []
}
So I see two options :
- either there's an error in my code (like writing to a constant , or setting/accessing the content of an undefined object) but i see no error at all in my console, (and by the way context is not supposed to be either constant or undefined anyway)
- or neo4j's graphql driver sets context.auth no matter what it already contains.
So assuming this is the second option, is there any way to prevent context.auth being modified ?