I'm trying to figure out a good way to set up authentication and authorization on my GRANDstack setup.
I do not want to tie my roles/scope logic to firebase. What if I want to query all staff members from the client? It looks like I'd have to query firebase to get this info, but I only want to authenticate with it, and do everything else with neo4j.
Can you please critique my approach?
- Authenticate users through Firebase, get the Firebase ID token
- With Apollo Client's useMutation, do a MergeUser mutation with the Firebase ID token (assuming a custom header)
- From Apollo Server, verify the Firebase ID token, get the user ID, and query the Neo4j DB
- After Neo4j's result, sign a custom JWT with the user ID, roles and scopes. Return user data + JWT to the client
- Client updates the cache with user data and stores the JWT in localStorage
- Apollo Link detects the localStorage token and sets headers.authorization
In addition, coming from Django, I like having permissions (scopes) attached to groups (roles).
So instead of using an enum Roles, I'll make it a type.
Once I get my request authorization token, future queries will be a breeze with graphql-auth-directives.
The only difficulty is getting this MergeUser mutation working properly. Maybe I only need a directive, maybe I need a custom resolver. Will start working on that.