Saving auth roles & scopes in Neo4j

I'm trying to figure out a good way to set up authentication and authorization on my GRANDstack setup.
I do not want to tie my roles/scope logic to firebase. What if I want to query all staff members from the client? It looks like I'd have to query firebase to get this info, but I only want to authenticate with it, and do everything else with neo4j.

Can you please critique my approach?

  1. Authenticate users through Firebase, get the Firebase ID token
  2. With Apollo Client's useMutation, do a MergeUser mutation with the Firebase ID token (assuming a custom header)
  3. From Apollo Server, verify the Firebase ID token, get the user id, and query the Neo4j DB
  4. After Neo4j's result, sign a custom JWT with the user id, roles and scopes. Return user data + JWT to the client
  5. Client updates the cache with user data and stores the JWT in localStorage
  6. Apollo Link detects the localStorage token and sets headers.authorization

In addition, coming from Django, I like having permissions (scopes) attached to groups (roles).

So instead of using an enum Roles, I'll make it a type.

Schema:

Once I get my request authorization token, future queries will be a breeze with graphql-auth-directives. The only difficulty is getting this MergeUser mutation working properly. Maybe I only need a @doAuthenticate custom directive, maybe I need a custom resolver. Will start working on that.

If all you're trying to do is authorize the user via Firebase or any other auth provider like Auth0, then you could probably keep the user permissions on the user object itself and then include those in your context with Apollo requests. That way you've got full control over your user roles/permissions, etc. At least that's my thought.

This is what I was describing. Except that we only query the user scope/roles once on authentication, then get these from the JWT instead of re-querying the user data for every single request.

Thanks for confirming that I'm going in the right direction!