Securing your node.js Express application with OneGraph JWTs

You can try this example in CodeSandbox or fork the GitHub repository

We can verify OneGraph's JWTs in our Express app with a single function, thanks to the excellent express-jwt middleware (together with jwks-rsa for key lookup and express-jwt-permissions for route guards):

yarn add express-jwt express-jwt-permissions jwks-rsa

const jwt = require('express-jwt');
const jwksRsa = require('jwks-rsa');

const ONEGRAPH_APP_ID = process.env.ONEGRAPH_APP_ID;

const jwtMiddleware = (options) => {
  const {credentialsRequired, appId} = options;

  const secret =
    options.secret ||
    // By default, use the zero-config JWKS published by OneGraph for this app
    // to verify the token's signature. The key set is cached and lookups are
    // rate-limited so an attacker sending unknown `kid`s can't hammer the endpoint.
    jwksRsa.expressJwtSecret({
      cache: true,
      rateLimit: true,
      jwksRequestsPerMinute: 1,
      jwksUri: `https://serve.onegraph.com/app/${appId}/.well-known/jwks.json`,
    });

  return jwt({
    secret: secret,
    // Pin the signing algorithm: OneGraph's JWKS keys are RSA keys, so RS256.
    // express-jwt 6+ refuses to run without this, and it prevents a token
    // from choosing a weaker algorithm in its own header.
    algorithms: ['RS256'],
    // Reject tokens minted for another issuer or another OneGraph app
    issuer: 'OneGraph',
    audience: `https://serve.onegraph.com/dashboard/app/${appId}`,
    // Decoded claims are exposed as `req.jwt`
    userProperty: 'jwt',
    // With `credentialsRequired: false`, requests without a token pass through
    // (req.jwt is undefined); requests with an invalid token are still rejected
    credentialsRequired: credentialsRequired,
  });
};

Now we make use of our middleware:

app.use(
  jwtMiddleware({
    appId: ONEGRAPH_APP_ID,
    credentialsRequired: false,
  }),
);

And guard any routes we want to protect:

const guard = require('express-jwt-permissions')({requestProperty: 'jwt'});
// Note that express-jwt-permissions expects a jwt with the minimum structure:
// {permissions: []}
// See https://github.com/MichielDeMey/express-jwt-permissions#error-handling for customization options
app.get('/restricted', guard.check(['admin']), function (req, res) {
  const reqJson = JSON.stringify(req.jwt, null, 2);
  res.write(reqJson); //write a response to the client
  res.end(); //end the response
});

Note that for any unguarded route, req.jwt may be null (in other words, users may be unauthenticated):

app.get('/', function (req, res) {
  // Since this route is unguarded, `req.jwt` may be null
  const jwt = req.jwt || {};

  const reqJson = JSON.stringify(jwt, null, 2);
  res.write(reqJson); //write a response to the client
  res.end(); //end the response
});

AuthGuardian support

AuthGuardian has excellent support for express-jwt-permissions. For any rule, simply use the "Add to list at path" action with the path set to "permissions", so that the minted JWT carries a {permissions: [...]} claim.

Consider this scenario:

I want to restrict access to a route in my express server so that only members of my GitHub organization can access it.

We can configure AuthGuardian with the following rule (screenshot: AuthGuardian rules for node.js express):

And simply add a guard check for the admin permission on our restricted route:

app.get('/restricted', guard.check(['admin']), function (req, res) {
  // Only users who are logged in *and* members of the 'OneGraph' GitHub
  // organization can access this route
});

Check out the GitHub repository for the full code
