Add auth options 🎉

[Bouncey]

Closes #37
Closes #83

[raisedadead]

Quick dumb query, how do I set a JWT for testing?

[ojongerius]

Nice one 🙇 I'll dedicated some time to review this evening.

[Bouncey]

My bad, it was late at night.

You can

Use one of my expired tokens:

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik0wTTJOVU0yTWpaR1FqUkVRelV4TVRFME9VTTVOVGcwUmtFeE1rTTJOek5GUTBRelJUTkVOZyJ9.eyJuaWNrbmFtZSI6InN0dWFydCIsIm5hbWUiOiJzdHVhcnRAZnJlZWNvZGVjYW1wLm9yZyIsInBpY3R1cmUiOiJodHRwczovL3MuZ3JhdmF0YXIuY29tL2F2YXRhci85ZjhmY2YzY2MzN2QzYWY4NDg0NDg3OTk4OTBmZGRmZT9zPTQ4MCZyPXBnJmQ9aHR0cHMlM0ElMkYlMkZjZG4uYXV0aDAuY29tJTJGYXZhdGFycyUyRnN0LnBuZyIsInVwZGF0ZWRfYXQiOiIyMDE4LTA0LTIyVDEwOjA5OjEzLjkzN1oiLCJlbWFpbCI6InN0dWFydEBmcmVlY29kZWNhbXAub3JnIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImlzcyI6Imh0dHBzOi8vZnJlZWNvZGVjYW1wLmF1dGgwLmNvbS8iLCJzdWIiOiJlbWFpbHw1YWNiMmVhZGE2ODAzYTkxOTEyODgwMTciLCJhdWQiOiJ2RjcwQ0paeVBLYlpSNHkwYXZlY1hYTGtmeU1ObnlLbiIsImlhdCI6MTUyNDM5MTc1MywiZXhwIjoxNTI0NDI3NzUzLCJhdF9oYXNoIjoiZDZsSW9Ra19uWkwxakxGWlFNN01EdyIsIm5vbmNlIjoiMkJWbVlWOWkzckllSFVJZzhzUU5WTDZtXy1MZTREejUifQ.nw5kbnpqCZRrJN3qr9coUAMNCRRg3Vrs7jhSqyX_BqGNcxZRA0ZYovM0ZNHQBioy_XH0bEeIoy59Bgjzcd-hNFJyoa_8pXRbhJ4tBMYkdK7K8_d8rGdDdSDg2EkTTeeidH8uAx9E14nYCWUJdqRlD1YXp3XkqQtBPLkD5Fu296ZnGrZ8hCjqz78bvYEg-dXYd3NsuuplnbFTjhjhHJ57KxBvk6_2Xvg-eeNx73xOJBsscyStv6eVvzQKMLvEin7SbV4FA4C0cKlKZl7YVj2qVxehojxkDupnSxFCDb59gkf4Z99eOx8qQOE4lI5c3gKuoZ3sIYDd1aRgHXAsvl8Dag

Change this line to

 return jwt.verify(token.replace('Bearer ', ''), cert, { ignoreExpiration: true });

Or generate your own by:

1. run events locally
2. log in
3. access id_token from your localStorage

So, you have a token

Add your token to the request headers 👇

Play around with the directives on the User type and query.

The Idea is:

• if a field has the @isAuthenticatedOnField directive, the value will be null if they are not authenticated, but other information in the request will be available.
• if a query has the @isAuthenticatedOnQuery directive, the request will error out if they are not authenticated.

I hope this helps in your QA @raisedadead @ojongerius 😀

[ojongerius]

Nice work @Bouncey!

[raisedadead]

package-lock.json should be deleted.

I would recommend this just to be sure:

1. rm -rf node_modules package-lock.json
2. yarn

do the git thing!

[ojongerius]

@raisedadead are you happy for this to go in? Mind you this will need conflicts resolved and I hope my tests will start failing 🤪

[ojongerius]

▶ yarn test
yarn run v1.6.0
$ jest --runInBand
 FAIL  test/user.test.js
  ✕ should return a user after one has been created (74ms)

  ● should return a user after one has been created

    TypeError: Cannot read property '0' of null

      40 |
      41 |   /* eslint-disable no-undef */
    > 42 |   expect(data.users[0].name).toBe(user.name);
      43 |   /* eslint-enable no-undef */
      44 | });
      45 |

      at Object.<anonymous>.it (test/user.test.js:42:10)

Test Suites: 1 failed, 1 total
Tests:       1 failed, 1 total
Snapshots:   0 total
Time:        1.394s, estimated 2s
Ran all test suites.
error Command failed with exit code 1.

When having a gander at what we do get back I see:

    { errors:
       [ GraphQLError {
           message: 'Cannot read property \'headers\' of undefined',
           locations: [Array],
           path: [Array] } ],
      data: { users: null } }

Looks like the contents of data are all good, but the error object could to with some attention, and, as expected, we need to adjust these tests to validate requests with, and without authentication and authorisation behave as expected.

For the record, the same code using /api in a browser does return exactly what we want when not authenticated 👍

{
  "data": {
    "users": null
  },
  "errors": [
    {
      "message": "You must supply a JSON Web Token for authorization!",
      "locations": [
        {
          "line": 2,
          "column": 3
        }
      ],
      "path": [
        "users"
      ]
    }
  ]
} 

[Bouncey]

I did a git pull --rebase upstream staging which must have must have reverted things and I didn't notice. I'll untangle this mess when I get in to work

[Bouncey]

I will take a look at the test suite. We may need to spilt the current tests in to smaller units, as currently it is a bit end-to-end -ish. The errors headers tells me that context hasn't been set in the handler correctly, for example.

[raisedadead]

Hi @ojongerius @Bouncey I just rebase and force pushed staging after #69 was merged.

@ojongerius For all intents and purposes, its best to rebase an pr against staging, to avoid nasty merge commits. Or the escape hatch is to simple use squash commit button.

[Bouncey]

I want to see if I can get gulp to handle the tests due to the exporting of the JWT_CERT during testing

[Bouncey]

@raisedadead after rebasing and merging #83 into this PR I kept on getting this weird gulp error before I even touched the gulpfile

AssertionError [ERR_ASSERTION]: Task function must be specified

I have replaced what gulp was doing for us with cross-env. Can you please check everything is OK on your end using Windows?

[raisedadead]

Hi @Bouncey

My primary reason for having a task runner was to have the ability to offload stuff from package.json. We could potentially use tasks for deployment and release (github, npm) automation instead of having raw shell files and workarounds in the run scripts.

But, I am OK with removing gulp as long as we are moving forward for now.

[Bouncey]

Sweet!

This is now ready for QA @raisedadead @ojongerius

[raisedadead]

Other than that everything else LGTM. Go to merge.

Side note, I have to lookup but the headers variable like authorization should be capitalised?

authorization => Authorization

As a practice else where?

[Bouncey]

The headers are passed to us from serverless through context. We have no control over that.

I was using Authorization in the playground headers, and they were always showing up as authorization in the handler context

[raisedadead]

Ok perfect.

[Bouncey]

Travis is failing on commitlint-travis. There is an open issue to relax these rules #54, all tests pass

[Bouncey]

Sweet!