Comments (9)
I'd love to see support for this using an environment variable such as SECURE_KEYS
.
This way when hosting on a service like Heroku we could have rolling secure secrets up and running by just enabling this addon: https://devcenter.heroku.com/articles/securekey#provisioning-the-add-on
from crystal.
The other thing that would be nice to have is the ability to set what the aud
claim should be on the command line. This would be great so that you could use services like auth0 etc as the authentication system that generates the jwt. For example their JWTs would have your client id as the aud
: https://auth0.com/docs/jwt
from crystal.
Yeah, this does seem like a reasonable request. One thing I instantly think about is if you're secret is compromised is it really worth still accepting it? Even so the option to do a rolling change would be nice.
Also, how do you feel about removing aud
support entirely? It seems to me like checking these properties could be easily set in a piece of middleware so it might not be worth adding a bunch of flags in PostGraphQL.
from crystal.
I feel like the entire jwt auth could just be middleware, e.g. this is how I'd done it in koa:
export function checkAuthentication({ debug }) {
return async (ctx, next) => {
// get token from headers (or cookie in dev)
const token = ctx.request.headers.authorization || (debug && ctx.cookies.get('Authorization'));
ctx.assert(token, 401, 'No token supplied');
let data;
try {
data = jwt.verify(token, sessionSecret);
} catch (err) {
ctx.throw(401, 'Incorrect token');
}
ctx.jwt = data;
await next();
};
}
export default function setupTransaction() {
return async (ctx, next) => {
const { pgClient, jwt } = ctx;
const { role, tenantId } = jwt;
// start transaction
await pgClient.queryAsync('begin');
await pgClient.queryAsync(`select set_config('role', '${role}', true)`);
await pgClient.queryAsync(`select set_config('jwt.claims.tenant_id', '${tenantId}', true)`);
await next();
// commit transaction or rollback
await pgClient.queryAsync('commit');
pgClient.end();
};
}
from crystal.
@calebmer good point about a compromised secret - it would be better to have downtime than allow that. I suppose this use case is more for standard secret rotation as a security policy than for when a secret is compromised.
I would be happy to have this stuff as a middleware so that I can customise the secret rotation and specific jwt claims as required. Does this mean we would need the library setup in #48?
from crystal.
Ah, wish you had left a comment on #48, just merged it π
Anyway, yeah making this customizable in some way does seem like a good idea. What you could do now is keep a secret that only an authentication middleware and PostGraphQL knows about and rotate a public facing secret in a middleware. So something like this process:
- Request comes in with a token.
- Your authentication middleware uses a rotating secret to verify the token.
- Your authentication middleware signs the token with the shared secret with PostGraphQL.
- Set the newly signed token to the
Authorization
header so PostGraphQL can use it.
Yeah itβs not ideal, but it could work and could be secure π
from crystal.
Global secret seems really unsecure for me. I'd prefer per-user secrets with rolling change support.
The easiest way to implement it is via middleware like you mentioned
from crystal.
If anyone with more expertise then me wants to submit a PR for any of these methods, Iβd happily merge it π
from crystal.
I think this should be pretty easy to implement; so a PR would be welcome. You can also implement this yourself using pgSettings
and bypassing the built in JWT support.
from crystal.
Related Issues (20)
- Postgraphile not working with webpack 5 HOT 1
- Accessing jwt.claim.user_id as variable value in query HOT 2
- Postgraphile computed column fails with tsrange and additional parameters HOT 7
- why Postraphile isn't exposing the parent table instead of the partition tables. HOT 3
- Views don't support one-to-one relationships HOT 1
- why Postraphile isn't exposing the parent table instead of the partition tables. HOT 1
- Does postgraphile supports containsValue while filtering JSON fields HOT 1
- Support Route level hooks for grafserv/fastify/v4 HOT 4
- Add `tsvector` codec to the registry
- website: things to do before deployment HOT 1
- How to add condition for a table that is related to other(while joining tables) HOT 8
- Produce high-level telemetry
- Filtering of `listen()` HOT 2
- Document how to export the registry as executable and then build a schema from that in prod
- What is the recommended way to validate input?
- Postgraphile@v5 keeps failing in a docker container HOT 3
- How to query a key that has ":" in the dictionary HOT 5
- Development mode warning printed when in test mode HOT 2
- @omit tag does not get emulated correctly in v5
- Allow adding validation rules to Grafserv HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from crystal.