Git Product home page Git Product logo

api-plugin-authentication's Introduction

This repository is deprecated

This code is now located in our monorepo here

api-plugin-authentication

npm (scoped) CircleCI semantic-release

Summary

This plugin provides Authentication middleware for the Reaction API. It relies on token based authentication. Utils included in this plugin help connect the Account-js library and the Reaction API via an Auth Token.

How it works

This plugin registers the schema and resolvers that are required by account-js.

A express middleware is added whose job is to extract the Authorization header from the request and uses account-js to get the user for that token. The format should be Authorization: Bearer <YOUR_ACCESS_TOKEN>. Then the user is attached to the req object.

A function is added to functionByType.graphQLContext which links the graphQL context used in the api-core with the "internal context" used by account-js. This is needed because account-js also keeps tracks of the tokens and uses a separate GraphQL server.

Supported actions

  1. Signup
  2. Login
  3. Change Password
  4. Forgot Password - A email is sent with a reset token url of the form https://<STORE_URL>/?resetToken=<token>

Environment Variables:

Variable Name Description Default Value
STORE_URL This is the public link to the storefront (used to redirect) http://localhost:4000
MONGO_URL MongoDB used to store session & tokens None
TOKEN_SECRET secret used while creating the token UPDATE_THIS_SECRET

Developer Certificate of Origin

We use the Developer Certificate of Origin (DCO) in lieu of a Contributor License Agreement for all contributions to Reaction Commerce open source projects. We request that contributors agree to the terms of the DCO and indicate that agreement by signing all commits made to Reaction Commerce projects by adding a line with your name and email address to every Git commit message contributed:

Signed-off-by: Jane Doe <[email protected]>

You can sign your commit automatically with Git by using git commit -s if you have your user.name and user.email set as part of your Git configuration.

We ask that you use your real name (please no anonymous contributions or pseudonyms). By signing your commit you are certifying that you have the right have the right to submit it under the open source license used by that particular Reaction Commerce project. You must use your real name (no pseudonyms or anonymous contributions are allowed.)

We use the Probot DCO GitHub app to check for DCO signoffs of every commit.

If you forget to sign your commits, the DCO bot will remind you and give you detailed instructions for how to amend your commits to add a signature.

License

Copyright 2020 Reaction Commerce

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

api-plugin-authentication's People

Stargazers

avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

novayadi85 edoapp reaction-customization khaled-abdelal nexielabs tag18 ihalton alttreble ahmedhemaz zenweasel demandcluster twowheelstogo blackspider1994 codistan-isb janus-reith

api-plugin-authentication's Issues

Can't refresh tokens when access token is expired

In order to refresh an expired access token, the accounts js schema provides the refreshTokens mutation. The problem is that before the request for refreshing the auth token can be executed by accountsjs, the flow goes through a middleware that gets the user for the session if the authorization header is present:

From the client-side there is no easy way to make refreshTokens request without adding the Authorization header (The accountsjs client automatically adds the header) and the solution to this problem is to introduce a change in the authentication plugin.

Currently, we have the following scenario:
When we have an expired access token and a valid refresh token, we make a refreshTokens request.
The expired access token is added to the headers non the less

image

The refreshing fails because the request fails even before it had reached the accountsjs logic for refreshing.
The correct workflow should be as follows:

image

If the provided Authorization header is expired, proceed with the execution of the code as if no header was added. In other words, it should skip the provided token in the Authorization header before it tries to get the user session.

Deprecate original npm package

This plugin was originally created as plugin-authentication, but the name has been updated to include the api prefix.

We need to deprecate the original package on npm.

Cannot find module '@accounts/magic-link'

Using version v2.2.2 seems to have an install issue. The npm install phase will run normally, however when Reaction starts, fails to load. Perhaps a peer-depdendency is missing.

Error: Cannot find module '@accounts/magic-link'
  Require stack:
  - /reaction-core/node_modules/@reactioncommerce/api-plugin-authentication/node_modules/@accounts/graphql-api/lib/modules/accounts-magic-link/index.js
      at Function.Module._resolveFilename (node:internal/modules/cjs/loader:924:15)
      at Function.Module._load (node:internal/modules/cjs/loader:769:27)
      at Module.require (node:internal/modules/cjs/loader:996:19)
      at require (node:internal/modules/cjs/helpers:92:18)
      at Object.<anonymous> (/reaction-core/node_modules/@reactioncommerce/api-plugin-authentication/node_modules/@accounts/graphql-api/lib/modules/accounts-magic-link/index.js:7:22)
      at Module._compile (node:internal/modules/cjs/loader:1092:14)
      at Object.Module._extensions..js (node:internal/modules/cjs/loader:1121:10)
      at Module.load (node:internal/modules/cjs/loader:972:32)
      at Function.Module._load (node:internal/modules/cjs/loader:813:14)
      at Module.require (node:internal/modules/cjs/loader:996:19)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.