silverstripe-graphql-jwt
JWT Authentication for GraphQL
Update the module to work with Silverstripe 5; it's built upon [Unclecheese's work](https://github.com/unclecheese/silverstripe-graphql-jwt/tree/pulls/master/graphql4-compat).
Using the GraphQL 4 upgrade branch from unclecheese, you won't be able to validate a token due to the LoginSessionMiddleware from silverstripe/session-manager not being able to find a session and...
We are suddenly getting this on a fresh install: `Replicating claims as headers is deprecated and will removed from v4.0. Please manually set the header if you need it replicated.`...
We've added CSRF protection to all mutations through https://github.com/silverstripe/silverstripe-graphql/commit/b59ba397ff42d8934bd2d9c932514f898c327f64 as part of a security fix. That was a tradeoff satisfying the current CMS use case, which is PHP session based....
This works, but it does probably bypass CORS allow-headers settings for Authorization. So probably they should be validated in some way as well, do you think?
Based on https://lcobucci-jwt.readthedocs.io/en/latest/upgrading/#replace-tokenverify-and-tokenvalidate-with-validation-api This update is not complete; I'll fix the rest later. :)
If I change the existing JWTUniqueID to something different in the database, like 'XXX', the token is no longer valid. But if I change it to 0 or null, it...
As from issue #15, to clarify how to use