# prisma-whats-new
f
Yup, I guess checking against the token itself would work
a
But that means storing the tokens itself, which would normally be considered a huge security risk.
You have to treat them at least like passwords, so hashing, salt, pepper, oregano, the works.
f
True, going bcrypt, or I could concatenate the token's iat and userId
a
But where would you check if a token is blacklisted?
You said before: in a permission query, but you don't have the current token in that permission query
f
I would check using permissions queries on Models that require auth to be accessed
Ah!
a
What would such a permission query look like:
SomeBlacklistTokenExists(filter: { token: $whathere??? })
f
I'm doomed 🙂
a
You are...
That also mentions revoking tokens
f
I see thanks, love the bit on claims
a
Thanks
f
I guess I could check the token in a resolver, but that would require wrapping all my "private" model accesses 😕
a
You can't return model types from resolver functions, so that also wouldn't work
The only option I can think of is to create an API Gateway with your own JWT tokens, with a jti, where you can check for revocation, and exchange them for Graphcool tokens.
That's what we did... a lambda with a bitwise operator that issues jots... that map to roles
then a resolver to check mutations for roles