Title
f
florian
11/17/2017, 1:38 AMYup, I guess checking against the token itself would work
a
agartha
11/17/2017, 1:40 AMBut that means storing the tokens itself, which would normally be considered a huge security risk.
You have to treat them at least like passwords, so hashing, salt, pepper, oregano, the works.
f
florian
11/17/2017, 1:41 AMTrue, going bcrypt or I could concatenate the token's
iatuserIda
agartha
11/17/2017, 1:42 AMBut where would you check if a token is blacklisted?
You said before: in a permission query, but you don't have the current token in that permission query
f
florian
11/17/2017, 1:43 AMI would check using permissions queries on Models that require auth to be accessed
Ah !
a
agartha
11/17/2017, 1:44 AMHow would such a permission query look like:
SomeBlacklistTokenExists(filter: { token: $whathere??? })f
florian
11/17/2017, 1:44 AMI'm doomed 🙂
a
agartha
11/17/2017, 1:44 AMYou are...
I wrote this a while ago: https://github.com/graphcool/framework/issues/137#issuecomment-321384222
That also mentions revoking tokens
f
florian
11/17/2017, 1:48 AMI see thanks, love the bit on claims
a
agartha
11/17/2017, 1:50 AMThanks
f
florian
11/17/2017, 1:54 AMI guess I could check the token in a resolver, but that would require to wrap all my "private" models access 😕
a
agartha
11/17/2017, 1:57 AMYou can't return model types from resolver functions, so that also wouldn't work
The only option I can think of is to create an API Gateway with your own JWT tokens, with a jti, where you can check for revocation, and exchange them for Graphcool tokens.
Thats what we did .. a lambda with a bitwise operator that issues jots .. that map to roles
then a resolver to check mutations for roles