
florian

11/17/2017, 1:38 AM
Yup, I guess checking against the token itself would work

agartha

11/17/2017, 1:40 AM
But that means storing the tokens themselves, which would normally be considered a huge security risk.
You have to treat them at least like passwords, so hashing, salt, pepper, oregano, the works.

florian

11/17/2017, 1:41 AM
True, going bcrypt, or I could concatenate the token's iat and userId

agartha

11/17/2017, 1:42 AM
But where would you check if a token is blacklisted?
You said before: in a permission query, but you don't have the current token in that permission query

florian

11/17/2017, 1:43 AM
I would check using permission queries on Models that require auth to be accessed
Ah!

agartha

11/17/2017, 1:44 AM
What would such a permission query look like:
SomeBlacklistTokenExists(filter: { token: $whathere??? })

florian

11/17/2017, 1:44 AM
I'm doomed 🙂

agartha

11/17/2017, 1:44 AM
You are...
That also mentions revoking tokens

florian

11/17/2017, 1:48 AM
I see thanks, love the bit on claims

agartha

11/17/2017, 1:50 AM
Thanks

florian

11/17/2017, 1:54 AM
I guess I could check the token in a resolver, but that would require wrapping all my "private" model accesses 😕

agartha

11/17/2017, 1:57 AM
You can't return model types from resolver functions, so that also wouldn't work
The only option I can think of is to create an API Gateway with your own JWT tokens, with a jti, where you can check for revocation, and exchange them for Graphcool tokens.
That's what we did .. a lambda with a bitwise operator that issues jots .. that map to roles
then a resolver to check mutations for roles