Yup, I guess checking against the token itself wou...
# prisma-whats-newf
florian
11/17/2017, 1:38 AMYup, I guess checking against the token itself would work
a
agartha
11/17/2017, 1:40 AMBut that means storing the tokens itself, which would normally be considered a huge security risk.
agartha
11/17/2017, 1:40 AMYou have to treat them at least like passwords, so hashing, salt, pepper, oregano, the works.
f
florian
11/17/2017, 1:41 AMTrue, going bcrypt or I could concatenate the token's
iatuserIda
agartha
11/17/2017, 1:42 AMBut where would you check if a token is blacklisted?
agartha
11/17/2017, 1:43 AMYou said before: in a permission query, but you don't have the current token in that permission query
f
florian
11/17/2017, 1:43 AMI would check using permissions queries on Models that require auth to be accessed
florian
11/17/2017, 1:43 AMAh !
a
agartha
11/17/2017, 1:44 AMHow would such a permission query look like:
SomeBlacklistTokenExists(filter: { token: $whathere??? })f
florian
11/17/2017, 1:44 AMI'm doomed 🙂
a
agartha
11/17/2017, 1:44 AMYou are...
agartha
11/17/2017, 1:45 AMI wrote this a while ago: https://github.com/graphcool/framework/issues/137#issuecomment-321384222
agartha
11/17/2017, 1:46 AMThat also mentions revoking tokens
f
florian
11/17/2017, 1:48 AMI see thanks, love the bit on claims
a
agartha
11/17/2017, 1:50 AMThanks
f
florian
11/17/2017, 1:54 AMI guess I could check the token in a resolver, but that would require to wrap all my "private" models access 😕
a
agartha
11/17/2017, 1:57 AMYou can't return model types from resolver functions, so that also wouldn't work
agartha
11/17/2017, 1:58 AMThe only option I can think of is to create an API Gateway with your own JWT tokens, with a jti, where you can check for revocation, and exchange them for Graphcool tokens.
Fitch
11/17/2017, 4:56 AMThats what we did .. a lambda with a bitwise operator that issues jots .. that map to roles
Fitch
11/17/2017, 4:56 AMthen a resolver to check mutations for roles
4 Views