Boilerplate for Apollo authentication/authorization
Ecosystem:
- Apollo 2 Server (with Express)
- Apollo Client 3.x
- Vue.js (frontend web client)
- React (frontend web client)
Clone this repo using
git clone https://github.com/ecerroni/apollo-connector-kit.git
Move to the appropriate directory:
cd apollo-connector-kit
From the project's root folder
yarn install-all
from the project's root folder
yarn start
You may also run servers separately
from the project's root folder
cd frontend-vue && yarn dev
from the project's root folder
cd frontend-react && yarn dev
from the project's root folder
cd backend && yarn start
Depending on bcrypt's version you need to use a specific node LTS version to make it work properly. This is even more importan in production environemnts to avoid build errors like gyp ERR!....
Here there is a table compatibility you should follow: https://www.npmjs.com/package/bcrypt#version-compatibility
The current bcrypt version used in this boilerplate requires Node.js LTS >= 12
There are 2 mock users:
[Admin role]
username: rico
password: 123456
[Limited permissions role]
username: george
password: 123456
All essentials settings are under the settings
folder.
You may change them as you see fit and they will propagate to the backend as well as across all client folders.
N.B. Because of how CRA works the frontend react will not pickup changes even after restarting the server (like Vue does, but for few changes related to the endpoint);
As a workaround you should always stop the server and run from the root project:
cd frontend-react && yarn install
Then restart the server
{
"NAMESPACE": "connector", // Change the namespace to match your app name or anything else you like. This value will be used to build the tokens name like `connectorToken` and `connectorRefreshToken` as well as the headers' names
"ENDPOINT": { // this is mainly for local development
"PROTOCOL": "http",
"HOST": "localhost",
"PORT": 3000,
"GRAPHQL": "/graphql",
"GRAPHIQL": "/graphql",
"PAYLOAD": { // this however will affect also production environment
"JSON": {
"LIMIT": "50mb"
},
"URL_ENCODED": {
"LIMIT": "50mb",
"PARAMETER_LIMIT": 100000
}
}
},
"CONSTANTS": { // change them as you need
"HTTP_ONLY": "HTTP_ONLY",
"LOCAL_STORAGE": "LOCAL_STORAGE",
"FORBIDDEN": "Forbidden",
"UNAUTHORIZED": "Unauthorized!",
"NOT_ALLOWED": "Not allowed"
},
"STRATEGIES": { // this affects the backend server only. Use of both strategies at the same time will work
"HTTP_ONLY": true, // tokens are stored in cookies
"LOCAL_STORAGE": true // tokens are stored in localStorage (on the client)
},
// the following builds up the headers name together with the namespace
"PREFIX": "x-",
"TOKEN_SUFFIX": "-token",
"REFRESH_TOKEN_SUFFIX": "-refresh-token",
"AUTH_HEADER_SUFFIX": "-auth-request-type"
}
If HTTP_ONLY
is set to true
in app.json
you can change the cookie's expiration time as you need
{
"COOKIE_EXP": 31536000000
}
This is the expiratin time of the tokens in seconds
{
"TOKEN_EXP": 360,
"REFRESH_TOKEN_EXP": 604800
}
These are exclusively for apollo backend
{
"PRIVATE_PREFIX": "_", // queries and mutations that have this prefix will always throw an 401 error if they are invoke by a non-valid user
"DEPTH_LIMIT": 5, // max depth limit allowed in queries
"MAX_COST": 1000 // max cost allowed for a query
}
All application roles and permissions are set here
HIERARCHY BUILDING BLOCKS
- Top-down: higher users in the tree inherit roles from lower levels as long as they are in the same sub-tree
- Sibilings: sibilings do not inherit permissions from each other despite their order
{}
creates a tree leaf
[]
creates a tree leaf of sibilings
[[]]
creates a sub-tree
Example:
{}
parent (root){}
child (a) of [root][
grand-children of [root] and children of [a] with same rank, i.e sibilings{}
, child (a1) of [a]{}
child (a2) of [a]]
,[[
grand-children of [root] children of [a] in nested (isolated) level, i.e. sub-tree{}
child (a3) of [a]{}
child (a4) of [a]]]
{}
child (b) of [root]
Real-world example:
{
"OPERATION": {
"READ": "read",
"UPDATE": "update",
"CREATE": "create",
"DELETE": "delete"
},
"SCOPES": {
"USER_PROFILE": "userProfile",
"EMPLOYEE_PROFILE": "employeeProfile",
"BADGE": "badge"
},
"GROUPS": {
"VOLUNTEERS": {
"PERMISSIONS": {
"BADGE": [
"READ"
]
}
}
},
"USERS": [
{
"ADMIN": {
"PERMISSIONS": {
"USER_PROFILE": [
"UPDATE",
"DELETE"
],
"BADGE": [
"CREATE",
"UPDATE",
"DELETE"
]
}
}
},
[[
[
{
"HR": {
"PERMISSIONS": {
"USER_PROFILE": [
"CREATE",
"READ",
"UPDATE"
],
"EMPLOYEE_PROFILE": [
"CREATE",
"READ",
"UPDATE"
]
}
}
},
{
"STAFF": {
"GROUPS": ["VOLUNTEERS"],
"PERMISSIONS": {
"EMPLOYEE_PROFILE": [
"READ"
]
}
}
}
]
]],
{
"USER": {
"GROUPS": ["VOLUNTEERS"],
"PERMISSIONS": {
"USER_PROFILE": [
"READ",
"UPDATE"
]
}
}
}
]
}
####################################################
ROLES TREE
####################################################
OWNER
└── ADMIN
├── HR|STAFF
└── USER
####################################################
ROLES' GROUPS AND COMPUTED PERMISSIONS
####################################################
ROLE: ADMIN
INHERITED_ROLES: [HR, STAFF, USER]
GROUPS: []
ALL PERMISSIONS: [
update_userProfile
update_badge
delete_userProfile
delete_badge
create_badge
create_userProfile
create_employeeProfile
read_userProfile
read_employeeProfile
update_employeeProfile
read_badge
]
-----------------------------------------------------------------
ROLE: HR
INHERITED_ROLES: []
GROUPS: []
ALL PERMISSIONS: [
create_userProfile
create_employeeProfile
read_userProfile
read_employeeProfile
update_userProfile
update_employeeProfile
]
-----------------------------------------------------------------
ROLE: STAFF
INHERITED_ROLES: []
GROUPS: [VOLUNTEERS]
ALL PERMISSIONS: [
read_employeeProfile
read_badge
]
-----------------------------------------------------------------
ROLE: USER
INHERITED_ROLES: []
GROUPS: [VOLUNTEERS]
ALL PERMISSIONS: [
read_userProfile
read_badge
update_userProfile
]
-----------------------------------------------------------------
####################################################
PERMISSIONS IN ROLES
####################################################
{
update_userProfile: [ 'OWNER', 'ADMIN', 'HR', 'USER' ],
update_badge: [ 'OWNER', 'ADMIN' ],
update_employeeProfile: [ 'OWNER', 'ADMIN', 'HR' ],
create_badge: [ 'OWNER', 'ADMIN' ],
create_userProfile: [ 'OWNER', 'ADMIN', 'HR' ],
create_employeeProfile: [ 'OWNER', 'ADMIN', 'HR' ],
read_userProfile: [ 'OWNER', 'ADMIN', 'HR', 'USER' ],
read_employeeProfile: [ 'OWNER', 'ADMIN', 'HR', 'STAFF' ],
read_badge: [ 'OWNER', 'ADMIN', 'STAFF', 'USER' ],
delete_userProfile: [ 'ADMIN' ],
delete_badge: [ 'ADMIN' ]
}
####################################################
####################################################
Once the roles-permissions.json
is saved and the backend server started all roles and permissions custom directive get build programmatically.
You will able to enforce them following this pattern: Roles: roles.is.{role} Permissions: permissions.can.{operation}.{scope}
import { permissions } from '../../../directives';
export const types = `
type User {
id: String!
name: String
username: String
email: String @${permissions.can.read.user_profile}
}`;
testPermissionsHasRole: String @${roles.is.admin}
testPermissionsIsAllowed: String @${permissions.can.read.badge}
By default it accepts both LOCAL_STORAGE and HTTP_ONLY requests from clients.
If you want to narrow it down to just on type of authentication request being accepted you will need to set either one of the following to false
in ./settings/app.json
:
"STRATEGIES": {
"HTTP_ONLY": true,
"LOCAL_STORAGE": true
},
If you set them both to false
the server will stop accepting requests altogether.
The client to have its requests accepted by the server it needs to declare what authentication strategy it is willing to use. The choosen strategy should match one of those allowed by the server, otherwise client's requests will be always rejected.
To set which type of authentication requests the client is willing to use set it here:
- For React:
./frontend-react/src/environment/_auth.js
- For Vue:
./frontend-vue/src/environment/_auth.js
Choose local storage
export const CLIENT_AUTH_REQUEST_TYPE = AUTH.STRATEGIES.CLIENT.LOCAL_STORAGE;
OR
Choose cookies
export const CLIENT_AUTH_REQUEST_TYPE = AUTH.STRATEGIES.CLIENT.HTTP_ONLY
You may create new graphql components just by typing from project's root folder:
cd backend
yarn add-component-part <component_name> <component_part>
Ex. yarn add-component-part User user-authentication
The above will create under components
a new folder named User
with a subfolder named
user-authentication
user-authentication
has all files needed to implement your component. You just need to fill them;
_input.js
: input types you need for your component part's mutations_mutation.js
: all mutations for this component part go here_query.js
: all queries for this component part go here_type.js
: all types and type resolvers for this component part go here
You may implement only what you need, though you should never delete any of these files. For example if you have no mutations and no inputs for a component part you should not delete _input.js and mutations.js. Just leave them there as they were created by the script.
Each component has at least one part, though it can have many.
Ex. components
- components
-- User
--- user-authentication
--- user-data
You may want to delete an existing graphql components just by typing from project's root folder:
cd backend
yarn remove-component-part <component_name> <component_part>
Ex. yarn remove-component-part User user-authentication
The above will delete under components
in the folder named User
the subfolder named
user-authentication
Moreover if the folder named User
has no more sub-part it will be deleted by the script as well
Otherwise the server/nodemon may not immediately pick up changes in components' structure and even throw errors (for example adding/deleting components manually),