feat(plugin): jwt auth plugin (#7304)

Author: dotansimha

.changeset/beige-boxes-reflect.md

@@ -0,0 +1,6 @@
+---
+'@graphql-mesh/serve-runtime': patch
+'@graphql-mesh/fusion-runtime': patch
+---
+
+Pass context type from `OnSubgraphExecute` to `ExecutionRequest`

.changeset/rich-bears-wonder.md

@@ -0,0 +1,5 @@
+---
+'@graphql-mesh/plugin-jwt-auth': patch
+---
+
+Initial commit and introduce a new plugin.

packages/fusion/runtime/src/utils.ts

@@ -299,19 +299,19 @@ export function wrapExecutorWithHooks({
   };
 }
 
-export interface UnifiedGraphPlugin {
-  onSubgraphExecute?: OnSubgraphExecuteHook;
+export interface UnifiedGraphPlugin<TContext> {
+  onSubgraphExecute?: OnSubgraphExecuteHook<TContext>;
 }
 
-export type OnSubgraphExecuteHook = (
-  payload: OnSubgraphExecutePayload,
+export type OnSubgraphExecuteHook<TContext = any> = (
+  payload: OnSubgraphExecutePayload<TContext>,
 ) => Promise<Maybe<OnSubgraphExecuteDoneHook | void>> | Maybe<OnSubgraphExecuteDoneHook | void>;
 
-export interface OnSubgraphExecutePayload {
+export interface OnSubgraphExecutePayload<TContext> {
   subgraph: GraphQLSchema;
   subgraphName: string;
   transportEntry?: TransportEntry;
-  executionRequest: ExecutionRequest;
+  executionRequest: ExecutionRequest<any, TContext>;
   setExecutionRequest(executionRequest: ExecutionRequest): void;
   executor: Executor;
   setExecutor(executor: Executor): void;

packages/plugins/jwt-auth/package.json

@@ -0,0 +1,56 @@
+{
+  "name": "@graphql-mesh/plugin-jwt-auth",
+  "version": "0.0.1",
+  "type": "module",
+  "repository": {
+    "type": "git",
+    "url": "ardatan/graphql-mesh",
+    "directory": "packages/plugins/jwt-auth"
+  },
+  "license": "MIT",
+  "engines": {
+    "node": ">=16.0.0"
+  },
+  "main": "dist/cjs/index.js",
+  "module": "dist/esm/index.js",
+  "exports": {
+    ".": {
+      "require": {
+        "types": "./dist/typings/index.d.cts",
+        "default": "./dist/cjs/index.js"
+      },
+      "import": {
+        "types": "./dist/typings/index.d.ts",
+        "default": "./dist/esm/index.js"
+      },
+      "default": {
+        "types": "./dist/typings/index.d.ts",
+        "default": "./dist/esm/index.js"
+      }
+    },
+    "./package.json": "./package.json"
+  },
+  "typings": "dist/typings/index.d.ts",
+  "peerDependencies": {
+    "@graphql-mesh/types": "^0.99.0",
+    "@graphql-mesh/utils": "^0.99.0",
+    "graphql": "*",
+    "tslib": "^2.4.0"
+  },
+  "dependencies": {
+    "@graphql-yoga/plugin-jwt": "3.0.0"
+  },
+  "devDependencies": {
+    "@graphql-mesh/serve-runtime": "^0.5.0",
+    "graphql-yoga": "^5.6.0",
+    "jsonwebtoken": "9.0.2"
+  },
+  "publishConfig": {
+    "access": "public",
+    "directory": "dist"
+  },
+  "sideEffects": false,
+  "typescript": {
+    "definition": "dist/typings/index.d.ts"
+  }
+}

packages/plugins/jwt-auth/src/index.ts

@@ -0,0 +1,90 @@
+import { type Plugin as YogaPlugin } from 'graphql-yoga';
+import type { MeshServePlugin } from '@graphql-mesh/serve-runtime';
+import {
+  useJWT as useYogaJWT,
+  type JWTExtendContextFields,
+  type JwtPluginOptions,
+} from '@graphql-yoga/plugin-jwt';
+
+export {
+  createInlineSigningKeyProvider,
+  createRemoteJwksSigningKeyProvider,
+  extractFromCookie,
+  extractFromHeader,
+  type GetSigningKeyFunction,
+  type JWTExtendContextFields,
+  type JwtPluginOptions,
+  type ExtractTokenFunction,
+} from '@graphql-yoga/plugin-jwt';
+
+export type JWTAuthPluginOptions = Omit<JwtPluginOptions, 'extendContext'> & {
+  forward?: {
+    payload?: boolean | string;
+    token?: boolean | string;
+    extensionsFieldName?: string;
+  };
+};
+
+/**
+ * This Yoga plugin is used to extracted the forwarded (from Mesh gateway) the JWT token and claims.
+ * Use this plugin in your Yoga server to extract the JWT token and claims from the forwarded extensions.
+ */
+export function useForwardedJWT(config: {
+  extensionsFieldName?: string;
+  extendContextFieldName?: string;
+}): YogaPlugin<{ jwt?: JWTExtendContextFields }> {
+  const extensionsJwtFieldName = config.extensionsFieldName ?? 'jwt';
+  const extendContextFieldName = config.extendContextFieldName ?? 'jwt';
+
+  return {
+    onContextBuilding({ context, extendContext }) {
+      if (context.params.extensions?.[extensionsJwtFieldName]) {
+        const jwt = context.params.extensions[extensionsJwtFieldName]!;
+
+        extendContext({
+          [extendContextFieldName]: jwt,
+        });
+      }
+    },
+  };
+}
+
+/**
+ * This Mesh Gateway plugin is used to extract the JWT token and payload from the request and forward it to the subgraph.
+ */
+export function useJWT(
+  options: JWTAuthPluginOptions,
+): MeshServePlugin<{ jwt?: JWTExtendContextFields }> {
+  const forwardPayload = options?.forward?.payload ?? true;
+  const forwardToken = options?.forward?.token ?? false;
+  const shouldForward = forwardPayload || forwardToken;
+  const fieldName = options?.forward?.extensionsFieldName ?? 'jwt';
+
+  return {
+    onPluginInit({ addPlugin }) {
+      // TODO: fix useYogaJWT typings to inherit the context
+      addPlugin(useYogaJWT(options) as any);
+    },
+    // When a subgraph is about to be executed, we check if the initial request has a JWT token
+    // that needs to be passed. At the moment, only GraphQL subgraphs will have the option to forward tokens/payload.
+    // The JWT info will be passed to the subgraph execution request.
+    onSubgraphExecute({ executionRequest, setExecutionRequest }) {
+      if (shouldForward && executionRequest.context.jwt) {
+        const jwtData: Partial<JWTExtendContextFields> = {
+          payload: forwardPayload ? executionRequest.context.jwt.payload : undefined,
+          token: forwardToken ? executionRequest.context.jwt.token : undefined,
+        };
+
+        setExecutionRequest({
+          ...executionRequest,
+          extensions: {
+            ...executionRequest.extensions,
+            [fieldName]: jwtData,
+          },
+        });
+      }
+    },
+  };
+}
+
+export default useJWT;

packages/plugins/jwt-auth/src/useJWT.spec.ts

@@ -0,0 +1,145 @@
+import { createSchema, createYoga, type Plugin } from 'graphql-yoga';
+import jwt from 'jsonwebtoken';
+import { createServeRuntime } from '@graphql-mesh/serve-runtime';
+import {
+  createInlineSigningKeyProvider,
+  type JWTExtendContextFields,
+} from '@graphql-yoga/plugin-jwt';
+import useJWTAuth, { useForwardedJWT } from './index';
+
+describe('useExtractedJWT', () => {
+  it('full flow with extraction on Yoga subgraph', async () => {
+    const upstream = createYoga<{ jwt?: JWTExtendContextFields }>({
+      schema: createSchema({
+        typeDefs: /* GraphQL */ `
+          type Query {
+            hello: String
+          }
+        `,
+        resolvers: {
+          Query: {
+            hello: (_, args, context) => `Hi, user ${context.jwt?.payload.sub}`,
+          },
+        },
+      }),
+      plugins: [useForwardedJWT({})],
+      logging: false,
+    });
+
+    const secret = 'topsecret';
+    const serveRuntime = createServeRuntime({
+      proxy: {
+        endpoint: 'https://example.com/graphql',
+      },
+      fetchAPI: {
+        fetch: upstream.fetch as any,
+      },
+      plugins: () => [
+        useJWTAuth({
+          forward: {
+            payload: true,
+            token: true,
+          },
+          singingKeyProviders: [createInlineSigningKeyProvider(secret)],
+        }),
+      ],
+      logging: false,
+    });
+
+    const token = jwt.sign({ sub: '123' }, secret, {});
+
+    const response = await serveRuntime.fetch('http://localhost:4000/graphql', {
+      method: 'POST',
+      headers: {
+        authorization: `Bearer ${token}`,
+        'content-type': 'application/json',
+      },
+      body: JSON.stringify({
+        query: /* GraphQL */ `
+          query {
+            hello
+          }
+        `,
+      }),
+    });
+
+    expect(response.status).toBe(200);
+    const body = await response.json<any>();
+    expect(body.data?.hello).toBe('Hi, user 123');
+  });
+});
+
+describe('useJWTAuth', () => {
+  describe('forwarding of token and payload to the upstream, using extensions', () => {
+    const requestTrackerPlugin = {
+      onParams: jest.fn((() => {}) as Plugin['onParams']),
+    };
+    const upstream = createYoga({
+      schema: createSchema({
+        typeDefs: /* GraphQL */ `
+          type Query {
+            hello: String
+          }
+        `,
+        resolvers: {
+          Query: {
+            hello: () => 'world',
+          },
+        },
+      }),
+      plugins: [requestTrackerPlugin],
+      logging: false,
+    });
+    beforeEach(() => {
+      requestTrackerPlugin.onParams.mockClear();
+    });
+
+    it('should passthrough jwt token, jwt payload, and signature to the upstream api calls', async () => {
+      const secret = 'topsecret';
+      const serveRuntime = createServeRuntime({
+        proxy: {
+          endpoint: 'https://example.com/graphql',
+        },
+        fetchAPI: {
+          fetch: upstream.fetch as any,
+        },
+        plugins: () => [
+          useJWTAuth({
+            forward: {
+              payload: true,
+              token: true,
+            },
+            singingKeyProviders: [createInlineSigningKeyProvider(secret)],
+          }),
+        ],
+        logging: false,
+      });
+
+      const token = jwt.sign({ sub: '123' }, secret, {});
+
+      const response = await serveRuntime.fetch('http://localhost:4000/graphql', {
+        method: 'POST',
+        headers: {
+          authorization: `Bearer ${token}`,
+          'content-type': 'application/json',
+        },
+        body: JSON.stringify({
+          query: /* GraphQL */ `
+            query {
+              hello
+            }
+          `,
+        }),
+      });
+
+      expect(response.status).toBe(200);
+      expect(requestTrackerPlugin.onParams).toHaveBeenCalledTimes(2);
+      const extensions = requestTrackerPlugin.onParams.mock.calls[1][0].params.extensions;
+      expect(extensions.jwt.token.value).toBe(token);
+      expect(extensions.jwt.token.prefix).toBe('Bearer');
+      expect(extensions.jwt.payload).toMatchObject({
+        sub: '123',
+      });
+    });
+  });
+});

packages/serve-cli/rollup.config.js

@@ -44,6 +44,7 @@ const deps = {
   // extras for docker only
   'node_modules/@graphql-mesh/plugin-prometheus/index': '../plugins/prometheus/src/index.ts',
   'node_modules/@graphql-mesh/plugin-http-cache/index': '../plugins/http-cache/src/index.ts',
+  'node_modules/@graphql-mesh/plugin-jwt-auth/index': '../plugins/jwt-auth/src/index.ts',
 };
 
 if (process.env.E2E_SERVE_RUNNER === 'docker') {

packages/serve-runtime/src/types.ts

@@ -70,7 +70,7 @@ export type MeshServePlugin<
   TPluginContext extends Record<string, any> = Record<string, any>,
   TContext extends Record<string, any> = Record<string, any>,
 > = YogaPlugin<Partial<TPluginContext> & MeshServeContext & TContext> &
-  UnifiedGraphPlugin & {
+  UnifiedGraphPlugin<Partial<TPluginContext> & MeshServeContext & TContext> & {
     onFetch?: OnFetchHook<Partial<TPluginContext> & MeshServeContext & TContext>;
   } & Partial<Disposable | AsyncDisposable>;
 

website/src/pages/v1/serve/features/auth/index.mdx

@@ -16,8 +16,8 @@ security issues.
 - [Auth0](/v1/serve/features/auth/auth0): We recommend using an existing third-party service such as
   [Auth0](https://auth0.com/) for most users. With the Auth0 plugin, you can simply bootstrap the
   authorization process.
-- [JSON Web Tokens (JWT)](/v1/serve/features/auth/jwt): Mesh provides a plugin to easily integratye
-  JWT into your API
+- [JSON Web Tokens (JWT)](/v1/serve/features/auth/jwt): Mesh provides a plugin to easily integrate
+  JWT token verification into your API.
 - [Generic Auth](/v1/serve/features/auth/generic-auth): In some cases using a third party auth
   provider is not possible. But now worries, the generic auth plugin has you covered!