How do we authenticate with API drivers like Postman, Insomnia, etc?

[ghost]

Question 💬

I have Next-Auth working in my application with Google provided sign-in/out. I am developing a GraphQL API and I need to authenticate. Thus, the question is generally, how can one leverage next-auth for graphQL, Postman or other API driving tools? Can we rip the cookie from the browser and send it to the endpoint somehow?

How to reproduce ☕️

Try to access an session protected API with Postman and see how it (correctly) denies the request.

Contributing 🙌🏽

No, I am afraid I cannot help regarding this

[Fronix]

I believe you are looking for this https://learning.postman.com/docs/sending-requests/capturing-request-data/interceptor/#syncing-cookies

Or you can just copy the cookie and add it to your api requests, it really is that easy.

[wfelipe99]

Hey, I'm interested in using only email as a provider and based on your suggestion I thought on this to do authorization in my API:

1 - Get session-token cookie.
2 - Check in Session table if this token is valid (verifying if it exists and if it didn't expire).
3 - If it's valid, then the user has a valid session and is a valid user. Then, get his roles on User table and verify if he can access that query/mutation.

Is there any problem with this flow? Is there a better or recommended way? Thanks in advance.

[Fronix]

That way is fine :)

If you're talking about using this for the next API you don't need to include anything, instead just call getSession from next-auth in the file, and it will know if the user has a session or not.

export default async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req });
if(!session) return res.status(401).end();
...
}

[wfelipe99]

Thank you for the quick reply. I'm using a custom backend with a GraphQL API. Thank you again, I was struggling on that and didn't think that this was so simple as you mentioned.