add jwt authentication on graphql controller

2021-08-04 18:49:11 -03:00
parent 64a7fc7da9
commit a755945c61
7 changed files with 78 additions and 11 deletions
--- a/app/controllers/concerns/authenticable.rb
+++ b/app/controllers/concerns/authenticable.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+module Authenticable
+  def current_auth
+    @current_auth ||= Auth::Authenticate.new(bearer_token).profile
+  end
+
+  def bearer_token
+    pattern = /^Bearer /
+    header  = request.headers["Authorization"]
+    header.gsub(pattern, "") if header&.match(pattern)
+  end
+end
--- a/app/controllers/graphql_controller.rb
+++ b/app/controllers/graphql_controller.rb
@@ -1,17 +1,16 @@
 # frozen_string_literal: true
 class GraphqlController < ApplicationController
-  # If accessing from outside this domain, nullify the session
-  # This allows for outside API access while preventing CSRF attacks,
-  # but you'll have to authenticate your user separately
-  # protect_from_forgery with: :null_session
+  include Authenticable
+
+  protect_from_forgery with: :null_session

  def execute
    variables = prepare_variables(params[:variables])
    query = params[:query]
    operation_name = params[:operationName]
    context = {
-      # Query context goes here, for example:
-      current_user: current_admin_user,
+      current_user: current_admin_user, # || current_auth.current_user,
+      current_auth: current_auth,
    }
    result = XStakeSchema.execute(query, variables: variables, context: context, operation_name: operation_name)
    render(json: result)
@@ -22,7 +21,6 @@ class GraphqlController < ApplicationController

  private

-  # Handle variables in form data, JSON body, or a blank value
  def prepare_variables(variables_param)
    case variables_param
    when String
@@ -34,7 +32,7 @@ class GraphqlController < ApplicationController
    when Hash
      variables_param
    when ActionController::Parameters
-      variables_param.to_unsafe_hash # GraphQL-Ruby will validate name and type of incoming variables.
+      variables_param.to_unsafe_hash
    when nil
      {}
    else
--- a/app/services/auth/auth0_client.rb
+++ b/app/services/auth/auth0_client.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+module Auth
+  class Auth0Client
+    class << self
+      def find_profile(token)
+        Profile.new(user_profile_attributes(token))
+      end
+
+      def user_profile_attributes(token)
+        HTTParty.get(
+          "https://#{ENV["AUTH_DOMAIN"]}/userinfo",
+          headers: {
+            "Content-Type" => "application/json",
+            "Authorization": "Bearer #{token}",
+          }
+        ).with_indifferent_access
+      end
+    end
+  end
+end
--- a/app/services/auth/authenticate.rb
+++ b/app/services/auth/authenticate.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+module Auth
+  class Authenticate
+    attr_reader :jwt_token
+
+    def initialize(jwt_token)
+      @jwt_token = jwt_token
+    end
+
+    def profile
+      Auth0Client.find_profile(jwt_token)
+    end
+  end
+end
--- a/app/services/auth/profile.rb
+++ b/app/services/auth/profile.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+module Auth
+  class Profile
+    attr_reader :id, :email
+
+    def initialize(attributes)
+      @id = attributes[:sub]
+      @email = attributes[:email]
+    end
+
+    def customer
+      @customer ||= Customer.find_by(email: email, auth_id: id)
+    end
+  end
+end