- Authentication Methods
- Primary Authentication Methods
- Secondary Authentication Methods and Multi-factor Authentication
- API Key Authentication
- Authentication Token
- Graphweaver Config
- Forbidden Requests
- X-Auth-Redirect header
- X-Auth-Request-Redirect and AUTH_BASE_URI
- Whitelisted Domains
- Authentication GraphQL Errors
- ForbiddenError
- ChallengeError
- RestrictedFieldError
- Environment Variables
Many of the basic integration tasks are implemented for you in Graphweaver. However, there are a number of concepts and configuration options that are important to understand.
Authentication Methods
There are a number of pre-built authentication methods. Some of these can be used as a primary authentication method. That is an authentication method that can be exchanged for an authentication token. There are also secondary authentication methods. These are methods that can be used to step-up your authentication. For example, you can login with the primary authentication method such as password then require a step up using One Time Password when writing data.
Primary Authentication Methods
The following primary authentication methods are available:
- Password
- Magic Links
- Auth0
Secondary Authentication Methods and Multi-factor Authentication
The following secondary authentication methods are available:
- Password
- Magic Links
- One Time Password
- Web3
- Passkey
API Key Authentication
API Key authentication can be used when you need machine-to-machine communication. This allows another service to call your Graphweaver instance. For more information on setting up API Key Authentication see the Adding API Key Authentication page.
Authentication Token
The authentication token used by Graphweaver is a JWT. The JWT stores very little information so that it stays small and does not become bloated. Here is the contents of a typical JWT:
{
"sub": "1",
"amr": [
"pwd"
],
"iat": 1723614685,
"exp": 1723643485
}Letβs look at each part:
Name | Description |
sub | The subject is the user ID of the user that generated the JWT. |
amr | The Authentication Methods Array shows which methods have been used to authenticate. In the example above pwd means this user logged in with a password. |
iat | Issued At - Is a timestamp of when the token was created |
exp | Expires - Is a timestamp of when the token expires and can no longer be used for authentication. |
Graphweaver Config
In order to implement authentication on Graphweaver you need to use the Graphweaver config.
Each of these keys are inside the path adminUI.auth .
Key | Default | Description |
primaryMethods | - | This is the list of supported auth methods such as PASSWORD, MAGIC_LINK, AUTH_ZERO. |
secondaryMethods | - | This is a list of secondary supported auth methods such as PASSWORD, MAGIC_LINK, ONE_TIME_PASSWORD, WEB3, PASSKEY. |
password.enableForgottenPassword | true | This enables the forgotten password link on the adminUI login prompt. |
password.enableResetPassword | true | This enables the ability for an user or admin to reset a password. |
Forbidden Requests
X-Auth-Redirect header
This header is returned from the server to tell the client where it should send the user. This is used in the AdminUI to redirect users for authentication requests. This can also be used by an external app to redirect users as needed.
X-Auth-Request-Redirect and AUTH_BASE_URI
This header is sent from the client to the server to redirect the user after a successful login. This has the potential to be hijacked by an unauthorised request so only whitelisted domains can be redirected to.
Whitelisted Domains
Whitelisted domains are domains that have been authorised for redirection. This is used to check that a X-Auth-Request-Redirect header is a valid URL before allowing redirection.
Authentication GraphQL Errors
The authentication system uses several custom error classes. While not always returned to the client directly, these errors may appear in the errors array of a GraphQL response if they occur.
ForbiddenError
A ForbiddenError is thrown when a request attempts to access a restricted part of the graph. This indicates that the request violates the Access Control List (ACL) applied to the requested entity.
ChallengeError
This error occurs when a request requires a higher level of authentication. When this error is caught, an X-Auth-Redirect header is returned to the client, triggering a redirect to the appropriate authentication step.
RestrictedFieldError
This is an internal error not exposed to the client. It's thrown when a request tries to access a field that the current user does not have permission to view or write to.
Environment Variables
There are a number of environment variable that you can configure in Graphweaver to change the defaults.
Name | Default | Description |
AUTH_BASE_URI | - | required This is the default redirect if a X-Auth-Request-Redirect header is not sent in the request. |
AUTH_WHITELIST_DOMAINS | - | required This is a list of allowed redirect URLs. This is to ensure that the server does not redirect to a URL that is not allowed. |
AUTH_JWT_EXPIRES_IN | 8h | This sets the amount of time until the JWT expires. Valid options such as:
- 8h for 8 hours
- 1d for 1 day
- 30m for 30 minutes |
AUTH_JWT_CHALLENGE_EXPIRES_IN | 30m | How long should a challenge be valid before the challenge expires and is required again. Valid options such as:
- 8h for 8 hours
- 1d for 1 day
- 30m for 30 minutes |
AUTH_PUBLIC_KEY_PEM_BASE64 | - | The Base64 encoded public PEM file for more information on how to generate see the Adding Password Authentication section. |
AUTH_PRIVATE_KEY_PEM_BASE64 | - | The Base64 encoded private PEM file for more information on how to generate see the Adding Password Authentication section. |
AUTH_JWT_ALGORITHM | ES256 | This is the algorithm that is used by the JWT here is a list of supported options: https://github.com/auth0/node-jsonwebtoken#algorithms-supported |
AUTH_FORGOTTEN_PASSWORD_LINK_RATE_LIMIT | 4 | This is the number of forgotten password links that can be generated in the specified rate period. |
AUTH_FORGOTTEN_PASSWORD_LINK_RATE_PERIOD | 1d | This is the rate period which sets the time period, restricting the number of links that can be generated. |
AUTH_FORGOTTEN_PASSWORD_LINK_TTL | 15m | This specifies the time to live for the forgotten password link. The link will expire once the TTL elapses. |
AUTH_PATH | /auth | This is the base path used for all redirect links. For example the password reset link will be found at /auth/reset-password . |
AUTH_RESET_PASSWORD_PATH | /reset-password | The path that a user will be redirected to when clicking on a forgotten password link. |
AUTH_MAGIC_LINK_RATE_LIMIT | 5 | This sets the number of magic links that can be generated within the set period. |
AUTH_MAGIC_LINK_RATE_PERIOD | 1d | This sets the period that magic links can be generated. |
AUTH_MAGIC_LINK_TTL | 15m | This sets how long the magic link lasts for before it expires. |
AUTH_OTP_RATE_LIMIT | 10 | This sets the number of one time passwords that can be generated within the set period. |
AUTH_OTP_RATE_PERIOD | 1d | This sets the period that one time passwords can be generated. |
AUTH_OTP_TTL | 1m | This sets how long the one time password lasts before it expires. |
AUTH_PASSKEY_RELYING_PARTY_NAME | Graphweaver | This is the user visible name of the service requesting the Passkey. |
AUTH_PASSKEY_RELYING_PARTY_ID | localhost | This is the domain that is requesting the passkey |
AUTH_PASSKEY_ORIGIN | This is the expected origin that the passkey should have been generated on. |