I’ve been spending some of the Coronatime working on side projects, and recently got the chance to build something using PostGraphile.*
User auth is always an important concern and lately I’ve been curious to try New Things in this area. Having noticed people asking for refresh_token support, and seen plenty of sometimes acrimonious debate on the merits of traditional session vs JWT-based auth, I thought to myself, ‘self, enough opinions. Let’s build stateless auth ourselves & see what all the fuss is about!’
So that’s what this is: the result of my path to building so-called ‘stateless sessions’ and the open sourcing of my “learning by building.” I take no position on whether you should use this, but it’s been working well for my needs.
A lot of attention has gone into the details on this to arrange what I’d consider an appropriate balance of security and convenience, and maybe, just maybe my needs overlap with yours.
If you:
- need to authenticate incoming HTTP requests but don’t want to hit your database/Redis every time
- are willing to trade access_token fetches in return for tokens living 100% in the user agent, perhaps because you
  - don’t want to maintain your own Redis instance
  - prefer a frontend that avoids storing tokens in local storage
- prefer to use access_token lifetimes of 15 minutes (adjustable)
- otherwise care about security best practices
…then this project, which aims to adopt a “strong but stateless” auth stance, may be interesting.
Those of you who prefer Apollo Server: I’ve got you covered too.
If enough people like this I’ll consider publishing to NPM. Until then I’d be curious to know what you think!
Thanks to the clever people who came before me, including contributors to the OAuth spec, Ben Awad, and @newsiberian for accepting my PR.
* Postgraphile offers a pretty slick way to easily stand up a reasonably decent GraphQL API based on reflecting your Postgres database & schema. Relay support and other batteries included.