fix: uses jwt token for authorization

backend/Dockerfile

@@ -1,4 +1,4 @@
-FROM hasura/graphql-engine:v1.3.0.cli-migrations-v2
+FROM hasura/graphql-engine:v1.3.1.cli-migrations-v2
 
 # # Copy migrations directory
 COPY ./migrations /hasura-migrations
@@ -19,8 +19,10 @@ ENV HASURA_GRAPHQL_CLI_ENVIRONMENT=default
 # https://github.com/hasura/graphql-engine/issues/5172#issuecomment-653774367
 ENV HASURA_GRAPHQL_MIGRATIONS_DATABASE_ENV_VAR=DATABASE_URL
 
+# Enable JWT
 ENV HASURA_GRAPHQL_JWT_SECRET=HASURA_GRAPHQL_JWT_SECRET
 
+# Secure the GraphQL endpoint
 ENV HASURA_GRAPHQL_ADMIN_SECRET=HASURA_GRAPHQL_ADMIN_SECRET
 
 CMD graphql-engine \

backend/docker-compose.yml

@@ -11,7 +11,7 @@ services:
     environment:
       DATABASE_URL: postgres://postgres:@db:5432/postgres
       HASURA_GRAPHQL_JWT_SECRET: '{"type":"RS256", "key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0U3NR0eyMehHBlx6DK5s\nJ+Pys9dTWf558kpKVeQvL2oIZEY3LvS3/jdrIm/dU4WrIGPki1r/AWXQAyBZ2FKn\nZROcUWN0IqdmxrC5zTDymuscqhKXqxjSwrwOVWHc+zWWmXCQGmDdoCokXd9ZW66n\nA0BN66MdMC2+d5GrZdKUF305dpzTUdzDE12/XwOEUalCM0703eGu8zFwutLYc3+v\nf2CFOQ1z+rvDQD4N2aZABKTxZRtEkMHljnoyKlF9rljNzT/5N8YQE7qn4pBh6CMa\n1zcSilk9nhgl55n/Kjn2xMieWdIalaOEKw1LqqIjiT1ESkAKfPaIoSSnmTaYy78g\nbwIDAQAB\n-----END PUBLIC KEY-----\n"}'
-      HASURA_GRAPHQL_ADMIN_SECRET: "secret"
+      HASURA_GRAPHQL_ADMIN_SECRET: secret
       PORT: 8080
     ports:
       - "8080:8080"

backend/metadata/tables.yaml

@@ -16,10 +16,9 @@
   insert_permissions:
   - role: user
     permission:
-      check:
-        author_id:
-          _eq: X-Hasura-User-Id
+      check: {}
       columns:
+      - author_id
       - body
       backend_only: false
   select_permissions:

frontend/.env.example

@@ -1,10 +1,7 @@
 NEXT_PUBLIC_API_URL=http://localhost:8080/v1/graphql
 NEXT_PUBLIC_WS_URL=ws://localhost:8080/v1/graphql
-DATABASE_URL=postgres://postgres:@localhost:5432/postgres
-AUTH_PRIVATE_KEY=""
-AUTH_PUBLIC_KEY=""
-EMAIL_SERVER=""
-EMAIL_FROM=noreply@example.com
+NEXT_PUBLIC_DATABASE_URL=postgres://postgres:@localhost:5432/postgres
+AUTH_PRIVATE_KEY='{"type":"RS256", "key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA0U3NR0eyMehHBlx6DK5sJ+Pys9dTWf558kpKVeQvL2oIZEY3\nLvS3/jdrIm/dU4WrIGPki1r/AWXQAyBZ2FKnZROcUWN0IqdmxrC5zTDymuscqhKX\nqxjSwrwOVWHc+zWWmXCQGmDdoCokXd9ZW66nA0BN66MdMC2+d5GrZdKUF305dpzT\nUdzDE12/XwOEUalCM0703eGu8zFwutLYc3+vf2CFOQ1z+rvDQD4N2aZABKTxZRtE\nkMHljnoyKlF9rljNzT/5N8YQE7qn4pBh6CMa1zcSilk9nhgl55n/Kjn2xMieWdIa\nlaOEKw1LqqIjiT1ESkAKfPaIoSSnmTaYy78gbwIDAQABAoIBAF+3t+AYLqraMdj7\n46j2/2lCupR6LZkjYntmdBZRky6YzBunbMchjR9KEsmd5Na0c20NodAFHkdyWy2C\n1vOx4PG9hShHVi4e5kaJPX9UGi60xNgWRpwtbv01aUysw5VyjVvAeXZGxDPh8d2o\nLcJa3fADsV7IqqmE0ez2hi67nZQbkbEUbKs7aGfCE6srCfjCfOadfNnto9+7qDjJ\nnd4rK18H1rBSLTqj4T7wd1K8THgo25vjEuVRbGsEVrNB/B1Dz0pdOqhqukzixfcS\nVL/7uYDXehLasmUQu2VtMFsLqDpAbQgvpoNnzeZuB0WARvygSi/n4t+pCi84hXXe\na1m/01kCgYEA6+i5FwJAPxe2oCc0iignHjA20itTalyUhgJrLa8tTs721GJ3ku0A\n/EJVgmoNOLCQnZMldWvEDGmf6QuaWitq8ZWK/0BmHrEjbDA7m1fPdf3hrNx6eH/i\nazxjAoWA/u0yZg6QvUC7hSOO6WEpFYGuc2+/mHlnm5RLdL3QNIlHyyUCgYEA4yEI\n2deZ9MgmxbnFc76u7VhT1lc1MHpuAcDR3hqKT9xH2fTBaTDpVqeFbQJR5Hu+ZqgT\nL3+zV5kzIz3RaNMGN1IaxDEEx+tDnL9aw8sqawauWZtp7W2EeFvtP8uhHiBWpqVl\nvus6Gpl6hpNg6X96vHRcW+mB13I/h5YWA25EEwMCgYA5YbkrvJNuBVGZsQ+Zj1y8\nfhPHmVxH4c8KranuSc7mfXcSgAT/ywBTW7s65prisCfs/C6/WgAs2MBZykW4Kxlv\nO+W8Yqi0THgGR9En3vsKgz+ScWqkxs6HMQAQS/LtjzqUEnToY8d5AgYwBD8fCRUq\n5QKgjt9Bu5eDBOyQ6td4tQKBgBtDrOdRfTaoDBdyHGSvgBoXn0C8iTL/j1MAjXDG\n6NF7VNiyC8GP0ILJazfRrnjp7cou5Nav0pxyVHQniIq3wihD39irNbK16BDZ25Bj\nQ/1C+Qzing2VNvCnwEwHKpkOMrigZB1N6VSmFdIvwNNmrRoQMcIKvr5ZBY1GE/Bn\nfR53AoGBAIXaWIoDW5d9XwFa8HdxkgMPyLlizckZKyXASYEGWD2VU8P1NwA/bZ1t\nymioQPRJymTBfUL6E44Ebwx25DezjYEun1yqouZ+WZBlsEYtssffzTs2IocZ6aCN\nYfzt3orUEI/rWbRSqYFEuOntzzf3a7r3MtDU41e7iXcNkRSxCAIV\n-----END RSA PRIVATE KEY-----\n"}'
 NEXTAUTH_URL=http://localhost:3000
 GOOGLE_CLIENT_ID=""
 GOOGLE_CLIENT_SECRET=""

frontend/components/pages/feeds/add-new-feed-form.tsx

@@ -18,8 +18,8 @@ import { useSession } from "next-auth/client";
 import AccessDeniedIndicator from "components/access-denied-indicator";
 
 const insertFeedMutation = gql`
-  mutation insertFeed($userId: uuid!, $body: String) {
-    insert_feeds_one(object: { author_id: $userId, body: $body }) {
+  mutation insertFeed($author_id: uuid!, $body: String) {
+    insert_feeds_one(object: { author_id: $author_id, body: $body }) {
       id
     }
   }
@@ -45,7 +45,7 @@ const AddNewFeedForm = () => {
 
   const handleSubmit = async () => {
     await insertFeed({
-      userId: session.id,
+      author_id: session.id,
       body,
     });
 

frontend/components/pages/my-account/index.tsx

@@ -101,10 +101,7 @@ const MyAccountPageComponent = () => {
     <Stack spacing={4}>
       <Heading color={color[colorMode]}>My Account</Heading>
       {errorNode()}
-      <Grid
-        templateColumns={["repeat(1, 1fr)", "repeat(1, 1fr)", "repeat(2, 1fr)"]}
-        gap={4}
-      >
+      <Grid templateColumns="repeat(1, 1fr)" gap={4}>
         <Box
           p={4}
           bg={bgColor[colorMode]}

frontend/lib/with-graphql.tsx

@@ -12,15 +12,14 @@ const WithGraphQL = ({
   session: session;
   children: ReactNode;
 }) => {
-  const userIdInString =
-    "Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjUwMzFjMWNiLTZiNDItNDM3MS04NjYyLTA2MTNjOGIxM2Y2ZCIsIm5hbWUiOiJOaXJtYWx5YSBHaG9zaCIsImVtYWlsIjoibmlybWFseWEuZ2hvc2hAYW90LmVkdS5pbiIsInBpY3R1cmUiOiJodHRwczovL2xoMy5nb29nbGV1c2VyY29udGVudC5jb20vYS0vQU9oMTRHakVmTGVJMWU5TVUwN0oxX0NQY0lWZTB1M2dUZFBiTDMwbGx0VHAiLCJodHRwczovL2hhc3VyYS5pby9qd3QvY2xhaW1zIjp7IngtaGFzdXJhLWFsbG93ZWQtcm9sZXMiOlsiYWRtaW4iLCJ1c2VyIl0sIngtaGFzdXJhLWRlZmF1bHQtcm9sZSI6InVzZXIiLCJ4LWhhc3VyYS1yb2xlIjoidXNlciIsIngtaGFzdXJhLXVzZXItaWQiOiI1MDMxYzFjYi02YjQyLTQzNzEtODY2Mi0wNjEzYzhiMTNmNmQifSwiaWF0IjoxNTk4MzQzMjAzLjE3MiwiZXhwIjoxNTk4NDI5NjAzLCJzdWIiOiI1MDMxYzFjYi02YjQyLTQzNzEtODY2Mi0wNjEzYzhiMTNmNmQifQ.v4U72YmlDDpYQ6J9bpTtdwHGI8mvRMIcvRl1SmlIPDQ22CXB4iUw_ENut0xLdnYyWCzV91QjQTZtkpxfoTEWs3kxsVvxeZLYMpvlnd61WVA0dVOOVbgtWHXpGVkHBlRITiw4TVGlDpbxFcaeM2dUV2kCF52BI45gxnPF40BCHKKe3MvhdQbYunQP_dCn65Zb6efKyjLri_BQw7hcBjSCrkAokWg8219KH3VfrNl-E6HVFADhq3P2aVUzSCoEKKpNvEyo81jUTpF-3avpffiJN-LDuy_nTdJmxMUoV4CjQbBfJdneFYVKKazKuS0XFzL2ZJ6ODZsK-p4IeGgiBhoy9A";
+  const token = `Bearer ${session.token}`;
 
   const subscriptionClient = new SubscriptionClient(
     process.env.NEXT_PUBLIC_WS_URL || "ws://localhost:8080/v1/graphql",
     {
       reconnect: true,
       connectionParams: {
-        headers: { Authorization: userIdInString },
+        headers: { Authorization: token },
       },
     },
     ws
@@ -30,7 +29,7 @@ const WithGraphQL = ({
     url: process.env.NEXT_PUBLIC_API_URL || "http://localhost:8080/v1/graphql",
     fetch,
     fetchOptions: {
-      headers: { Authorization: userIdInString },
+      headers: { Authorization: token },
     },
     requestPolicy: "cache-and-network",
     exchanges: [

frontend/pages/api/auth/[...nextauth].ts

@@ -6,12 +6,10 @@ import ISession from "types/session";
 import IUser from "types/user";
 import iToken from "types/token";
 
+const jwtSecret = JSON.parse(process.env.AUTH_PRIVATE_KEY);
+
 const options = {
   providers: [
-    Providers.Email({
-      server: process.env.EMAIL_SERVER,
-      from: process.env.EMAIL_FROM,
-    }),
     Providers.Google({
       clientId: process.env.GOOGLE_CLIENT_ID,
       clientSecret: process.env.GOOGLE_CLIENT_SECRET,
@@ -39,42 +37,33 @@ const options = {
         sub: token.id,
       };
 
-      const signOptions = {
-        algorithm: "RS256",
-      };
-
-      const encodedToken = jwt.sign(
-        tokenContents,
-        process.env.AUTH_PRIVATE_KEY.replace(/\\n/gm, "\n") || secret,
-        // @ts-ignore
-        signOptions
-      );
+      const encodedToken = jwt.sign(tokenContents, jwtSecret.key, {
+        algorithm: jwtSecret.type,
+      });
 
       return encodedToken;
     },
     decode: async ({ token, secret }: { token: string; secret: string }) => {
-      const signOptions = {
-        algorithms: ["RS256"],
-      };
-
-      const decodedToken = jwt.verify(
-        token,
-        process.env.AUTH_PRIVATE_KEY.replace(/\\n/gm, "\n") || secret,
-        // @ts-ignore
-        signOptions
-      );
+      const decodedToken = jwt.verify(token, jwtSecret.key, {
+        algorithms: jwtSecret.type,
+      });
 
       return decodedToken;
     },
   },
   debug: true,
   callbacks: {
     session: async (session: ISession, user: IUser) => {
+      const encodedToken = jwt.sign(user, jwtSecret.key, {
+        algorithm: jwtSecret.type,
+      });
+
       session.id = user.id;
+      session.token = encodedToken;
 
       return Promise.resolve(session);
     },
-    jwt: async (token: iToken, user: IUser) => {
+    jwt: async (token: iToken, user: IUser, account, profile, isNewUser) => {
       const isSignIn = user ? true : false;
 
       if (isSignIn) {

frontend/types/session.ts

@@ -6,4 +6,5 @@ export default interface ISession {
   };
   id: number;
   expires: string;
+  token: string;
 }