feat: add cookie-based authentication support#663
Draft
pyramation wants to merge 5 commits into main from
- Add SuperTestAdapter to graphql-server-test for HTTP testing with cookie support
- Add enableCookieAuth flag to ApiOptions (defaults to false for backward compatibility)
- Implement cookie auth middleware in graphql-server
- Add cookie-parser middleware to server
- Cookie auth checks for 'session' cookie and validates against session_credentials

When enableCookieAuth is true, the server will:
1. First check for a session cookie
2. Fall back to Bearer token authentication
3. Maintain backward compatibility when disabled
Contributor
🤖 Devin AI Engineer: I'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
- Add authSettingsCache to cache auth settings per service key
- Query enable_cookie_auth from constructive_auth_private.auth_settings()
- Remove static enableCookieAuth from ApiOptions
- Settings are loaded once per database/API and cached for 1 hour

- Use rlsModule.privateSchema.schemaName instead of hardcoded schema
- Fetch all app_auth_settings properties (CSRF, session durations, etc.)
- Add DEFAULT_AUTH_SETTINGS constant for fallback values
feat: add cookie-based authentication support

Summary

This PR adds optional cookie-based authentication to the GraphQL server, with settings loaded dynamically from the database rather than static configuration.

Key changes:

- SuperTestAdapter (graphql-server-test): New adapter that wraps SuperTest for HTTP-based testing with automatic cookie jar support, enabling SDK-based cookie auth testing
- Cookie auth middleware (graphql-server): Auth middleware queries auth_settings() from the RLS module's private schema to determine if cookie auth is enabled, with results cached per service key for 1 hour
- authSettingsCache using LRUCache to avoid per-request database queries

When cookie auth is enabled in the database, the auth flow is:

- Check for the session cookie → validate via existing authFn
- If enable_cookie_auth is false or the query fails, only Bearer token auth is used

Updates since last revision

- Use rlsModule.privateSchema.schemaName instead of hardcoding constructive_auth_private - same pattern as the authenticate function
- AuthSettings interface now includes all app_auth_settings columns (CSRF, session durations, password policies, etc.) for future use
- Add DEFAULT_AUTH_SETTINGS constant with sensible fallback values
- enable_cookie_auth column to app_auth_settings table

Review & Testing Checklist for Human

- enable_cookie_auth column: The server will gracefully default to false if the column doesn't exist, but cookie auth won't work.
- auth_settings() function exists: The middleware queries "${privateSchemaName}".auth_settings() - confirm this function exists in the RLS module's private schema and returns the expected columns
- SESSION_COOKIE_NAME = 'session' is hardcoded - confirm this matches the expected cookie name in constructive-db

Recommended test plan:

- Set enable_cookie_auth = true in app_auth_settings for a test database
- pnpm link
- enable_cookie_auth = false

Notes

- If the auth_settings() query fails (e.g., function doesn't exist), the middleware logs a debug message and defaults to enableCookieAuth: false
- Only enableCookieAuth is currently used - others are available for future middleware enhancements
- buildContext logic between auth.ts and graphile.ts that could be extracted to a shared utility in a follow-up

Link to Devin run: https://app.devin.ai/sessions/15f2361412c346e6af808078720ad575
Requested by: Dan Lynch (@pyramation)