Authentication

Neo4j GraphQL will expect there to be an authorization header in the request object, which means you can authenticate users however you like. You could; Have a custom sign-in mutation, integrate with Auth0, or roll your own SSO server. The point here is that it’s just a JWT, in the library, we will decode it to make sure it’s valid - but it’s down to you to issue tokens.

1. OGM

Here we will use the OGM to set up a hypothetical sign-in flow;

const { Neo4jGraphQL } = require("@neo4j-graphql");
const { createJWT, comparePassword } = require("./utils"); // example
const { ApolloServer } = require("apollo-server");
const { OGM } = require("@neo4j-graphql-ogm");

const typeDefs = `
    type User {
        id: ID @id
        email: String!
        password: String!
    }

    type Mutation {
        signIn(email: String!, password: String!): String ## token
    }
`;

const driver = neo4j.driver("bolt://localhost:7687", neo4j.auth.basic("admin", "password"));

const ogm = new OGM({
    typeDefs,
    driver,
});

const User = ogm.model("User");

const resolvers = {
    Mutation: {
        async signIn(root, { email, password }) {
            const [existing] = await User.find({
                where: {
                    email,
                },
            });

            if (!existing) {
                throw new Error("not found");
            }

            const equal = await comparePassword(password, existing.password);
            if (!equal) {
                throw new Error("bad password");
            }

            return createJWT({
                sub: user.id,
            });
        },
    },
};

const neoSchema = new Neo4jGraphQL({
    typeDefs,
    resolvers,
    driver,
    config: {
        jwt: {
            secret
        }
    }
});

const server = new ApolloServer({
    schema: neoSchema.schema,
    context: ({ req }) => ({ req }),
});

server.listen(4000).then(() => console.log("online"));

2. isAuthenticated

This is the most basic of auth. Used to ensure that there is a valid decoded JWT in the request. The most basic of applications could look something like this;

type Todo {
    id: ID
    title: String
}

extend type Todo @auth(rules: [{ isAuthenticated: true }])