...

Implementing the login Mutation

How to implement login functionality in GraphQL using cookies.

So far, we’ve only done the prep work to implement authentication in our application. In this lesson, we’ll take the next step and implement the login mutation, which will receive a user’s credentials, compare them against the record stored in the database, and issue a signed JWT.

Since this will take some effort, we’ll focus on the login mutation in this lesson and leave the authorization and the logOut mutation for the next lesson.

Signing a JWT token

One question we haven’t talked about is, “Why is it safe to send a JWT that contains information about a user?” After all, a JWT is self-contained and can carry crucial data such as the user ID, the user’s role, and permissions. So, what stops someone from editing a JWT to impersonate another user or grant themselves the admin role?

To prevent this, the server signs every JWT it issues and verifies that signature on every incoming request. A valid signature proves that the token was issued by this server and that neither its header nor its payload has been altered since. Two caveats matter in practice. First, a signature protects integrity, not confidentiality: the header and payload are only base64url-encoded, so anyone holding the token can read the user ID and role inside it, and secrets must never go into the payload. Second, the server must pin the algorithm it expects rather than trusting the token’s own alg header, so that a token claiming alg “none”, or an algorithm other than the one the server signs with, is rejected before any signature check.

To sign a JWT with a symmetric (HMAC) scheme, we need a secret that stays on the server and is used both to produce the signature at login and to verify it on every later request.

// server/src/auth.js
// Placeholder secret used for the lessons only: a hard-coded string in
// source code must not reach a real deployment.
const JWT_SECRET = 'secret'

module.exports = {
  JWT_SECRET
}

In an actual application, we would need a more sophisticated solution involving a secrets manager, ...