
Authentication with Session / User instead of api key

Open Graphicscore opened this issue 5 years ago • 15 comments

Hi, I was wondering if there is any support for authenticating GraphQL / Webservice queries with a pimcore user / session. I don't want to use a static api key but would like to use some sort of session tokens that will be acquired through a login.

Did I miss something or is there a trick? 😄

Graphicscore avatar Apr 22 '20 19:04 Graphicscore

Related to: #156

julkue avatar Apr 23 '20 06:04 julkue

Using sessions can be a real performance killer. Using something like JWT should be the better approach while working with API frameworks, right?

solverat avatar Apr 23 '20 06:04 solverat

@solverat I would be fine with using JWT. I would like to restrict access to certain parts of the API and/or return data based on who is doing the request. For example, having multiple users with different user groups and returning different data depending on which user group they have. Is there something like this planned, or is there some documentation on how I would do that?

Graphicscore avatar Apr 23 '20 06:04 Graphicscore

@Graphicscore I love that someone brings this up. I've already asked for this on the last Pimcore conference.

I agree, would be great to consider personalized content in this regard too. DataHub should step by step offer all of the Pimcore specific features (also e.g. Tag & Snippet Management, etc.) in the GraphQl API too.

julkue avatar Apr 23 '20 07:04 julkue

For this, you can override the GraphQL WebserviceController and in that, you can add an extra security check in the performSecurityCheck function like below

```php
// $request and $securityConfig are the variables available inside the
// overridden performSecurityCheck(); User is the poster's own DataObject class
// with a userToken field (assumption based on the getByUserToken() call).
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

$apiKey = $request->headers->get('X-Api-Key');
$token = $request->headers->get('token');
$userObj = User::getByUserToken($token, 1);
if ($apiKey === $securityConfig['apikey']) {
    if ($userObj) {
        if ($userObj->getUserToken() === $token) {
            return;
        } else {
            throw new AccessDeniedHttpException('invalid token');
        }
    } else {
        throw new AccessDeniedHttpException('invalid token');
    }
} else {
    // Fallback: an api key passed as a query parameter is accepted on its own,
    // without any user token check.
    $apiKey = $request->get('apikey');
    if ($apiKey === $securityConfig['apikey']) {
        return;
    }
}
```

rajesh17692 avatar Aug 02 '20 10:08 rajesh17692

@rajesh17692 have you integrated JWT with Graph-Ql in Pimcore?

pimcoremohit31 avatar Sep 25 '20 12:09 pimcoremohit31

Yes

rajesh17692 avatar Sep 25 '20 14:09 rajesh17692

@rajesh17692 That's great... I am also using JWT with Graph-Ql and I want to authenticate with JWT. Can you help me by providing the configuration code? Actually, I have used your code in my code but I am not able to call this code `$userObj = User::getByUserToken($token,1);`. I mean, how will I get the token from the User class? Can you please explain in detail? Thank you in advance.

pimcoremohit31 avatar Sep 25 '20 14:09 pimcoremohit31

@pimcoremohit31 I am storing the token of the user with their data when the user tries to log in, so with the next request we can compare the token.

rajesh17692 avatar Sep 25 '20 14:09 rajesh17692

@rajesh17692 Okay. Then how are you handling the expiry time for the token?

pimcoremohit31 avatar Sep 25 '20 14:09 pimcoremohit31

@pimcoremohit31 sorry, I am using the below token generation method

Csrf\TokenGenerator\UriSafeTokenGenerator();

rajesh17692 avatar Sep 25 '20 14:09 rajesh17692

@rajesh17692 Okay. So, you are not using the JWT bundle?

pimcoremohit31 avatar Sep 25 '20 14:09 pimcoremohit31

No. You can use JWT instead, and to validate the token with every request you can create a helper function and validate it after getting the data from the user account.

rajesh17692 avatar Sep 25 '20 14:09 rajesh17692
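A helper of the kind suggested in the last two replies, as an added example that is neither from this thread nor from Pimcore or the data-hub bundle: it verifies an HS256 JWT sent as a bearer header, pins the algorithm, compares the signature in constant time, enforces the `exp` claim server-side (which covers the expiry question raised above), and returns the claims so a performSecurityCheck() override can filter data by user group. The header name, the shared secret and the claim names are assumptions.

```php
<?php
// Added example, not code from this thread or from Pimcore / data-hub. Assumptions:
// token arrives as "Authorization: Bearer <jwt>", $secret is the HS256 key shared
// with the issuing login endpoint, payload carries "sub", "groups", "exp" (unix time).
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
function base64UrlDecode(string $data): string
{
    $padded = str_pad(strtr($data, '-_', '+/'), (int) ceil(strlen($data) / 4) * 4, '=');
    $decoded = base64_decode($padded, true);
    if ($decoded === false) {
        throw new AccessDeniedHttpException('malformed token');
    }
    return $decoded;
}

/** Verifies signature and expiry of an HS256 JWT; returns its claims or throws. */
function verifyHs256Jwt(string $jwt, string $secret, int $now): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new AccessDeniedHttpException('malformed token');
    }
    [$header64, $payload64, $sig64] = $parts;
    $header = json_decode(base64UrlDecode($header64), true);
    // Pin the algorithm server-side; never trust "alg" from the token itself.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        throw new AccessDeniedHttpException('unsupported algorithm');
    }
    $expected = hash_hmac('sha256', $header64 . '.' . $payload64, $secret, true);
    if (!hash_equals($expected, base64UrlDecode($sig64))) {  // constant-time compare
        throw new AccessDeniedHttpException('invalid signature');
    }
    $claims = json_decode(base64UrlDecode($payload64), true);
    // Expiry lives in the signed token, so no stored-token lookup is needed per request.
    if (!is_array($claims) || !is_int($claims['exp'] ?? null) || $claims['exp'] <= $now) {
        throw new AccessDeniedHttpException('token expired');
    }
    return $claims;
}

/** Call from an overridden performSecurityCheck(); the returned claims drive data filtering. */
function authenticateRequest(Request $request, string $secret): array
{
    $auth = (string) $request->headers->get('Authorization', '');
    if (strncmp($auth, 'Bearer ', 7) !== 0) {
        throw new AccessDeniedHttpException('missing bearer token');
    }
    return verifyHs256Jwt(substr($auth, 7), $secret, time());
}
```

The `groups` claim from the returned array is what a resolver would consult to decide which data a request may see, in place of the per-user token lookup above.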

Okay. Thank you @rajesh17692 for your help.

pimcoremohit31 avatar Sep 25 '20 14:09 pimcoremohit31

Thanks a lot for reporting the issue. We did not consider the issue as "Pimcore:Priority", "Pimcore:ToDo" or "Pimcore:Backlog", so we're not going to work on that anytime soon. Please create a pull request to fix the issue if this is a bug report. We'll then review it as quickly as possible. If you're interested in contributing a feature, please contact us first here before creating a pull request. We'll then decide whether we'd accept it or not. Thanks for your understanding.

github-actions[bot] avatar Jan 21 '24 07:01 github-actions[bot]