One of the most common layers in a web applications is the authentication layer. Our app is no exception. For authentication, we are going to use JWT tokens as the way to authenticate users. Let’s see how it works.
JWT or Json Web Token is a string containing a hash that helps us authenticate users. Every token is constructed of 3 parts, like
xxxxx.yyyyy.zzzzz. These three parts are: Header, Payload, and Signature. We won’t go into these three parts, because this is more about JWT and less about our application. You can read more about this here.
Whenever a user logs in into our application, the server generates a token. Usually, the server includes information, like the username, in the token to be able to recognize the user later on. These tokens get signed by a secret key, so only the issuer (our application) can read the contents of the token.
We are going to implement this behavior in our application.
In our app, we need to be able to generate a token for users when they sign up or login. We also need to create some middleware to authenticate users by the given token, so we know who’s connected to our server. We will be using the
github.com/dgrijalva/jwt-go library to generate and parse JWT tokens.
We’ll create a new directory called
pkg in the root of our application. You have seen that we’ve used
internal for what we want to only be internally used within our app. The
pkg directory is for files that could be imported anywhere in our application. JWT generation and validation scripts files like this.
There is a concept called “claims”. We’ll see more about it in rest of the section.
Let’s talk about what the code above does:
Now we can generate a token for each user. Before generating a token for every user, we need to make sure the user exists in our database. To do this, we just need to query the database to match the user with the given username and password. When a user tries to register we need to insert the username and password in our database.
The Create function is much like the CreateLink function we saw earlier. Let’s break down the Authenticate code:
QueryRow()will return a pointer to a
.Scanmethod we fill the hashedPassword variable with the hashed password from database. Obviously you don’t want to save raw passwords in your database.
false. If we found a match, we check the user hashedPassword with the raw password given.(Notice that we save hashed passwords not raw passwords in database in line 23)
In the next part, we gather the tools we have to detect which user is using the app.
Every time a request comes to our resolver, we need to know which user is sending the request. To accomplish this, we have to write middleware that’s executed before the request reaches the resolver. This middleware resolves the user from the incoming request and passes this on to the resolver.
We use this function to get user object with username in the authentication middeware.
And now let’s create our auth middleware. For more information visit gql authentication docs.
Now we can use the middleware we created in our server: