One of the most common layers in web applications is the authentication system, and our app is no exception. We are going to use JWT tokens to authenticate users; let's see how that works.
JWT (JSON Web Token) is a signed string that lets the server verify who is using the application. Every token is made of three parts, written as
xxxxx.yyyyy.zzzzz, and these parts are called the Header, the Payload and the Signature. Explaining these parts in detail is more about JWT than about our application; you can read more about them here.
Whenever a user logs in, the server generates a token for that user. Usually the server stores some information about the user in the token, such as the username, so that it can recognize the user later from the token alone. The token is signed with a key, so only the issuing app, which holds that key, can create or verify a valid token. Note that the payload itself is only base64-encoded, not encrypted, so nothing secret should be placed in it.
We are going to implement this behavior in our app.
In our app we need to generate a token for users when they sign up or log in, and a middleware that authenticates users from the token they send, so that in our resolvers we know which user is interacting with the app. We will be using the
github.com/dgrijalva/jwt-go library to generate and parse JWT tokens.
We create a new directory, pkg, in the root of our application. You have seen that we used internal for code that should only be used within our app; the pkg directory is for code we don't mind other projects importing, and generating and validating JWT tokens is that kind of code. There is also a concept called claims; it is not limited to JWT, and we'll see more about it in the rest of this section.
Let's talk about what the code above does:
So far we can generate a token for each user, but before generating a token we need to make sure the user exists in our database. Simply put, we query the database for a user matching the given username and password. The other piece is registration: when a user registers, we insert the username and the (hashed) password into our database.
The Create function is much like the CreateLink function we saw earlier, but let's break down the Authenticate code:
QueryRow() will return a pointer to a
With the .Scan method we fill the hashedPassword variable with the hashed password from the database. Obviously you don't want to store raw passwords in your database.
false, and if we find one we check the stored hashedPassword against the raw password given. (Notice that we save hashed passwords, not raw passwords, in the database on line 23.)
In the next part we put the tools we have built together to identify the user that is using the app.
Every time a request arrives, we want to recognize the user sending it before it reaches the resolver. Without middleware we would have to repeat that code before every resolver; with middleware we can write a single auth middleware that runs before the request is handed to the resolver and does the authentication. To read more about middleware, visit.
We use this function to fetch the user object by username in the authentication middleware.
And now let's create our auth middleware; for more information visit the gql authentication docs.
Now we use the middleware we declared in our server:
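As an added example (not the tutorial's code and not jwt-go's own), here is the token generation and the validation step the middleware relies on, written against the standard library only so the checks are visible: HS256 signing over header.payload, the algorithm pinned in the verifier rather than read from the token, and the signature verified before any claim is trusted. The secret, the exp claim, the ttl parameter and the function names are assumptions for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
var secret = []byte("demo-secret-change-me") // constructed demo key; load the real one from config, never from source
var enc = base64.RawURLEncoding              // JWT uses unpadded base64url for all three parts
type Claims struct {
	Username string `json:"username"` // what the tutorial stores in the token
	Exp      int64  `json:"exp"`      // expiry as unix seconds; an assumption added here, not in the tutorial
}
// sign computes HMAC-SHA256 over "header.payload" with the server key, which is what HS256 in jwt-go does.
func sign(signingInput string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}
// GenerateToken builds the header.payload.signature string handed to a user at sign-up or login.
func GenerateToken(username string, ttlSeconds, now int64) string {
	payload, _ := json.Marshal(Claims{Username: username, Exp: now + ttlSeconds}) // cannot fail for this struct
	input := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	return input + "." + enc.EncodeToString(sign(input))
}
// ParseToken is the middleware's check: algorithm pinned, signature verified before any claim is trusted, expiry enforced.
func ParseToken(token string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var h struct{ Alg string `json:"alg"` }
	var c Claims
	hdr, errH := enc.DecodeString(parts[0])
	body, errB := enc.DecodeString(parts[1])
	sig, errS := enc.DecodeString(parts[2])
	if errH != nil || errB != nil || errS != nil || json.Unmarshal(hdr, &h) != nil {
		return nil, errors.New("malformed token")
	}
	if h.Alg != "HS256" || !hmac.Equal(sig, sign(parts[0]+"."+parts[1])) {
		return nil, errors.New("unexpected algorithm or invalid signature")
	}
	if json.Unmarshal(body, &c) != nil || now >= c.Exp {
		return nil, errors.New("expired or unreadable claims")
	}
	return &c, nil
}
```

In the middleware, ParseToken is what you would run on the token taken from the request header before looking the user up by the username claim and attaching it to the context.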