Authentication

Creating Users

So far you’ve been working only with the Link type, but it’s time to include User as well so that the app can show who posted a link and who voted on it.

You’ll need some registered users for this, so start by implementing the mutation for creating them.

This generates a user.rb file in app/models.

Now we have users, which are required to have name and email.

They also have a secure password. But in order for has_secure_password, bcrypt gem. It used encrypting and verifying user passwords.

Now when we have our user model and its GraphQL type. We need a way to create users. Users would be created by name, email and password.

Now, you can create a new user using GraphiQL:

Sign in Mutation

Now that you have users, how would you sign them in using GraphQL? With a new mutation, of course! Mutations are a way for the client to talk to the server whenever it needs an operation that isn’t just about fetching data.

For this first time signing users in through GraphQL you’ll be using a simple email/password login method, returning a token that can be used in subsequent requests for authentication.

Note that this is NOT supposed to be a production-ready authentication feature, but just a small functioning prototype to show the basic concept. In a real app, you should make sure to encrypt passwords properly before passing them around and use a good token generation method, such as JWT.

Again, the workflow for adding this mutation will be very similar to the ones we’ve done before:

Now, you can get the token by using GraphiQL:

Authenticating requests

With the token that the signinUser mutation provides, apps can authenticate subsequent requests. There are couple of ways this can be done. In this tutorial we are just going to use the built-in session, since this doesn’t add any requirements to the client application. The GraphQL server should be able to get the token from the session header on each request, detect what user it relates to, and pass this information down to the resolvers.

The best place to put data shared between resolvers is in the context object. You’ll need that object to be different in every request now though, since each one may be from a different user.

This is pretty straightforward since the generated token is so simple. Like was said before, make sure to check out a different token method out there when building a real world application though, such as JWT.

Linking User to Created Links

Your server can now detect the user that triggered each GraphQL request. This could be useful in many situations. For example, the authenticated user should be exactly the one that posted a link being created with the createLink mutation. You can now store this information for each link.

First run rails generate migration add_user_id_link.

It generates a database migration.

Done! Now when you post links, they will be attached to your user, so you have to run signinUser beforehand.

Next Chapter

Connecting Nodes

Learn best practices for implementing advanced GraphQL mutations with Ruby and graphql-ruby. You can test your implementation in a GraphiQL Playground.

Go to next chapter