Skip to content

How to authenticate using GraphQL Cookies and JWT

An authentication process example for a GraphQL API powered by Apollo, using Cookies and JWT

In this tutorial I’ll explain how to handle a login mechanism for a GraphQL API using Apollo.

We’ll create a private area that depending on your user login will display different information.

In detail, these are the steps:

The code for this tutorial is available on GitHub at https://github.com/flaviocopes/apollo-graphql-client-server-authentication-jwt

Let’s start.

WARNING! This tutorials is old. Apollo is now using @apollo/xxx rather than apollo-xxx, do your research until I update it :)

I start up the client application

Let’s create the client side part using create-react-app, run npx create-react-app client in an empty folder.

Then call cd client and npm install all the things we’ll need so that we don’t need to go back later:

npm install apollo-client apollo-boost apollo-link-http apollo-cache-inmemory react-apollo apollo-link-context @reach/router js-cookie graphql-tag

The login form

Let’s start by creating the login form.

Create a Form.js file in the src folder, and add this content into it:

import React, { useState } from 'react'
import { navigate } from '@reach/router'

const url = 'http://localhost:3000/login'

const Form = () => {
  const [email, setEmail] = useState('')
  const [password, setPassword] = useState('')

  const submitForm = event => {
    event.preventDefault()

    const options = {
      method: 'post',
      headers: {
        'Content-type': 'application/x-www-form-urlencoded; charset=UTF-8'
      },
      body: `email=${email}&password=${password}`
    }

    fetch(url, options)
    .then(response => {
      if (!response.ok) {
        if (response.status === 404) {
          alert('Email not found, please retry')
        }
        if (response.status === 401) {
          alert('Email and password do not match, please retry')
        }
      }
      return response
    })
    .then(response => response.json())
    .then(data => {
      if (data.success) {
        document.cookie = 'token=' + data.token
        navigate('/private-area')
      }
    })
  }

  return (
    <div>
      <form onSubmit={submitForm}>
        <p>Email: <input type="text" onChange={event => setEmail(event.target.value)} /></p>
        <p>Password: <input type="password" onChange={event => setPassword(event.target.value)} /></p>
        <p><button type="submit">Login</button></p>
      </form>
    </div>
  )
}

export default Form

Here I assume the server will run on localhost, on the HTTP protocol, on port 3000.

I use React Hooks, and the Reach Router. There’s no Apollo code here. Just a form and some code to register a new cookie when we get successfully authenticated.

Using the Fetch API, when the form is sent by the user I contact the server on the /login REST endpoint with a POST request.

When the server will confirm we are logged in, it will store the JWT token into a cookie, and it will navigate to the /private-area URL, which we haven’t built yet.

Add the form to the app

Let’s edit the index.js file of the app to use this component:

import React from 'react'
import ReactDOM from 'react-dom'
import { Router } from '@reach/router'
import Form from './Form'

ReactDOM.render(
  <Router>
    <Form path="/" />
  </Router>
  document.getElementById('root')
)

The server side

Let’s switch server-side.

Create a server folder and run npm init -y to create a ready-to-go package.json file.

Now run

npm install express apollo-server-express cors bcrypt jsonwebtoken

Next, create an app.js file.

In here, we’re going to first handle the login process.

Let’s create some dummy data. One user:

const users = [{
  id: 1,
  name: 'Test user',
  email: '[email protected]',
  password: '$2b$10$ahs7h0hNH8ffAVg6PwgovO3AVzn1izNFHn.su9gcJnUWUzb2Rcb2W' // = ssseeeecrreeet
}]

and some TODO items:

const todos = [
  {
    id: 1,
    user: 1,
    name: 'Do something'
  },
  {
    id: 2,
    user: 1,
    name: 'Do something else'
  },
  {
    id: 3,
    user: 2,
    name: 'Remember the milk'
  }
]

The first 2 of them are assigned to the user we just defined. The third item belongs to another user. Our goal is to log in the user, and show only the TODO items belonging to them.

The password hash, for the sake of the example, was generated by me manually using bcrypt.hash() and corresponds to the ssseeeecrreeet string. More info on bcrypt here. In practice you’ll store users and todos in a database, and password hashes are created automatically when users register.

Handle the login process

Now, I want to handle the login process.

I load a bunch of libraries we’re going to use, and initialize Express to use CORS, so we can use it from our client app (as it’s on another port), and I add the middleware that parses urlencoded data:

const express = require('express')
const cors = require('cors')
const bcrypt = require('bcrypt')
const jwt = require('jsonwebtoken')
const app = express()
app.use(cors())
app.use(express.urlencoded({
  extended: true
}))

Next I define a SECRET_KEY we’ll use for the JWT signing, and I define the /login POST endpoint handler. There’s an async keyword because we’re going to use await in the code. I extract the email and password fields from the request body, and I lookup the user in our users “database”.

If the user is not found by its email I send an error message back.

Next, I check if the password does not match the hash we have, and send an error message back if so.

If all goes well, I generate the token using the jwt.sign() call, passing the email and id as user data, and I send it to the client as part of the response.

Here’s the code:

const SECRET_KEY = 'secret!'

app.post('/login', async (req, res) => {
  const { email, password } = req.body
  const theUser = users.find(user => user.email === email)

  if (!theUser) {
    res.status(404).send({
      success: false,
      message: `Could not find account: ${email}`,
    })
    return
  }

  const match = await bcrypt.compare(password, theUser.password)
  if (!match) {
    //return error to user to let them know the password is incorrect
    res.status(401).send({
      success: false,
      message: 'Incorrect credentials',
    })
    return
  }

  const token = jwt.sign(
    { email: theUser.email, id: theUser.id },
    SECRET_KEY,
  )

  res.send({
    success: true,
    token: token,
  })
})

I can now start the Express app:

app.listen(3000, () =>
  console.log('Server listening on port 3000')
)

The private area

At this point client-side I add the token to the cookies and moves to the /private-area URL.

What’s in that URL? Nothing! Let’s add a component to handle that, in src/PrivateArea.js:

import React from 'react'

const PrivateArea = () => {
  return (
    <div>
      Private area!
    </div>
  )
}

export default PrivateArea

In index.js, we can add this to the app:

import React from 'react'
import ReactDOM from 'react-dom'
import { Router } from '@reach/router'
import Form from './Form'
import PrivateArea from './PrivateArea'

ReactDOM.render(
  <Router>
    <Form path="/" />
    <PrivateArea path="/private-area" />
  </Router>
  document.getElementById('root')
)

I use the nice js-cookie library to work easily with cookies. Using it I check if there’s the token in the cookies. If not, just go back to the login form:

import React from 'react'
import Cookies from 'js-cookie'
import { navigate } from '@reach/router'

const PrivateArea = () => {
  if (!Cookies.get('token')) {
    navigate('/')
  }

  return (
    <div>
      Private area!
    </div>
  )
}

export default PrivateArea

Now in theory we’re all good to go and use the GraphQL API! But we have no such thing yet. Let’s make that thing.

The GraphQL API

Server-side I do everything in a single file. It’s not that big, as we have little things in place.

I add this to the top of the file:

const {
  ApolloServer,
  gql,
  AuthenticationError,
} = require('apollo-server-express')

which gives us all we need to make the Apollo GraphQL server.

I need to define 3 things:

Here’s the schema. I define the User type, which represents what we have in our users object. Then the Todo type, and finally the Query type, which sets what we can directly query: the list of todos.

const typeDefs = gql`
  type User {
    id: ID!
    email: String!
    name: String!
    password: String!
  }

  type Todo {
    id: ID!
    user: Int!
    name: String!
  }

  type Query {
    todos: [Todo]
  }
`

The Query type has one entry, and we need to define a resolver for it. Here it is:

const resolvers = {
  Query: {
    todos: (root, args) => {
      return todos.filter(todo => todo.user === id)
    }
  }
}

Then the context, where we basically verify the token and error out if invalid, and we get the id and email values from it. This is how we know who is talking to the API:

const context = ({ req }) => {
  const token = req.headers.authorization || ''

  try {
    return { id, email } = jwt.verify(token.split(' ')[1], SECRET_KEY)
  } catch (e) {
    throw new AuthenticationError(
      'Authentication token is invalid, please log in',
    )
  }
}

The id and email values are now available inside our resolver(s). That’s where the id value we use above comes from.

We need to add Apollo to Express as a middleware now, and the server side part is finished!

const server = new ApolloServer({ typeDefs, resolvers, context })
server.applyMiddleware({ app })

The Apollo Client

We are ready to initialize our Apollo Client now!

In the client-side index.js file I add those libraries:

import { ApolloClient } from 'apollo-client'
import { createHttpLink } from 'apollo-link-http'
import { InMemoryCache } from 'apollo-cache-inmemory'
import { ApolloProvider } from 'react-apollo'
import { setContext } from 'apollo-link-context'
import { navigate } from '@reach/router'
import Cookies from 'js-cookie'
import gql from 'graphql-tag'

I initialize an HttpLink object that points to the GraphQL API server, listening on port 3000 of localhost, on the /graphql endpoint, and use that to set up the ApolloClient object.

An HttpLink provides us a way to describe how we want to get the result of a GraphQL operation, and what we want to do with the response.

const httpLink = createHttpLink({ uri: 'http://localhost:3000/graphql' })

const authLink = setContext((_, { headers }) => {
  const token = Cookies.get('token')

  return {
    headers: {
      ...headers,
      authorization: `Bearer ${token}`
    }
  }
})

const client = new ApolloClient({
  link: authLink.concat(httpLink),
  cache: new InMemoryCache()
})

If we have a token I navigate to the private area:

if (Cookies.get('token')) {
  navigate('/private-area')
}

and finally I use the ApolloProvider component we imported as a parent component and wrap everything in the app we defined. In this way we can access the client object in any of our child components. In particular the PrivateArea one, very soon!

ReactDOM.render(
  <ApolloProvider client={client}>
    <Router>
      <Form path="/" />
      <PrivateArea path="/private-area" />
    </Router>
  </ApolloProvider>,
  document.getElementById('root')
)

The private area

So we’re at the last step. Now we can finally perform our GraphQL query!

Here’s what we have now:

import React from 'react'
import Cookies from 'js-cookie'
import { navigate } from '@reach/router'

const PrivateArea = () => {
  if (!Cookies.get('token')) {
    navigate('/')
  }

  return (
    <div>
      Private area!
    </div>
  )
}

export default PrivateArea

I’m going to import these 2 items from Apollo:

import { gql } from 'apollo-boost'
import { Query } from 'react-apollo'

and instead of

  return (
    <div>
      Private area!
    </div>
  )

I’m going to use the Query component and pass a GraphQL query. Inside the component body we pass a function that takes an object with 3 properties: loading, error and data.

While the data is not available yet, loading is true and we can add a message to the user. If there’s any error we’ll get it back, but otherwise we’ll get our TO-DO items in the data object and we can iterate over them to render our items to the user!

  return (
    <div>
      <Query
        query={gql`
          {
            todos {
              id
              name
            }
          }
        `}
      >
        {({ loading, error, data }) => {
          if (loading) return <p>Loading...</p>
          if (error) {
            navigate('/')
            return <p></p>
          }
          return <ul>{data.todos.map(item => <li key={item.id}>{item.name}</li>)}</ul>
        }}
      </Query>
    </div>
  )

Now that things are working, I want to change a little bit how the code works and add the use of HTTPOnly cookies. This special kind of cookie is more secure because we can’t access it using JavaScript, and as such it can’t be stolen by 3rd part scripts and used as a target for attacks.

Things are a bit more complex now so I added this at the bottom.

All the code is available on GitHub at https://github.com/flaviocopes/apollo-graphql-client-server-authentication-jwt and all I described up to now is available in this commit.

The code for this last part is available in this separate commit.

First, in the client, in Form.js, instead of adding the token to a cookie, I add a signedin cookie.

Remove this

document.cookie = 'token=' + data.token

and add

document.cookie = 'signedin=true'

Next, in the fetch options we must add

credentials: 'include'

otherwise fetch won’t store in the browser the cookies it gets back from the server.

Now in the PrivateArea.js file we don’t check for the token cookie, but for the signedin cookie:

Remove

if (!Cookies.get('token')) {

and add

if (!Cookies.get('signedin')) {

Let’s go to the server part.

First install the cookie-parser library with npm install cookie-parser and instead of sending back the token to the client:

res.send({
  success: true,
  token: token,
})

Only send this:

res.send({
  success: true
})

We send the JWT token to the user as an HTTPOnly cookie:

res.cookie('jwt', token, {
  httpOnly: true
  //secure: true, //on HTTPS
  //domain: 'example.com', //set your domain
})

(in production set the secure option on HTTPS and also the domain)

Next we need to set the CORS middleware to use cookies, too. Otherwise things will break very soon when we manage the GraphQL data, as cookies just disappear.

Change

app.use(cors())

with

const corsOptions = {
  origin: 'http://localhost:3001', //change with your own client URL
  credentials: true
}


app.use(cors(corsOptions))
app.use(cookieParser())

Back to the client, in index.js we tell Apollo Client to include credentials (cookies) in its requests. Switch:

const httpLink = createHttpLink({ uri: 'http://localhost:3000/graphql' })

with

const httpLink = createHttpLink({ uri: 'http://localhost:3000/graphql', credentials: 'include' })

and remove the authLink definition altogether:

const authLink = setContext((_, { headers }) => {
  const token = Cookies.get('token')

  return {
    headers: {
      ...headers,
      authorization: `Bearer ${token}`
    }
  }
})

as we don’t need it any more. We’ll just pass httpLink to new ApolloClient(), since we don’t need more customized authentication stuff:

const client = new ApolloClient({
  link: httpLink,
  cache: new InMemoryCache()
})

Back to the server for the last piece of the puzzle! Open index.js and in the context function definition, change

const token = req.headers.authorization || ''

with

const token = req.cookies['jwt'] || ''

and disable the Apollo Server built-in CORS handling, since it overwrites the one we already did in Express, change:

const server = new ApolloServer({ typeDefs, resolvers, context })
server.applyMiddleware({ app })

to

const server = new ApolloServer({ typeDefs, resolvers, context,
  cors: false })
server.applyMiddleware({ app, cors: false })

Here is how can I help you: