{"id":17343421,"url":"https://github.com/firesphere/silverstripe-graphql-jwt","last_synced_at":"2025-07-18T16:02:47.980Z","repository":{"id":47165426,"uuid":"95748605","full_name":"Firesphere/silverstripe-graphql-jwt","owner":"Firesphere","description":"JWT Authentication for GraphQL","archived":false,"fork":false,"pushed_at":"2023-10-29T00:54:16.000Z","size":226,"stargazers_count":19,"open_issues_count":13,"forks_count":24,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-06-12T04:46:27.735Z","etag":null,"topics":["anonymous-tokens","authentication","authentication-middleware","cors","graphql","hacktoberfest","headless","jwt","rsa-key","security","signer-key"],"latest_commit_sha":null,"homepage":null,"language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Firesphere.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2017-06-29T07:02:38.000Z","updated_at":"2024-10-08T18:57:33.000Z","dependencies_parsed_at":"2022-08-29T19:50:18.949Z","dependency_job_id":"e8942f0f-a6fb-4467-a4a6-452be7e9cf78","html_url":"https://github.com/Firesphere/silverstripe-graphql-jwt","commit_stats":{"total_commits":116,"total_committers":10,"mean_commits":11.6,"dds":0.2586206896551724,"last_synced_commit":"b140adc9583da250ea2e4f704c5c4f5e2ead5524"},"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/Firesphere/silverstripe-graphql-jwt","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Firesphere%2Fsilverstripe-graphql-jwt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Firesphere%2Fsilverstripe-graphql-jwt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Firesphere%2Fsilverstripe-graphql-jwt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Firesphere%2Fsilverstripe-graphql-jwt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Firesphere","download_url":"https://codeload.github.com/Firesphere/silverstripe-graphql-jwt/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Firesphere%2Fsilverstripe-graphql-jwt/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265791393,"owners_count":23829159,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anonymous-tokens","authentication","authentication-middleware","cors","graphql","hacktoberfest","headless","jwt","rsa-key","security","signer-key"],"created_at":"2024-10-15T16:09:20.784Z","updated_at":"2025-07-18T16:02:47.956Z","avatar_url":"https://github.com/Firesphere.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![CircleCI](https://circleci.com/gh/Firesphere/silverstripe-graphql-jwt/tree/master.svg?style=svg)](https://circleci.com/gh/Firesphere/silverstripe-graphql-jwt/tree/master)\n[![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/Firesphere/silverstripe-graphql-jwt/badges/quality-score.png?b=master)](https://scrutinizer-ci.com/g/Firesphere/silverstripe-graphql-jwt/?branch=master)\n[![codecov](https://codecov.io/gh/Firesphere/silverstripe-graphql-jwt/branch/master/graph/badge.svg)](https://codecov.io/gh/Firesphere/silverstripe-graphql-jwt)\n\n# License\n\n[GPL v3 or later](LICENSE.md)\n\n# GraphQL JSON Web Token authenticator\n\nThis module provides a JWT-interface for creating JSON Web Tokens for authentication.\n\n## Installation\n\n```\ncomposer require firesphere/graphql-jwt\n```\n\nThe default config is available in `_config\\config.yml`.\n\nIn order to securely process and store data via JWT,\nyou need to set a secret key in your `.env` file:\n\n```ini\nJWT_SIGNER_KEY=\"[your secret key]\"\n```\nA quick way to generate a secure random value value for `JWT_SIGNER_KEY` is through a PHP CLI command:\n\n```\nphp -r 'echo substr(base64_encode(random_bytes(64)), 0, 64) . \"\\n\";'\n```\n\nYou can also use public/private key files.\n\n```ini\nJWT_SIGNER_KEY=\"./path/to/private.key\"\nJWT_PUBLIC_KEY=\"./path/to/public.key\"\n```\n\nNote: Relative paths will be relative to your BASE_PATH (prefixed with `./`)\n\nCurrently, only RSA keys are supported. ECDSA is not supported. The keys in the test-folder are generated by an online RSA key generator.\n\nThe signer key [for HMAC can be of any length (keys longer than B bytes are first hashed using H). However, less than L bytes is strongly discouraged as it would decrease the security strength of the function.](https://tools.ietf.org/html/rfc2104#section-3). Thus, for SHA-256 the signer key should be between 16 and 64 bytes in length.\n\n**The keys in `tests/keys` should not be trusted!**\n\n## Configuration\n\nSince admin/graphql is reserved exclusively for CMS graphql access, it will be necessary for you to register a custom schema for\nyour front-end application, and apply the provided queries and mutations to that.\n\nFor example, given you've decided to create a schema named `frontend` at the url `/api`\n\n```yml\n---\nName: my-graphql-schema\n---\nSilverStripe\\GraphQL\\Manager:\n  schemas:\n    frontend:\n      types:\n        MemberToken: 'Firesphere\\GraphQLJWT\\Types\\MemberTokenTypeCreator'\n        Member: 'Firesphere\\GraphQLJWT\\Types\\MemberTypeCreator'\n      mutations:\n        createToken: 'Firesphere\\GraphQLJWT\\Mutations\\CreateTokenMutationCreator'\n        refreshToken: 'Firesphere\\GraphQLJWT\\Mutations\\RefreshTokenMutationCreator'\n      queries:\n        validateToken: 'Firesphere\\GraphQLJWT\\Queries\\ValidateTokenQueryCreator'\n---\nName: my-graphql-injections\n---\nSilverStripe\\Core\\Injector\\Injector:\n  SilverStripe\\GraphQL\\Manager.frontend:\n    class: SilverStripe\\GraphQL\\Manager\n    constructor:\n      identifier: frontend\n  SilverStripe\\GraphQL\\Controller.frontend:\n    class: SilverStripe\\GraphQL\\Controller\n    constructor:\n      manager: '%$SilverStripe\\GraphQL\\Manager.frontend'\n---\nName: my-graphql-routes\n---\nSilverStripe\\Control\\Director:\n  rules:\n    api:\n      Controller: '%$SilverStripe\\GraphQL\\Controller.frontend'\n      Stage: Live\n```\n\n\n## Log in\n\nTo generate a JWT token, send a login request to the `createToken` mutator:\n\n```graphql\nmutation {\n  createToken(Email: \"admin\", Password: \"password\") {\n    Token, // ...request or you won't have a token\n    ID,\n    FirstName,\n    Surname\n  }\n}\n```\n\n## Validate token\n\nIf you have an app and want to validate your token, you can address the `validateToken` method:\n\n```graphql\nquery validateToken {\n  validateToken {\n    Valid\n    Message\n    Code\n  }\n}\n```\n\nIt only needs to call the endpoint. The token should be in the header, via your middleware for the request, as a `Authorization: Bearer [token]`. If the token is valid, you'll get a response like this:\n\n```json\n{\n  \"data\": {\n    \"validateToken\": {\n      \"Valid\": true,\n      \"Message\": \"\",\n      \"Code\": 200,\n      \"__typename\": \"ValidateToken\"\n    }\n  }\n}\n```\n\nIf the token is invalid, `Valid` will be `false`.\n\n## Anonymous tokens\n\nAlthough not advised, it's possible to use anonymous tokens. When using an anonymous authenticator, SilverStripe\nwill generate a default database record in the Members table with the Email `anonymous` and no permissions by default. \n\nTo enable anonymous tokens, add the following to your configuration `.yml`:\n\n```yaml\nSilverStripe\\Core\\Injector\\Injector:\n  Firesphere\\GraphQLJWT\\Mutations\\CreateTokenMutationCreator:\n    properties:\n      CustomAuthenticators:\n        - Firesphere\\GraphQLJWT\\Authentication\\AnonymousUserAuthenticator\n```\n\nYou can then create an anonymous login with the below query.\n\n```graphql\nmutation {\n  createToken(Email: \"anonymous\") {\n    Token\n  }\n}\n```\n\nNote: If the default anonymous authenticator doesn't suit your purposes, you can inject any other\ncore SilverStripe authenticator into `CustomAuthenticators`.\n\nWarning: The default `AnonymousUserAuthenticator` is not appropriate for general usage, so don't\nregister this under the core `Security` class!\n\n## Enable CORS\n\nTo use JWT, CORS needs to be enabled. This can be done by adding the following to your configuration `.yml`:\n\n```yaml\nSilverStripe\\GraphQL\\Controller:\n  cors:\n    Enabled: true\n    Allow-Origin: \"*\"\n    Allow-Headers: \"Authorization, Content-Type\"\n    Allow-Methods: \"GET, POST, OPTIONS\"\n    Max-Age: 86400 # ...in seconds\n```\n\n## Usage\n\nAfter logging in, you will receive a token which can be used for further requests. This token should be in the header of the request with the `Bearer` as signature:\n\n```\nAuthorization: Bearer [token]\n```\n\n## Prefix\n\nA prefix can be optionally associated with the unique identifier of a JWT record.\nThis can make it easier to distinguish JWT records created in different contexts,\ne.g. on a specific domain or environment type. It is not required for security purposes.\n\n```\nJWT_PREFIX=\"[your secret prefix]\"\n```\n\n## Security\n\nCurrently, the default method for encrypting the JWT is with SHA256. JWT is signed with multiple factors; including the host, audience (app/remote user), a secret key and a timeframe within which the token is valid. Only one device can be logged in at the time.\n\n## Supported services\n\nBy default, JWT only supports login. As it's tokens can not be disabled, nor used for password changes or resets.\n\n## Caveats\n\nWhen using php under CGI/FastCGI mode with Apache, the `Authorization` header might not work correctly, see [issue#15](https://github.com/Firesphere/silverstripe-graphql-jwt/issues/15). The workaround is simple, just add `SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0` in your `.htaccess` file ([refer](http://php.net/manual/en/features.http-auth.php#114877)).\n\n## Examples\n\nA Postman collection can be found in the `extra` folder.\n\n# Cow?\n\nOf course!\n\n```\n               /( ,,,,, )\\\n              _\\,;;;;;;;,/_\n           .-\"; ;;;;;;;;; ;\"-.\n           '.__/`_ / \\ _`\\__.'\n              | (')| |(') |\n              | .--' '--. |\n              |/ o     o \\|\n              |           |\n             / \\ _..=.._ / \\\n            /:. '._____.'   \\\n           ;::'    / \\      .;\n           |     _|_ _|_   ::|\n         .-|     '==o=='    '|-.\n        /  |  . /       \\    |  \\\n        |  | ::|         |   | .|\n        |  (  ')         (.  )::|\n        |: |   |;  U U  ;|:: | `|\n        |' |   | \\ U U / |'  |  |\n        ##V|   |_/`\"\"\"`\\_|   |V##\n           ##V##         ##V##\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffiresphere%2Fsilverstripe-graphql-jwt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffiresphere%2Fsilverstripe-graphql-jwt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffiresphere%2Fsilverstripe-graphql-jwt/lists"}