Skip to content

feat(router): jwt auth #455

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 15, 2025
Merged

feat(router): jwt auth #455

merged 1 commit into from
Oct 15, 2025

Conversation

@dotansimha
Copy link
Member

@dotansimha dotansimha commented Sep 27, 2025
edited
Loading

Closes #314
Closes #457
Fixes #458
Closes #452 (because it's using it)

Overview

This PR introduces a JWT authentication flow. The following are supported:

  • Multiple JWKS that can be loaded from a local file or remote JWKS set
  • JWT token lookup based on HTTP header (with prefix validation), or HTTP Cookie (default: Authorization: Bearer XYZ)
  • Issuer/audeince validation
  • Multiple algorithm support
  • Expiration validation
  • Enforce token validation (default: false)
  • Error handling and standard rejection in case of error

In addition, this PR have some required changes and bug fixes:

  • Easy setup to register and run async background tasks
  • Config file will now automatically resolve paths mentioned (supergraph, jwks file) relative to the config file path.
  • Added e2e tests setup and a testkit and allow us to simplify the testing of different features in e2e testing that's based on a config file + gql operation
  • Added a mechanism to store and modify per-request context (using req.extensions)

TODO

  • figure out background tasks
  • figure out per-request context
  • jwks fetching
  • prefetching jwks
  • decode jwt
  • jwt validation
  • error handling
  • context injection of token and payloads
  • forwarding
  • e2e testing

@github-actions
Copy link

github-actions bot commented Sep 29, 2025
edited
Loading

k6-benchmark results

     ✓ response code was 200
     ✓ no graphql errors
     ✓ valid response structure

     █ setup

     checks.........................: 100.00% ✓ 217722      ✗ 0    
     data_received..................: 6.4 GB  212 MB/s
     data_sent......................: 85 MB   2.8 MB/s
     http_req_blocked...............: avg=2.87µs   min=661ns   med=1.68µs  max=5.45ms   p(90)=2.52µs  p(95)=3µs     
     http_req_connecting............: avg=346ns    min=0s      med=0s      max=1.32ms   p(90)=0s      p(95)=0s      
     http_req_duration..............: avg=20.23ms  min=2.12ms  med=19.16ms max=211.8ms  p(90)=27.84ms p(95)=31.27ms 
       { expected_response:true }...: avg=20.23ms  min=2.12ms  med=19.16ms max=211.8ms  p(90)=27.84ms p(95)=31.27ms 
     http_req_failed................: 0.00%   ✓ 0           ✗ 72594
     http_req_receiving.............: avg=184.37µs min=27.07µs med=41.32µs max=174.02ms p(90)=90.75µs p(95)=406.74µs
     http_req_sending...............: avg=25.53µs  min=5.92µs  med=10.7µs  max=26.8ms   p(90)=16.87µs p(95)=28.19µs 
     http_req_tls_handshaking.......: avg=0s       min=0s      med=0s      max=0s       p(90)=0s      p(95)=0s      
     http_req_waiting...............: avg=20.02ms  min=2.05ms  med=19.02ms max=54.6ms   p(90)=27.57ms p(95)=30.93ms 
     http_reqs......................: 72594   2414.649417/s
     iteration_duration.............: avg=20.66ms  min=5.93ms  med=19.51ms max=263.27ms p(90)=28.3ms  p(95)=31.81ms 
     iterations.....................: 72574   2413.984169/s
     vus............................: 50      min=50        max=50 
     vus_max........................: 50      min=50        max=50

@dotansimha dotansimha marked this pull request as ready for review September 29, 2025 09:55
@github-actions
Copy link

github-actions bot commented Sep 29, 2025
edited
Loading

🐋 This PR was built and pushed to the following Docker images:

Image Names: ghcr.io/graphql-hive/router

Platforms: linux/amd64,linux/arm64

Image Tags: ghcr.io/graphql-hive/router:pr-455 ghcr.io/graphql-hive/router:sha-327596f

Docker metadata 
{
"buildx.build.ref": "builder-8b14df8d-2f72-40eb-9993-1094ee277491/builder-8b14df8d-2f72-40eb-9993-1094ee2774910/9nzao1gtcml95x8uniorok2k9",
"containerimage.descriptor": {
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "digest": "sha256:8e0261ffed54c5662fd958af88c1a9582f1e080a591000080da1d99549539d51",
  "size": 1609
},
"containerimage.digest": "sha256:8e0261ffed54c5662fd958af88c1a9582f1e080a591000080da1d99549539d51",
"image.name": "ghcr.io/graphql-hive/router:pr-455,ghcr.io/graphql-hive/router:sha-327596f"
}

ardatan
ardatan reviewed Sep 29, 2025
View reviewed changes
ardatan
ardatan reviewed Sep 29, 2025
View reviewed changes
@ardatan ardatan mentioned this pull request Oct 9, 2025
Closed
ardatan
ardatan reviewed Oct 12, 2025
View reviewed changes
@dotansimha dotansimha force-pushed the jwks branch 3 times, most recently from c0f8238 to 1f1ba45 Compare October 15, 2025 08:21
@dotansimha
feat(router): added a simple wrapper around background tasks
d8505be 
feat(router): added a mechanism to store per-request context using req.extensions
feat(router): jwt authentication config
feat(config): added jwt config
fix(config): load references files relative to the config directory, or current if not specified
chore: added e2e test setup and testkit

ok getting there

fix clippy

fixes

fix docs

added forwarding testing
@dotansimha dotansimha merged commit ad86b4f into main Oct 15, 2025
18 checks passed
@dotansimha dotansimha deleted the jwks branch October 15, 2025 11:28
@theguild-bot theguild-bot mentioned this pull request Oct 15, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ardatan ardatan ardatan approved these changes

@kamilkisiela kamilkisiela Awaiting requested review from kamilkisiela

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

2 participants

@dotansimha @ardatan