How to generate the JWT token using Prisma API?
I am using prisma to work with GraphQL. I know there is a way to secure the graphql server using a secret. For example, specifying the secret as
secret: my-secret-42
in prisma.yml and then running prisma deploy
will secure the graphql server, and all subsequent queries will need a JWT token to access it.
I can generate the JWT token using the command
prisma token
which gives me the token, and when I pass it in the headers I can access it. But is there an API that I can use to generate the token, so that I don't have to manually run the prisma token
command on the CLI?
I want javascript to access GraphQL directly through queries. For that I need some form of authentication. Since there will be multiple users using the application, I want to give different tokens to different users. So I am looking for a way, if Prisma has one available, to generate the token using an API.
The service token is a simple JWT token that can easily be created with the service and stage name plus the secret. You can create the token yourself and attach it. Have a look at the actual code the prisma CLI uses:
// From the Prisma CLI (prisma-yml); `jwt` is the jsonwebtoken package
getToken(serviceName: string, stageName: string): string | undefined {
  // `this.secrets` holds the secret(s) configured in prisma.yml
  if (this.secrets) {
    const data = {
      data: {
        service: `${serviceName}@${stageName}`, // e.g. "demo@dev"
        roles: ['admin'],
      },
    }
    // HS256-signed with the first secret; jsonwebtoken adds iat and exp
    return jwt.sign(data, this.secrets[0], {
      expiresIn: '7d',
    })
  }
  return undefined
}
Source: https://github.com/prisma/prisma/blob/master/cli/packages/prisma-yml/src/PrismaDefinition.ts
More about the structure:
Service tokens follow the JSON Web Token (JWT) specification (RFC 7519):
"JSON Web Token (JWT) is a compact, URL-safe means of representing
claims to be transferred between two parties. The claims in a JWT are
encoded as a JSON object that is used as the payload of a JSON Web
Signature (JWS) structure or as the plaintext of a JSON Web Encryption
(JWE) structure, enabling the claims to be digitally signed or
integrity protected with a Message Authentication Code (MAC) and/or
encrypted."
A JWT has the following three components:
Header: The header typically consists of two parts: the type of the
token, which is JWT, and the hashing algorithm being used (which is
HS256 in the case of Prisma service tokens).
{ "alg": "HS256", "typ": "JWT" }
Payload: The payload contains the claims. Claims are statements about
an entity (typically, the user) and additional data. Here is what it
looks like for a service called demo deployed to the dev stage:
{
"data": {
"service": "demo@dev",
"roles": ["admin"]
},
"iat": 1532530208,
"exp": 1533135008
}
Signature: The signature is used to verify the message wasn't changed
along the way. To create the signature part you have to take the
encoded header, the encoded payload, a secret, the algorithm specified
in the header, and sign that. For example if you want to use the HMAC
SHA256 algorithm, the signature will be created in the following way:
HMACSHA256(base64UrlEncode(header) + '.' + base64UrlEncode(payload), secret)
Therefore, a JWT typically looks like this: xxxxx.yyyyy.zzzzz
Source: https://www.prisma.io/docs/prisma-server/authentication-and-security-kke4/#service-token