@graphql-yoga/plugin-jwt

3.6.1

Patch Changes

• Updated dependencies [fbf328c]:
  • graphql-yoga@5.12.1

3.6.0

Patch Changes

• Updated dependencies [96498ee, 5150146, 5150146]:
  • graphql-yoga@5.12.0

3.5.0

Patch Changes

• Updated dependencies [5fd15b8, d13b8a4]:
  • graphql-yoga@5.11.0

3.4.13

Patch Changes

• Updated dependencies [1c055f5]:
  • graphql-yoga@5.10.11

3.4.12

Patch Changes

• #3677  7419797 Thanks @ardatan ! - Ensure the JWT context has been added before any GraphQL Execution hooks when the plugin is used via Yoga

3.4.11

Patch Changes

• Updated dependencies []:
  • graphql-yoga@5.10.10

3.4.10

Patch Changes

• Updated dependencies [d24c5d5, d24c5d5]:
  • graphql-yoga@5.10.9

3.4.9

Patch Changes

• #3590  840c6ae Thanks @ardatan ! - - Do not throw when `request` is not available in the context, it can be a WebSockets connection

  • Export helper extractFromConnectionParams to get the token from WebSocket connectionParams when GraphQL WS is used like here 

  import { extractFromConnectionParams, extractFromHeader, useJWT } from '@graphql-yoga/plugin-jwt'
   
  const yoga = createYoga({
    // ...
    plugins: [
      useJWT({
        // So it will look for the token in the connectionParams.my-token field in case of a WebSockets connection
        // It will check WS params and headers, and get the available one
        lookupLocations: [
          extractFromConnectionParams({ name: 'my-token' }),
          extractFromHeader({ name: 'authorization', prefix: 'Bearer ' })
        ]
      })
    ]
  })

3.4.8

Patch Changes

• Updated dependencies [ed344ea]:
  • graphql-yoga@5.10.8

3.4.7

Patch Changes

• Updated dependencies [8fee214, 1df4912]:
  • graphql-yoga@5.10.7

3.4.6

Patch Changes

• Updated dependencies [121ccba]:
  • graphql-yoga@5.10.6

3.4.5

Patch Changes

• #3532  57e7701 Thanks @ardatan ! - dependencies updates:
  • Updated dependency graphql@^15.2.0 || ^16.0.0 ↗︎ (from ^16.5.0, in peerDependencies)
• Updated dependencies [eca7cd1, 05fe345]:
  • graphql-yoga@5.10.5

3.4.4

Patch Changes

• Updated dependencies [944ecd5]:
  • graphql-yoga@5.10.4

3.4.3

Patch Changes

• Updated dependencies [c93366d, c93366d]:
  • graphql-yoga@5.10.3

3.4.2

Patch Changes

• Updated dependencies [7a413bc, 7a413bc]:
  • graphql-yoga@5.10.2

3.4.1

Patch Changes

• #3479  20cd9b6 Thanks @ardatan ! - dependencies updates:
  • Updated dependency @whatwg-node/server-plugin-cookies@^1.0.3 ↗︎ (from 1.0.2, in dependencies)
• Updated dependencies [20cd9b6]:
  • graphql-yoga@5.10.1

3.4.0

Patch Changes

• Updated dependencies [f81501c]:
  • graphql-yoga@5.10.0

3.3.0

Patch Changes

• #3426  076d25c Thanks @EmrysMyrddin ! - Fix typo of the option singingKeyProviders => signingKeyProviders.

• Updated dependencies [2523d9f, 87ee333]:

  • graphql-yoga@5.9.0

3.2.0

Patch Changes

• Updated dependencies [18fe916, 6bb19ed]:
  • graphql-yoga@5.8.0

3.1.0

Patch Changes

• Updated dependencies [5dae4ab, 5dae4ab, 5dae4ab, 5dae4ab]:
  • graphql-yoga@5.7.0

3.0.2

Patch Changes

• Updated dependencies [0866c1b]:
  • graphql-yoga@5.6.3

3.0.1

Patch Changes

• Updated dependencies [b7bf47b, 81a736b]:
  • graphql-yoga@5.6.2

3.0.0

Major Changes

• #3366  057ad06 Thanks @dotansimha ! - Re-write for the JWT plugin. This plugin can be configured now with multiple providers, lookup locations, token verification, and more.

  The version has better version coverage, and it provides an improved API for configuring provider and custom behaviors.

  Breaking Change: New Plugin Configuration

  Signing key providers

  ❌ The signingKey option has be removed. ❌ The jwksUri + jwksOpts options has been removed. ✅ Multiple signing key providers and support for fallbacks (singingKeyProviders[]). ✅ Improved API for defining signing key configuration. ✅ Better defaults for caching and rate-limiting for remote JWKS providers.

  Before

  useJWT({
    signingKey: "...",
    // or
    jwksUri: "http://example.com/..."
    jwksOpts: {
      // ...
    }
  })

  After

  import {
    createInlineSigningKeyProvider,
    createRemoteJwksSigningKeyProvider,
    useJWT
  } from '@graphql-yoga/plugin-jwt'
   
  useJWT({
    // Pass one or more providers
    singingKeyProviders: [
      createRemoteJwksSigningKeyProvider({
        // ...
      })
      // This one also acts as a fallback in case of a fetching issue with the 1st provider
      createInlineSigningKeyProvider({ signingKey: "..."})
    ]
  })

  Improved Token Lookup

  ❌ Removed getToken option from the root config. ✅ Added support for autmatically extracting the JWT token from cookie or header. ✅ Easier setup for extracting from multiple locations. ✅ getToken is still available for advanced use-cases, you can pass a custom function to lookupLocations.

  Before

  useJWT({
    getToken: payload => payload.request.headers.get('...')
  })

  After

  With built-in extractors:

  imoprt { extractFromHeader, extractFromCookie, useJWT } from '@graphql-yoga/plugin-jwt'
   
  const yoga = createYoga({
    // ...
    plugins: [
      useCookies(), // Required if "extractFromCookie" is used.
      useJWT({
        lookupLocations: [
          extractFromHeader({ name: 'authorization', prefix: 'Bearer' }),
          extractFromHeader({ name: 'x-legacy-auth' }),
          extractFromHeader({ name: 'x-api-key', prefix: 'API-Access' }),
          extractFromCookie({ name: 'browserAuth' })
        ]
      })
    ]
  })

  With a custom getToken:

  useJWT({
    lookupLocations: [payload => payload.request.headers.get('...')]
  })

  Improved Verification Options

  ❌ Removed root-level config algorithms + audience + issuer flags. ✅ Easy API for customizing token verifications (based on jsonwebtoken library). ✅ Better defaults for token algorithm verification (before: RS256, after: RS256 and HS256)

  Before

  useJWT({
    algorithms: ['RS256'],
    audience: 'my.app',
    issuer: 'http://my-issuer'
  })

  After

  useJWT({
    tokenVerification: {
      algorithms: ['RS256', 'HS256'],
      audience: 'my.app',
      issuer: 'http://my-issuer'
      // You can pass more options to `jsonwebtoken.verify("...", options)` here
    }
  })

  Customized Token Rejection

  ✅ New config flag reject: { ... } for configuring how to handle a missing or invalid tokens (enbaled by default).

  useJWT({
    reject: {
      missingToken: true,
      invalidToken: true
    }
  })

  Flexible Context Injection

  ❌ Removed root-level config extendContextField flags. ✅ Added root-level config extendContext (boolean / string) ✅ Token and payload are injected now to the context (structure: { payload: {}, token: { value, prefix }})

  Before

  useJWT({
    reject: {
      extendContextField: true
    }
  })

  After

  // Can be a boolean. By default injects to "context.jwt" field
  useJWT({
    reject: {
      extendContext: true
    }
  })
   
  // Or an object to customize the field name
  useJWT({
    reject: {
      extendContext: 'myJwt'
    }
  })

Patch Changes

• #3366  057ad06 Thanks @dotansimha ! - dependencies updates:
  • Added dependency @whatwg-node/server-plugin-cookies@1.0.2 ↗︎ (to dependencies)
• Updated dependencies [4252e3d]:
  • graphql-yoga@5.6.1

2.6.0

Patch Changes

• Updated dependencies [9f3f945]:
  • graphql-yoga@5.6.0

2.5.0

Patch Changes

• Updated dependencies [0208024]:
  • graphql-yoga@5.5.0

2.4.0

Minor Changes

• #3182  8663e78 Thanks @bgentry ! - Add the possibility to customize JwksClient options

• #3275  25886fa Thanks @EmrysMyrddin ! - Update type to allow passing every jsonwebtoken.verify options

Patch Changes

• #3300  fdd902c Thanks @EmrysMyrddin ! - dependencies updates:
  • Updated dependency graphql-yoga@workspace:^ ↗︎ (from ^5.3.1, in peerDependencies)
• Updated dependencies [4cd43b9, fdd902c, d5dfe99, 7335a82, f9aa1cd]:
  • graphql-yoga@5.4.0

2.3.1

Patch Changes

• Updated dependencies [3324bbab, 3324bbab]:
  • graphql-yoga@5.3.1

2.3.0

Patch Changes

• Updated dependencies [f775b341, f775b341, f89a1aa2]:
  • graphql-yoga@5.3.0

2.2.0

Patch Changes

• Updated dependencies [71db7548, 71db7548]:
  • graphql-yoga@5.2.0

2.1.2

Patch Changes

• Updated dependencies [3ef877a7]:
  • graphql-yoga@5.1.1

2.1.1

Patch Changes

• #3149  b9d2afcc Thanks @EmrysMyrddin ! - Fix unauthorized error resulting in an response with 500 status or in a server crash (depending on actual HTTP server implementation used).

2.1.0

Patch Changes

• Updated dependencies [b1f0e3a2]:
  • graphql-yoga@5.1.0

2.0.2

Patch Changes

• Updated dependencies [77d107fe]:
  • graphql-yoga@5.0.2

2.0.1

Patch Changes

• Updated dependencies [3fea19f2]:
  • graphql-yoga@5.0.1

2.0.0

Major Changes

• #3063  01430e03 Thanks @EmrysMyrddin ! - Breaking Change: Drop support of Node.js 16

Patch Changes

• Updated dependencies [01430e03, 5b615478, 350bb851]:
  • graphql-yoga@5.0.0

1.1.0

Minor Changes

• #3029  2d0cd188 Thanks @EmrysMyrddin ! - Allow getToken to return a promise.

Patch Changes

• Updated dependencies [bf602edf]:
  • graphql-yoga@4.0.5

1.0.1

Patch Changes

• Updated dependencies [5f182006]:
  • graphql-yoga@4.0.4

1.0.0

Major Changes

• #1921  43771514 Thanks @ardatan ! - New Generic JWT Plugin

Patch Changes

• #2933  cb47a72c Thanks @renovate ! - dependencies updates:

  • Updated dependency jsonwebtoken@^9.0.0 ↗︎ (from ^8.5.1, in dependencies)

• #2935  1c89cfd5 Thanks @renovate ! - dependencies updates:

  • Updated dependency jwks-rsa@^3.0.0 ↗︎ (from ^2.1.5, in dependencies)