Authentication mechanism should be configurable

Created on 20 September 2022, about 2 years ago
Updated 29 August 2024, 3 months ago

Problem/Motivation

By default, GraphQL allows all the authentication methods allowed by the system. Due to this, API endpoints are accessible by any authentication method allowed at the system level.

// file: ./graphql/src/RouteProvider.php:
// Allow all authentication providers by default.
$auth = array_keys($this->authenticationCollector->getSortedProviders());

Steps to reproduce

After installation, all authentication mechanisms are allowed, not just the ones that are implemented.

Proposed resolution

Create a config that will:

  1. List all the system-wide authentication methods that are enabled
  2. Allow the user to select the authentication methods she wants. The default should be all methods enabled, to conform to existing functionality

Note: Do we require per-endpoint, API-level authentication? Suggestion: the simpler solution is to allow a superset of all the authentication mechanisms supported by the application. Mapping endpoints to authentication mechanisms in the config may have difficult UX, and future-proofing may be hard.
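As an added example (not code from the GraphQL module), here is how the default-to-all line quoted above could honour the proposed allow-list in plain PHP; the function name, the allow-list shape and the sample provider IDs are assumptions:

```php
<?php
// Added example, not the graphql module's own code: the
// array_keys(...getSortedProviders()) line from the issue, extended to
// honour a configured allow-list while keeping "all providers" as default.
// Assumptions: the allow-list is a plain list of provider IDs supplied by
// whatever config form the issue proposes; provider arrays below are
// constructed sample data, not a live Drupal service.

/**
 * Returns the provider IDs a GraphQL route should accept.
 *
 * @param array $sortedProviders
 *   Providers keyed by ID in priority order, the shape returned by
 *   AuthenticationCollectorInterface::getSortedProviders().
 * @param array|null $allowList
 *   Provider IDs selected in config; NULL or [] keeps current behaviour.
 *
 * @return array
 *   ['providers' => string[], 'unknown' => string[]]
 */
function graphql_allowed_auth(array $sortedProviders, ?array $allowList): array {
  $systemIds = array_keys($sortedProviders);
  if (empty($allowList)) {
    // Default: same as today, every system-level provider.
    return ['providers' => $systemIds, 'unknown' => []];
  }
  // Keep only configured IDs, in the system's priority order, so provider
  // precedence does not depend on how the config was typed in.
  $selected = array_values(array_intersect($systemIds, $allowList));
  // IDs in config that are not installed (module disabled, typo): report
  // them so the admin can see why a method is not accepted.
  $unknown = array_values(array_diff($allowList, $systemIds));
  // An empty $selected fails closed (no provider matches the route); that
  // is safer than falling back to "all", which would reopen this issue.
  return ['providers' => $selected, 'unknown' => $unknown];
}

// Constructed sample: keys mimic provider IDs, ordered by priority.
$providers = [
  'oauth2' => 'simple_oauth provider',
  'basic_auth' => 'basic_auth provider',
  'cookie' => 'core cookie provider',
];

$all = graphql_allowed_auth($providers, NULL);
$restricted = graphql_allowed_auth($providers, ['jwt', 'oauth2']);
printf("default:    %s\n", implode(', ', $all['providers']));
printf("restricted: %s (unknown: %s)\n",
  implode(', ', $restricted['providers']), implode(', ', $restricted['unknown']));
```

With the sample data the default call yields oauth2, basic_auth, cookie, while the restricted call yields only oauth2 and reports jwt as unknown.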

Remaining tasks

User interface changes

API changes

Data model changes

Category: Feature request
Status: Active
Version: 4.0
Component: Code
Created by: krishnan.n (India)
