Apollo Server 2 + Auth0

So I have an app that logs me in via Auth0 and saves a jwt token in a cookie.

I also have an Apollo Server 2 that retrieves the data. How do I secure the Apollo Server and only return data if the user is logged in and verified by the Auth0 server?

The code below comes right from https://www.apollographql.com, but what I don't understand is how to handle getUser(token) below to actually check for a valid JWT in the Authorization header, and if present, the user will be allowed to access protected resources?

// using apollo-server 2.x
const { ApolloServer } = require('apollo-server');

const server = new ApolloServer({
  typeDefs,
  resolvers,
  context: ({ req }) => {
    // get the user token from the headers
    const token = req.headers.authorization || '';

    // try to retrieve a user with the token
    const user = getUser(token);

    // add the user to the context
    return { user };
  },
});

server.listen().then(({ url }) => {
  console.log(`🚀 Server ready at ${url}`);
});

getUser is the method that returns your user with the given token. You might need to write that method yourself or use OAuth's getUser method.

After getting the user object, you're returning it, so now you have access to the user object in your resolvers. In your resolver method, the third parameter is your context object. You can access the user object there. If you want to protect that resolver so that it is only allowed for logged-in users, you can throw an error if user is null or undefined.

For example:

import { AuthenticationError } from 'apollo-server';

export const resolvers = {
  Query: {
    // `user` is whatever the context function returned for this request
    Me: (parent, args, { user }) => {
      // throw (rather than return) so Apollo reports it as an UNAUTHENTICATED error
      if (!user) throw new AuthenticationError('Not Logged In!');
      return user;
    },
  },
};
