Authorized queries with Apollo in Next.js application

Question

I'm working on a PWA developed with Next.js that has to read data from a Wordpress site and I'm pretty new to these technologies.

I have these Wordpress plugins installed:

• WPGraphQL
• WPGraphQL CORS
• WPGraphQL JWT Authentication

Specifically, the problem occurs in the initial "login form". This form requires the insertion of only an alphanumeric ID (not username/password). Upon submitting the form, a GraphQL query is run to the Wordpress endpoint using the ID in the "where" parameter of the query. Something like:

const GET_USER = gql`
    query getTicket($ticketId: String) {
        tickets(where: {ticketId: $ticketId}) {
            nodes {
                Ticket {
                    email
                    firstName
                    lastName
                    ticketId
                }
            }
        }
    }
`;

There is no problem with publicly accessible data, everything works. On the other hand, if I have to request private data (eg user email), I need to run an authenticated/authorized query (Authorization: Bearer <token_here>).

I know that in WPGraphQL JWT Authentication there are 2 tokens:

• authToken: duration of 5 minutes and then you need to use the refreshToken to generate another one
• refreshToken: 1 year duration

Considering that I do not require the user to enter a username / password in order to perform a mutation Login that allows to generate the tokens, what method can I use? Is there anything like a fixed token with no expiration (that would probably be a security flaw)?

Thanks

Answer 1

I would recommend never use a token with no expiry limits, the best practice is to expire token after every 15 minutes and refresh the token.

Checkout this link you can see different methods for having authentication with graphql & apollo server .