Abandoned; superseded by [firesphere/graphql-jwt](/?search=firesphere%2Fgraphql-jwt). Package type: silverstripe-vendormodule. Category: [Authentication & Authorization](/categories/authentication).

firesphere/silverstripe-graphql-jwt
===================================

JWT Authentication for GraphQL

Version 1.1.0 (released 8 years ago) · BSD-3-Clause · PHP >=5.6 · CI failing · [9 issues](https://github.com/Firesphere/silverstripe-graphql-jwt/issues) · [4 PRs](https://github.com/Firesphere/silverstripe-graphql-jwt/pulls)

Since Jul 23; last pushed 2 years ago; 6 watchers.

[Source](https://github.com/Firesphere/silverstripe-graphql-jwt) · [Packagist](https://packagist.org/packages/firesphere/silverstripe-graphql-jwt) · [RSS](/packages/firesphere-silverstripe-graphql-jwt/feed) · branch master, synced 4 weeks ago


License
=======


[GPL v3 or later](LICENSE.md)

GraphQL JSON Web Token authenticator
====================================


This module provides a JWT interface for SilverStripe's GraphQL layer: it issues, refreshes and validates JSON Web Tokens used to authenticate API requests.

Installation
------------


```
composer require firesphere/graphql-jwt
```

The default config is available in `_config/config.yml`.

In order to sign and verify tokens securely, you need to set a secret key in your `.env` file:

```
JWT_SIGNER_KEY="[your secret key]"
```

A quick way to generate a secure random value for `JWT_SIGNER_KEY` is with a PHP one-liner on the command line:

```
php -r 'echo substr(base64_encode(random_bytes(64)), 0, 64) . "\n";'
```

Alternatively, you can use a public/private key pair stored in files:

```
JWT_SIGNER_KEY="./path/to/private.key"
JWT_PUBLIC_KEY="./path/to/public.key"
```

Note: Relative paths (prefixed with `./`) are resolved relative to your BASE_PATH.

Currently, only RSA keys are supported. ECDSA is not supported. The keys in the test-folder are generated by an online RSA key generator.

For HMAC, the signer key [can be of any length (keys longer than B bytes are first hashed using H). However, less than L bytes is strongly discouraged as it would decrease the security strength of the function](https://tools.ietf.org/html/rfc2104#section-3), where B is the hash function's block size and L is its output length. Thus, for SHA-256 the signer key should be between 16 and 64 bytes in length.

**The keys in `tests/keys` should not be trusted!**

Configuration
-------------


Since admin/graphql is reserved exclusively for CMS graphql access, it will be necessary for you to register a custom schema for your front-end application, and apply the provided queries and mutations to that.

For example, given you've decided to create a schema named `frontend` served at the URL `/api`, the configuration would be:

```
---
Name: my-graphql-schema
---
SilverStripe\GraphQL\Manager:
  schemas:
    frontend:
      types:
        MemberToken: 'Firesphere\GraphQLJWT\Types\MemberTokenTypeCreator'
        Member: 'Firesphere\GraphQLJWT\Types\MemberTypeCreator'
      mutations:
        createToken: 'Firesphere\GraphQLJWT\Mutations\CreateTokenMutationCreator'
        refreshToken: 'Firesphere\GraphQLJWT\Mutations\RefreshTokenMutationCreator'
      queries:
        validateToken: 'Firesphere\GraphQLJWT\Queries\ValidateTokenQueryCreator'
---
Name: my-graphql-injections
---
SilverStripe\Core\Injector\Injector:
  SilverStripe\GraphQL\Manager.frontend:
    class: SilverStripe\GraphQL\Manager
    constructor:
      identifier: frontend
  SilverStripe\GraphQL\Controller.frontend:
    class: SilverStripe\GraphQL\Controller
    constructor:
      manager: '%$SilverStripe\GraphQL\Manager.frontend'
---
Name: my-graphql-routes
---
SilverStripe\Control\Director:
  rules:
    api:
      Controller: '%$SilverStripe\GraphQL\Controller.frontend'
      Stage: Live
```

Log in
------


To generate a JWT, send a login request to the `createToken` mutation:

```
mutation {
  createToken(Email: "admin", Password: "password") {
    Token # request this field, or you won't get a token back
    ID
    FirstName
    Surname
  }
}
```

Validate token
--------------


If your app needs to check whether a token is still valid, call the `validateToken` query:

```
query validateToken {
  validateToken {
    Valid
    Message
    Code
  }
}
```

The query takes no arguments; the token is read from the request's `Authorization: Bearer [token]` header, which your client's request middleware must set. If the token is valid, you'll get a response like this:

```
{
  "data": {
    "validateToken": {
      "Valid": true,
      "Message": "",
      "Code": 200,
      "__typename": "ValidateToken"
    }
  }
}
```

If the token is invalid, `Valid` will be `false`.

Anonymous tokens
----------------


Although not advised, it's possible to use anonymous tokens. When using an anonymous authenticator, SilverStripe will generate a default database record in the Members table with the Email `anonymous` and no permissions by default.

To enable anonymous tokens, add the following to your configuration `.yml`:

```
SilverStripe\Core\Injector\Injector:
  Firesphere\GraphQLJWT\Mutations\CreateTokenMutationCreator:
    properties:
      CustomAuthenticators:
        - Firesphere\GraphQLJWT\Authentication\AnonymousUserAuthenticator
```

You can then create an anonymous login with the mutation below.

```
mutation {
  createToken(Email: "anonymous") {
    Token
  }
}
```

Note: If the default anonymous authenticator doesn't suit your purposes, you can inject any other core SilverStripe authenticator into `CustomAuthenticators`.

Warning: The default `AnonymousUserAuthenticator` is not appropriate for general usage, so don't register this under the core `Security` class!

Enable CORS
-----------


To use JWT from a browser front-end served on a different origin, CORS needs to be enabled. This can be done by adding the following to your configuration `.yml` (in production, replace the wildcard `Allow-Origin` with your front-end's actual origin):

```
SilverStripe\GraphQL\Controller:
  cors:
    Enabled: true
    Allow-Origin: "*"
    Allow-Headers: "Authorization, Content-Type"
    Allow-Methods: "GET, POST, OPTIONS"
    Max-Age: 86400 # ...in seconds
```

Usage
-----


After logging in, you will receive a token which can be used for further requests. Send it in the `Authorization` header of each request using the `Bearer` scheme:

```
Authorization: Bearer [token]
```

Prefix
------


A prefix can be optionally associated with the unique identifier of a JWT record. This can make it easier to distinguish JWT records created in different contexts, e.g. on a specific domain or environment type. It is not required for security purposes.

```
JWT_PREFIX="[your secret prefix]"
```

Security
--------


Currently, the default algorithm for signing the JWT is HMAC with SHA-256. The signature covers several factors: the host, the audience (app/remote user) and a timeframe within which the token is valid, and it is produced with the secret key. Only one device can be logged in at a time.
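The following is an added, stand-alone illustration of the mechanics the key-length guidance above and this section describe; it is not the module's code and does not use SilverStripe. It mints an HS256 token whose claims carry the issuer (host), audience and validity window, verifies it with a constant-time HMAC comparison before any claim is trusted, and refuses signer keys shorter than the hash output length L from RFC 2104. The `Valid`/`Message`/`Code` dictionary it returns mimics the shape of the module's `validateToken` response only for readability; the claim names, the `generate_signer_key` helper (the same recipe as the README's `php -r` one-liner) and the single-device rule, which is not modelled here because it needs server-side state, are assumptions of this example.

```python
"""Added example: HS256 JWT mint/verify with RFC 2104 key-length enforcement (not the module's code)."""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

_HASH = hashlib.sha256
_MIN_KEY_BYTES = _HASH().digest_size  # L = 32 bytes for SHA-256 (RFC 2104 section 3 floor)
_MAX_KEY_BYTES = _HASH().block_size   # B = 64 bytes; longer keys are hashed down by HMAC itself


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_signer_key() -> str:
    """64 base64 characters of OS randomness, like the README's php -r one-liner (assumed equivalent)."""
    return base64.b64encode(os.urandom(64))[:64].decode("ascii")


def check_signer_key(key: bytes) -> None:
    """Reject HMAC keys shorter than the hash output length; anything longer than B is fine."""
    if len(key) < _MIN_KEY_BYTES:
        raise ValueError(f"JWT_SIGNER_KEY must be at least {_MIN_KEY_BYTES} bytes for HS256")


def create_token(key: bytes, issuer: str, audience: str, subject: str,
                 lifetime: int, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT whose claims bind issuer (host), audience, subject and a validity window."""
    check_signer_key(key)
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "sub": subject, "iat": now, "exp": now + lifetime}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = f"{_b64url(compact(header))}.{_b64url(compact(claims))}"
    signature = hmac.new(key, signing_input.encode("ascii"), _HASH).digest()
    return f"{signing_input}.{_b64url(signature)}"


def validate_token(key: bytes, token: str, issuer: str, audience: str,
                   now: Optional[int] = None) -> dict:
    """Verify signature first, then claims; result mimics the shape of the module's validateToken response."""
    now = int(time.time()) if now is None else now
    rejected = lambda msg: {"Valid": False, "Message": msg, "Code": 401}
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return rejected("Malformed token")
    # Authenticate the untrusted input before parsing any of it.
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), _HASH).digest()
    if not hmac.compare_digest(expected, signature):
        return rejected("Invalid signature")
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:
        return rejected("Malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        return rejected("Unexpected algorithm")
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return rejected("Wrong issuer or audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return rejected("Token expired")
    return {"Valid": True, "Message": "", "Code": 200}


if __name__ == "__main__":
    # Constructed demo: a 32-byte key, a one-hour token, then checks at two points in time.
    demo_key = b"k" * 32
    t0 = 1_700_000_000
    tok = create_token(demo_key, "https://example.test", "frontend", "admin", 3600, now=t0)
    print(validate_token(demo_key, tok, "https://example.test", "frontend", now=t0 + 10))
    print(validate_token(demo_key, tok, "https://example.test", "frontend", now=t0 + 3600))
```

Verifying the signature before decoding the JSON means a tampered token is rejected with the same message whether the attacker edited the payload or the signature, and the `alg` header is checked against the one algorithm the verifier accepts rather than trusted as an instruction.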

Supported services
------------------


By default, JWT only supports login: its tokens cannot be revoked, nor used for password changes or resets.

Caveats
-------


When running PHP under Apache in CGI/FastCGI mode, the `Authorization` header might not reach the application, see [issue#15](https://github.com/Firesphere/silverstripe-graphql-jwt/issues/15). The workaround is to add `SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0` to your `.htaccess` file ([refer](http://php.net/manual/en/features.http-auth.php#114877)), which copies the header into the `HTTP_AUTHORIZATION` environment variable.
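As an added example (not the module's code), the function below shows how a back end can read the bearer token described in the Usage section while tolerating the CGI/FastCGI situation above. It takes a PHP-style `$_SERVER` mapping, constructed inline here, and looks first at `HTTP_AUTHORIZATION` (the variable the `SetEnvIf` workaround populates) and then at `REDIRECT_HTTP_AUTHORIZATION`, the name Apache gives environment variables after an internal redirect such as a `mod_rewrite` rule; the scheme comparison is case-insensitive, and anything that is not a `Bearer` credential with three dot-separated JWT segments is rejected rather than passed on. The mapping keys and sample values are assumptions of this example.

```python
"""Added example: extract a Bearer JWT from a PHP-style $_SERVER mapping (not the module's code)."""
import re
from typing import Mapping, Optional

# Where the header may surface under Apache: the SetEnvIf workaround writes HTTP_AUTHORIZATION;
# an internal redirect (e.g. mod_rewrite front controller) re-exports it as REDIRECT_HTTP_AUTHORIZATION.
_AUTH_KEYS = ("HTTP_AUTHORIZATION", "REDIRECT_HTTP_AUTHORIZATION")

# "Bearer" scheme (case-insensitive per HTTP auth framework), then exactly one compact JWT:
# three base64url segments separated by dots; the signature segment may be empty only syntactically.
_BEARER_RE = re.compile(
    r"^\s*Bearer\s+([A-Za-z0-9\-_=]+\.[A-Za-z0-9\-_=]+\.[A-Za-z0-9\-_=]*)\s*$",
    re.IGNORECASE,
)


def extract_bearer_token(server: Mapping[str, str]) -> Optional[str]:
    """Return the JWT carried in the first populated Authorization source, or None.

    The first non-empty source wins: if a real Authorization header is present but
    malformed (or uses another scheme), we do not fall back to a stale REDIRECT_ copy.
    """
    for key in _AUTH_KEYS:
        value = server.get(key)
        if value:
            match = _BEARER_RE.match(value)
            return match.group(1) if match else None
    return None


# Constructed sample requests (token value is a placeholder, not a real signature).
SAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.c2lnbmF0dXJl"
SAMPLE_SERVERS = {
    "plain": {"HTTP_AUTHORIZATION": f"Bearer {SAMPLE_JWT}"},
    "redirected": {"REDIRECT_HTTP_AUTHORIZATION": f"bearer {SAMPLE_JWT}"},
    "basic": {"HTTP_AUTHORIZATION": "Basic YWRtaW46cGFzc3dvcmQ="},
    "stripped_by_cgi": {"REQUEST_METHOD": "POST"},
    "two_tokens": {"HTTP_AUTHORIZATION": f"Bearer {SAMPLE_JWT} {SAMPLE_JWT}"},
}

if __name__ == "__main__":
    for name, env in SAMPLE_SERVERS.items():
        print(f"{name:16} -> {extract_bearer_token(env)}")
```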

Examples
--------


A Postman collection can be found in the `extra` folder.

Cow?
====


Of course!

```
               /( ,,,,, )\
              _\,;;;;;;;,/_
           .-"; ;;;;;;;;; ;"-.
           '.__/`_ / \ _`\__.'
              | (')| |(') |
              | .--' '--. |
              |/ o     o \|
              |           |
             / \ _..=.._ / \
            /:. '._____.'   \
           ;::'    / \      .;
           |     _|_ _|_   ::|
         .-|     '==o=='    '|-.
        /  |  . /       \    |  \
        |  | ::|         |   | .|
        |  (  ')         (.  )::|
        |: |   |;  U U  ;|:: | `|
        |' |   | \ U U / |'  |  |
        ##V|   |_/`"""`\_|   |V##
           ##V##         ##V##

```


### Release Activity

- Cadence: every ~111 days (recently every ~278 days)
- Total releases: 12
- Last release: 2037 days ago
- Major versions: 0.2.0 → 1.0.0 (2017-08-13); 1.1.0 → 2.0.0-beta1 (2019-01-04)
- PHP version history (2 changes): 0.1.0 requires PHP >=5.6; 2.0.0-beta2 requires PHP >=7.1

### Community

Maintainer: [Simon Erkelens](/maintainers/Firesphere) ([@Firesphere](https://github.com/Firesphere))

Top contributors: [tractorcow](https://github.com/tractorcow) (20 commits), [Firesphere](https://github.com/Firesphere) (18), [chillu](https://github.com/chillu) (2), [senorgeno](https://github.com/senorgeno) (1), [assertchris](https://github.com/assertchris) (1), [zzdjk6](https://github.com/zzdjk6) (1), [ec8or](https://github.com/ec8or) (1), [elliot-sawyer](https://github.com/elliot-sawyer) (1)

