reactioncommerce / api-plugin-authentication Goto Github PK

Using version v2.2.2 seems to have an install issue. The npm install phase will run normally, however when Reaction starts, fails to load. Perhaps a peer-depdendency is missing.

Error: Cannot find module '@accounts/magic-link'
  Require stack:
  - /reaction-core/node_modules/@reactioncommerce/api-plugin-authentication/node_modules/@accounts/graphql-api/lib/modules/accounts-magic-link/index.js
      at Function.Module._resolveFilename (node:internal/modules/cjs/loader:924:15)
      at Function.Module._load (node:internal/modules/cjs/loader:769:27)
      at Module.require (node:internal/modules/cjs/loader:996:19)
      at require (node:internal/modules/cjs/helpers:92:18)
      at Object.<anonymous> (/reaction-core/node_modules/@reactioncommerce/api-plugin-authentication/node_modules/@accounts/graphql-api/lib/modules/accounts-magic-link/index.js:7:22)
      at Module._compile (node:internal/modules/cjs/loader:1092:14)
      at Object.Module._extensions..js (node:internal/modules/cjs/loader:1121:10)
      at Module.load (node:internal/modules/cjs/loader:972:32)
      at Function.Module._load (node:internal/modules/cjs/loader:813:14)
      at Module.require (node:internal/modules/cjs/loader:996:19)

In order to refresh an expired access token, the accounts js schema provides the refreshTokens mutation. The problem is that before the request for refreshing the auth token can be executed by accountsjs, the flow goes through a middleware that gets the user for the session if the authorization header is present:

• api-plugin-authentication/src/util/tokenMiddleware.js

  Line 28 in 9ed0687

  req.user = await getUserFromAuthToken(token);

From the client-side there is no easy way to make refreshTokens request without adding the Authorization header (The accountsjs client automatically adds the header) and the solution to this problem is to introduce a change in the authentication plugin.

Currently, we have the following scenario:
When we have an expired access token and a valid refresh token, we make a refreshTokens request.
The expired access token is added to the headers non the less

The refreshing fails because the request fails even before it had reached the accountsjs logic for refreshing.
The correct workflow should be as follows:

If the provided Authorization header is expired, proceed with the execution of the code as if no header was added. In other words, it should skip the provided token in the Authorization header before it tries to get the user session.

When shifting from dev to prod mode in local, because of different secret, the session is lost and the authentication fails.

This plugin was originally created as plugin-authentication, but the name has been updated to include the api prefix.

We need to deprecate the original package on npm.

After some discussion, we've decided to prefix our API plugins with the work api.

This plugin needs to be updated to be api-plugin-authentication

Reaction has a .nvmrc with node 14.11.0 which does not support named exports.

Solution: bump version in main package