setup netlify auth with yarn rw setup auth netlify

api/src/functions/graphql.js

@@ -8,7 +8,10 @@ import schemas from 'src/graphql/**/*.{js,ts}'
 import { db } from 'src/lib/db'
 import services from 'src/services/**/*.{js,ts}'
 
+import { getCurrentUser } from 'src/lib/auth'
+
 export const handler = createGraphQLHandler({
+  getCurrentUser,
   schema: makeMergedSchema({
     schemas,
     services: makeServices({ services }),

api/src/lib/auth.js

@@ -1,13 +1,54 @@
+
+import { AuthenticationError, ForbiddenError, parseJWT } from '@redwoodjs/api'
+
 /**
- * Once you are ready to add authentication to your application
- * you'll build out requireAuth() with real functionality. For
- * now we just return `true` so that the beforeResolver() calls
- * in services have something to check against, simulating a logged
- * in user that is allowed to access that service.
+ * getCurrentUser returns the user information together with
+ * an optional collection of roles used by requireAuth() to check
+ * if the user is authenticated or has role-based access
+ *
+ * @param decoded - The decoded access token containing user info and JWT claims like `sub`
+ * @param { token, SupportedAuthTypes type } - The access token itself as well as the auth provider type
+ * @param { APIGatewayEvent event, Context context } - An object which contains information from the invoker
+ * such as headers and cookies, and the context information about the invocation such as IP Address
  *
- * See https://redwoodjs.com/docs/authentication for more info.
+ * @see https://github.com/redwoodjs/redwood/tree/main/packages/auth for examples
  */
+export const getCurrentUser = async (decoded, { _token, _type }, { _event, _context }) => {
+  return { ...decoded, roles: parseJWT({ decoded }).roles }
+}
+
+/**
+ * Use requireAuth in your services to check that a user is logged in,
+ * whether or not they are assigned a role, and optionally raise an
+ * error if they're not.
+ *
+ * @param {string=} roles - An optional role or list of roles
+ * @param {string[]=} roles - An optional list of roles
+ * @returns {boolean} - If the currentUser is authenticated (and assigned one of the given roles)
+ *
+ * @throws {AuthenticationError} - If the currentUser is not authenticated
+ * @throws {ForbiddenError} If the currentUser is not allowed due to role permissions
+ *
+ * @see https://github.com/redwoodjs/redwood/tree/main/packages/auth for examples
+ */
+export const requireAuth = ({ role } = {}) => {
+  if (!context.currentUser) {
+    throw new AuthenticationError("You don't have permission to do that.")
+  }
+
+  if (
+    typeof role !== 'undefined' &&
+    typeof role === 'string' &&
+    !context.currentUser.roles?.includes(role)
+  ) {
+    throw new ForbiddenError("You don't have access to do that.")
+  }
 
-export const requireAuth = () => {
-  return true
+  if (
+    typeof role !== 'undefined' &&
+    Array.isArray(role) &&
+    !context.currentUser.roles?.some((r) => role.includes(r))
+  ) {
+    throw new ForbiddenError("You don't have access to do that.")
+  }
 }

web/package.json

@@ -13,11 +13,13 @@
     ]
   },
   "dependencies": {
+    "@redwoodjs/auth": "^0.33.0",
     "@redwoodjs/forms": "^0.32.2",
     "@redwoodjs/router": "^0.32.2",
     "@redwoodjs/web": "^0.32.2",
+    "netlify-identity-widget": "^1.9.1",
     "prop-types": "^15.7.2",
     "react": "^17.0.2",
     "react-dom": "^17.0.2"
   }
-}
+}

web/src/App.js

@@ -1,3 +1,6 @@
+import { AuthProvider } from '@redwoodjs/auth'
+import netlifyIdentity from 'netlify-identity-widget'
+import { isBrowser } from '@redwoodjs/prerender/browserUtils'
 import { FatalErrorBoundary } from '@redwoodjs/web'
 import { RedwoodApolloProvider } from '@redwoodjs/web/apollo'
 
@@ -7,11 +10,15 @@ import Routes from 'src/Routes'
 import './scaffold.css'
 import './index.css'
 
+isBrowser && netlifyIdentity.init()
+
 const App = () => (
   <FatalErrorBoundary page={FatalErrorPage}>
-    <RedwoodApolloProvider>
-      <Routes />
-    </RedwoodApolloProvider>
+    <AuthProvider client={netlifyIdentity} type="netlify">
+      <RedwoodApolloProvider>
+        <Routes />
+      </RedwoodApolloProvider>
+    </AuthProvider>
   </FatalErrorBoundary>
 )
 

yarn.lock

@@ -2113,6 +2113,11 @@
   resolved "https://registry.yarnpkg.com/@redwoodjs/auth/-/auth-0.32.2.tgz#57d0c460323267a97484446ce0bda794b3d6853d"
   integrity sha512-Fe5c/XmqRjIe5Udd8BtkRygvhD6ZQ4yJvXm4fV5LUNXTZ8oJCPFFqfbZmeQILxtjEJIVsD1vmVo6UntH3a1NFg==
 
+"@redwoodjs/auth@^0.33.0":
+  version "0.33.0"
+  resolved "https://registry.yarnpkg.com/@redwoodjs/auth/-/auth-0.33.0.tgz#ee255fae3ecd47d9c6ad6745e25191b10f1065e1"
+  integrity sha512-SukUAhd1TN3lR4hMNcR4HAZiJ77LY0O6eT2O8QAEvMJVTeWBHAU9OryVePFs9V0NJvrDRjZP60N33u8+l6vxNg==
+
 "@redwoodjs/cli@^0.32.2":
   version "0.32.2"
   resolved "https://registry.yarnpkg.com/@redwoodjs/cli/-/cli-0.32.2.tgz#e7c1203cadad7201fb0f04a025d0fc051b477786"
@@ -11456,6 +11461,11 @@ nested-error-stacks@^2.0.0, nested-error-stacks@^2.1.0:
   resolved "https://registry.yarnpkg.com/nested-error-stacks/-/nested-error-stacks-2.1.0.tgz#0fbdcf3e13fe4994781280524f8b96b0cdff9c61"
   integrity sha512-AO81vsIO1k1sM4Zrd6Hu7regmJN1NSiAja10gc4bX3F0wd+9rQmcuHQaHVQCYIEC8iFXnE+mavh23GOt7wBgug==
 
+netlify-identity-widget@^1.9.1:
+  version "1.9.1"
+  resolved "https://registry.yarnpkg.com/netlify-identity-widget/-/netlify-identity-widget-1.9.1.tgz#9e716c4b92b9f0cc041074eb86fc962f35295b46"
+  integrity sha512-9oIWjwUSdRk3SkREcZNjZaVuDDx9T/wSIXZNQsQeY4qoXic/FiXVEGgu2RU3IuA4OI3L2652xY1o+PpS03Ugaw==
+
 new-github-issue-url@^0.2.1:
   version "0.2.1"
   resolved "https://registry.yarnpkg.com/new-github-issue-url/-/new-github-issue-url-0.2.1.tgz#e17be1f665a92de465926603e44b9f8685630c1d"