Skip to content

feat: add cookie-based authentication support #663

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
pyramation wants to merge 5 commits into
base: main
Choose a base branch
from
Open

feat: add cookie-based authentication support #663

pyramation wants to merge 5 commits into from
+2,836 −7,029

Conversation

@pyramation
Copy link
Contributor

@pyramation pyramation commented Jan 27, 2026
edited by devin-ai-integration bot
Loading

feat: add cookie-based authentication support

Summary

This PR adds optional cookie-based authentication to the GraphQL server, with settings loaded dynamically from the database rather than static configuration.

Key changes:

  • SuperTestAdapter (graphql-server-test): New adapter that wraps SuperTest for HTTP-based testing with automatic cookie jar support, enabling SDK-based cookie auth testing
  • Database-driven auth settings (graphql-server): Auth middleware queries auth_settings() from the RLS module's private schema to determine if cookie auth is enabled, with results cached per service key for 1 hour
  • Auth settings cache: New authSettingsCache using LRUCache to avoid per-request database queries
  • cookie-parser: Added as a dependency and integrated into the server middleware stack

When cookie auth is enabled in the database, the auth flow is:

  1. Check for session cookie → validate via existing authFn
  2. If no cookie or invalid, fall back to Bearer token auth
  3. If enable_cookie_auth is false or query fails, only Bearer token auth is used

Updates since last revision

  • Dynamic schema name: Now uses rlsModule.privateSchema.schemaName instead of hardcoding constructive_auth_private - same pattern as the authenticate function
  • Fetch all auth settings: The AuthSettings interface now includes all app_auth_settings columns (CSRF, session durations, password policies, etc.) for future use
  • Added DEFAULT_AUTH_SETTINGS constant with sensible fallback values
  • Companion PR: Requires constructive-db PR #448 which adds the enable_cookie_auth column to app_auth_settings table

Review & Testing Checklist for Human

  • Verify companion PR is merged first: This PR depends on constructive-db PR fix function job, add more logs in middleware #448 adding the enable_cookie_auth column. The server will gracefully default to false if the column doesn't exist, but cookie auth won't work.
  • Verify auth_settings() function exists: The middleware queries "${privateSchemaName}".auth_settings() - confirm this function exists in the RLS module's private schema and returns the expected columns
  • Review hardcoded cookie name: SESSION_COOKIE_NAME = 'session' is hardcoded - confirm this matches expected cookie name in constructive-db
  • Verify cache behavior: Auth settings are cached for 1 hour per service key. Confirm this TTL is acceptable, or if cache invalidation on setting change is needed.

Recommended test plan:

  1. Merge constructive-db PR fix function job, add more logs in middleware #448 first
  2. Set enable_cookie_auth = true in app_auth_settings for a test database
  3. Link this branch to constructive-db using pnpm link
  4. Write a test that signs in via SDK mutation and verifies subsequent requests are authenticated via cookie
  5. Verify bearer token auth still works when enable_cookie_auth = false

Notes

  • The pnpm-lock.yaml has large formatting changes (YAML style normalization) that obscure the actual dependency additions
  • Cookie auth silently falls through to bearer auth on failure - this is intentional to support mixed auth scenarios
  • If the auth_settings() query fails (e.g., function doesn't exist), the middleware logs a debug message and defaults to enableCookieAuth: false
  • All auth settings properties are now fetched and cached, but only enableCookieAuth is currently used - others are available for future middleware enhancements
  • There's duplicate buildContext logic between auth.ts and graphile.ts that could be extracted to a shared utility in a follow-up

Link to Devin run: https://app.devin.ai/sessions/15f2361412c346e6af808078720ad575
Requested by: Dan Lynch (@pyramation)

@pyramation
feat: add cookie-based authentication support
718cab9 
- Add SuperTestAdapter to graphql-server-test for HTTP testing with cookie support
- Add enableCookieAuth flag to ApiOptions (defaults to false for backward compatibility)
- Implement cookie auth middleware in graphql-server
- Add cookie-parser middleware to server
- Cookie auth checks for 'session' cookie and validates against session_credentials

When enableCookieAuth is true, the server will:
1. First check for a session cookie
2. Fall back to Bearer token authentication
3. Maintain backward compatibility when disabled
@devin-ai-integration
Copy link
Contributor

devin-ai-integration bot commented Jan 27, 2026

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@pyramation
chore: update snapshot for enableCookieAuth field
7b3f29b
@pyramation
refactor: use database-driven auth settings instead of static flag
93d7318 
- Add authSettingsCache to cache auth settings per service key
- Query enable_cookie_auth from constructive_auth_private.auth_settings()
- Remove static enableCookieAuth from ApiOptions
- Settings are loaded once per database/API and cached for 1 hour
@pyramation
fix: update snapshot after removing enableCookieAuth from ApiOptions
32f5cbf
@pyramation
refactor: use dynamic schema name and fetch all auth settings properties
0b3a319 
- Use rlsModule.privateSchema.schemaName instead of hardcoded schema
- Fetch all app_auth_settings properties (CSRF, session durations, etc.)
- Add DEFAULT_AUTH_SETTINGS constant for fallback values
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pyramation