GraphQL

Apollo GraphQL Grants

Because we need to set and check Grants (LunaDefend's token specific permissions), the server needs to know what fields are tokens. We provide a schema directive to make this straightforward. Behind the scenes, the directive calls the Dedicated Tokenizer. If there is a problem with the session or the Grant, it will throw an error that Apollo will handle and send to the client.

Automatically create and verify token grants for any field with the @token directive.

const server = new ApolloServer({
  schemaDirectives: {token: lunaSec.tokenDirective}, // our initialized instance of the @lunasec/node-sdk
  // ... other apollo options
});

Here's an example schema that has the @token directive. Note that both input fields and normal fields should be decorated with the @token directive. Don't forget to decorate every field that contains a token, or it could be vulnerable. Arrays of tokens are supported.

const typeDefs = gql`
    directive @token(duration: String) on FIELD_DEFINITION | INPUT_FIELD_DEFINITION
    
    type Query {
        getFormData: FormData
    }
    
    type FormData {
        text_area: String @token(duration: "5m30s")
        email: String @token
        insecure_field: String
        files: [String] @token # @token directive also works on arrays of tokens
    }
    
    type Mutation {
     setFormData(formData: FormDataInput): FormData
    }
    
    input FormDataInput {
        email: String @token
        insecure_field: String
        text_area: String @token
        files: [String] @token
    }

`;

Passing a custom grant duration is optional, just make sure it is below the maximum set in your Tokenizer Backend's configuration.

Apollo GraphQL Grants​

Automatically create and verify token grants for any field with the @token directive.​

Apollo GraphQL Grants

Automatically create and verify token grants for any field with the @token directive.