JWT Auth Strategy

[thecaffeinatedengineer]

Hi @adrien2p,

Thanks for the amazing work you are doing on Medusa.

Is there a plan to add a JWT strategy? This will allow seamless integration of medusa into other systems.

[adrien2p]

Hi @ianchikwature , could you explain me your need with a bit more details please. Medusa is using a jwt strategy and before going any further i would like to be sure to understand your needs

[thecaffeinatedengineer]

Hi @adrien2p ,

Thanks for getting back to me.

I was under the impression that Medusa only uses cookies for auth. From looking at the docs in the Auth session, it only mentions Cookie Sessions. However when I look in the server api, there is a JWT_SECRET env variable.

How do I enable the server to start returning and accepting JWT's as the authentication method ? At the moment when I log in, the server only returns the user details and sets the cookie.

Regarding the requirements, my plan is to integrate medusa in an existing microservices system that uses passport-jwt. I was hoping that if the JWT_SECRET is the same. We can leverage medusa's auth to create the users and then the other services will be able to recognise the users.

Thanks.

[adrien2p]

In that case I think that you should use the api key system for service to service wdyt?

[thecaffeinatedengineer]

@adrien2p Thanks, yea that's how I am planning to do service to service invocation, however there would be some instances that I want the user to call a service directly and I would need the service to recognise the user something like this 'jwt.claims.user_id': req.user ? req.user.id : undefined,.

Is this possible at the moment ? If not how do I go about implementing that ?

[gadcam]

Hello @adrien2p,

Would not this be useful in the case where an user is already logged in on the same domain with a JWT ?
I would like to achieve this so that we could automatically create user accounts on Medusa end and log them without any password.

I would imagine something looking like this

export class JWTStrategy extends PassportStrategy {
  async authenticate(req, options) {
    const token = req.headers.authorization?.split(' ')[1];

    if (!token) {
      throw new Error('No token provided');
    }

    try {
      const decoded = jwt.verify(token, process.env.DOMAIN_WIDE_JWT_SECRET);
      const userService = req.scope.resolve('userService') as UserService;
      let user = await userService.retrieveByEmail(decoded.email);

      if (!user) {
        user = await userService.create({
          email: decoded.email,
          first_name: decoded.name.givenName,
          last_name: decoded.name.familyName,
        });
      }

      return { user };
    } catch (error) {
      throw new Error('Invalid token');
    }
  }
}

If you think it is worth developping do not hesitate to give me a few hints on where to look so that I add this to the current plugin.

As a sidenote in my case the source of the JWT is NOT capable to be a real Identity Provider and so using an Oauth2 strategy is not an option.