I’m a bit concerned about development mode and Netlify Identity. I didn’t think development mode meant “all bets are off”, especially when only intending to use development mode for the frontend.
I’m working on something that will be a little like running Jupyter Notebook on your own computer. Like Jupyter Notebook, I want users to be required to log in even on their local computer.
With Netlify Identity there is no JWT verification without Netlify Functions. In development and test mode, it decodes the JWT rather than verifying it. It can’t verify it because the secret needed to verify it isn’t available.
I think there should be a huge warning in development mode when there is a configuration where the local GraphQL endpoint can’t verify the token. Luckily there already is a huge warning that Redwood is pre-1.0.
Another use case besides a Jupyter Notebook type thing is with something like ngrok or localtunnel.
A sort of local mode could be made that would verify it, but it would need to call a Netlify Functions endpoint from the app to verify each token. Actually, I think that is doable with `getCurrentUser` in the graphql function. The local graphql’s `getCurrentUser` function could call the remote Netlify Functions graphql’s `getCurrentUser` using the token in the request. It could then cache it to memory or to disk (probably best to only cache the `sub` and `roles` and not the `email` for privacy reasons, which would mean the app would need to work without the email).
This gets to another issue which I might go straight to GitHub issues for once I gather a bit more info: in order to associate a Netlify login with a user account, I need the `sub`. I think it’s in the `clientContext` of the lambda function but not under the `user` key, and only the `user` key is passed on to `getCurrentUser`.