AuthOptions
AuthOptions
The AuthOptions define how authentication and authorization is managed.
interface AuthOptions {
disableAuth?: boolean;
tokenMethod?: 'cookie' | 'bearer' | ReadonlyArray<'cookie' | 'bearer'>;
cookieOptions?: CookieOptions;
authTokenHeaderKey?: string;
sessionDuration?: string | number;
sessionCacheStrategy?: SessionCacheStrategy;
sessionCacheTTL?: string | number;
requireVerification?: boolean;
verificationTokenDuration?: string | number;
superadminCredentials?: SuperadminCredentials;
shopAuthenticationStrategy?: AuthenticationStrategy[];
adminAuthenticationStrategy?: AuthenticationStrategy[];
customPermissions?: PermissionDefinition[];
passwordHashingStrategy?: PasswordHashingStrategy;
passwordValidationStrategy?: PasswordValidationStrategy;
}
disableAuth
boolean
false
Disable authentication & permissions checks. NEVER set the to true in production. It exists only to aid certain development tasks.
tokenMethod
'cookie' | 'bearer' | ReadonlyArray<'cookie' | 'bearer'>
'cookie'
Sets the method by which the session token is delivered and read.
- 'cookie': Upon login, a 'Set-Cookie' header will be returned to the client, setting a cookie containing the session token. A browser-based client (making requests with credentials) should automatically send the session cookie with each request.
- 'bearer': Upon login, the token is returned in the response and should be then stored by the
client app. Each request should include the header
Authorization: Bearer <token>
.
Note that if the bearer method is used, Vendure will automatically expose the configured
authTokenHeaderKey
in the server's CORS configuration (adding Access-Control-Expose-Headers: vendure-auth-token
by default).
From v1.2.0 it is possible to specify both methods as a tuple: ['cookie', 'bearer']
.
cookieOptions
Options related to the handling of cookies when using the 'cookie' tokenMethod.
authTokenHeaderKey
string
'vendure-auth-token'
Sets the header property which will be used to send the auth token when using the 'bearer' method.
sessionDuration
string | number
'1y'
Session duration, i.e. the time which must elapse from the last authenticated request after which the user must re-authenticate.
If passed as a number should represent milliseconds and if passed as a string describes a time span per
zeit/ms. Eg: 60
, '2 days'
, '10h'
, '7d'
sessionCacheStrategy
This strategy defines how sessions will be cached. By default, since v3.1.0, sessions are cached using
the underlying cache strategy defined in the SystemOptions.cacheStrategy
.
sessionCacheTTL
string | number
300
The "time to live" of a given item in the session cache. This determines the length of time that a cache entry is kept before being considered "stale" and being replaced with fresh data taken from the database.
If passed as a number should represent seconds and if passed as a string describes a time span per
zeit/ms. Eg: 60
, '2 days'
, '10h'
, '7d'
requireVerification
boolean
true
Determines whether new User accounts require verification of their email address.
If set to "true", the customer will be required to verify their email address using a verification token
they receive in their email. See the registerCustomerAccount
mutation for more details on the verification behavior.
verificationTokenDuration
string | number
'7d'
Sets the length of time that a verification token is valid for, after which the verification token must be refreshed.
If passed as a number should represent milliseconds and if passed as a string describes a time span per
zeit/ms. Eg: 60
, '2 days'
, '10h'
, '7d'
superadminCredentials
Configures the credentials to be used to create a superadmin
shopAuthenticationStrategy
Configures one or more AuthenticationStrategies which defines how authentication is handled in the Shop API.
adminAuthenticationStrategy
Configures one or more AuthenticationStrategy which defines how authentication is handled in the Admin API.
customPermissions
Allows custom Permissions to be defined, which can be used to restrict access to custom GraphQL resolvers defined in plugins.
passwordHashingStrategy
Allows you to customize the way passwords are hashed when using the NativeAuthenticationStrategy.
passwordValidationStrategy
Allows you to set a custom policy for passwords when using the NativeAuthenticationStrategy. By default, it uses the DefaultPasswordValidationStrategy, which will impose a minimum length of four characters. To improve security for production, you are encouraged to specify a more strict policy, which you can do like this:
Example
{
passwordValidationStrategy: new DefaultPasswordValidationStrategy({
// Minimum eight characters, at least one letter and one number
regexp: /^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d]{8,}$/,
}),
}