I am looking to understand if my following statement is te correct way to implement authorization using sanctum with graphql:
Now for the tricky part, once I create a login mutation, I need to verify that the user has the corresponding role and generate a token ability based on that check, also when the app goes offline or enters PWA mode.
I need to revoke any tokens abilities with:
- update I couldn't find in the docs any solutions to this problem, that is a real-world necessity. I can only leave the show and index abilities active.
My idea is like this:
Create a custom arg resolver for the mutation somehow bring the middleware and generate a token based on roles.
The verification will be made server-side than issue a token with abilities.
Bad idea: To store the role with the token.
So the real solution is this and I don't care how many people will argue because in reality security is very important and should be handled by experts in the field. That being said paseto is and will remain a real option if we can build it.
Why paseto read this post from a security expert that works with this every day.
So this is the answer.
Thanks for reading.