AuthOptions

Package: @vendure/core File: vendure-config.ts

The AuthOptions define how authentication is managed.

Signature

interface AuthOptions {
  disableAuth?: boolean;
  tokenMethod?: 'cookie' | 'bearer';
  sessionSecret?: string;
  authTokenHeaderKey?: string;
  sessionDuration?: string | number;
  requireVerification?: boolean;
  verificationTokenDuration?: string | number;
}

Members

disableAuth

property

type:

boolean

default:

false

Disable authentication & permissions checks. NEVER set the to true in production. It exists only to aid certain development tasks.

tokenMethod

property

type:

'cookie' | 'bearer'

default:

'cookie'

Sets the method by which the session token is delivered and read.

‘cookie’: Upon login, a ‘Set-Cookie’ header will be returned to the client, setting a cookie containing the session token. A browser-based client (making requests with credentials) should automatically send the session cookie with each request.
‘bearer’: Upon login, the token is returned in the response and should be then stored by the client app. Each request should include the header ‘Authorization: Bearer ’.

sessionSecret

property

type:

string

default:

'session-secret'

The secret used for signing the session cookies for authenticated users. Only applies when tokenMethod is set to ‘cookie’.

In production applications, this should not be stored as a string in source control for security reasons, but may be loaded from an external file not under source control, or from an environment variable, for example.

authTokenHeaderKey

property

type:

string

default:

'vendure-auth-token'

Sets the header property which will be used to send the auth token when using the ‘bearer’ method.

sessionDuration

property

type:

string | number

default:

'7d'

Session duration, i.e. the time which must elapse from the last authenticted request after which the user must re-authenticate.

Expressed as a string describing a time span per zeit/ms. Eg: 60, '2 days', '10h', '7d'

requireVerification

property

type:

boolean

Determines whether new User accounts require verification of their email address.

If set to “true”, when registering via the registerCustomerAccount mutation, one should not set the password property - doing so will result in an error. Instead, the password is set at a later stage (once the email with the verification token has been opened) via the verifyCustomerAccount mutation.

verificationTokenDuration

property

type:

string | number

default:

'7d'

Sets the length of time that a verification token is valid for, after which the verification token must be refreshed.

Expressed as a string describing a time span per zeit/ms. Eg: 60, '2 days', '10h', '7d'