AuthOptions

The AuthOptions define how authentication is managed.

Signature

interface AuthOptions {
  disableAuth?: boolean;
  tokenMethod?: 'cookie' | 'bearer';
  sessionSecret?: string;
  authTokenHeaderKey?: string;
  sessionDuration?: string | number;
  requireVerification?: boolean;
  verificationTokenDuration?: string | number;
}

Members

disableAuth

property
type:
boolean
default:
false

Disables authentication and permissions checks. NEVER set this to true in production. It exists only to aid certain development tasks.

tokenMethod

property
type:
'cookie' | 'bearer'
default:
'cookie'

Sets the method by which the session token is delivered and read.

  • ‘cookie’: Upon login, a ‘Set-Cookie’ header is returned to the client, setting a cookie containing the session token. A browser-based client (making requests with credentials) automatically sends the session cookie with each request.
  • ‘bearer’: Upon login, the token is returned in the response and must then be stored by the client app. Each request must include an ‘Authorization: Bearer’ header carrying that token.

sessionSecret

property
type:
string
default:
'session-secret'

The secret used for signing the session cookies for authenticated users. Only applies when tokenMethod is set to ‘cookie’.

In production applications, this secret should not be stored as a string in source control. Instead, load it from an external file that is not under source control, or from an environment variable, for example.
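The two hard rules above (disableAuth never in production, sessionSecret never the checked-in default) can be enforced at startup. The following is an added example, not Vendure's own code: it copies the AuthOptions interface from this page and builds an options object from environment variables, refusing unsafe combinations. The environment variable names and the 32-character minimum secret length are assumptions, not part of Vendure.

```typescript
// Added example (not Vendure's code): derive AuthOptions from environment
// variables and fail fast on unsafe production settings.
interface AuthOptions {
  disableAuth?: boolean;
  tokenMethod?: 'cookie' | 'bearer';
  sessionSecret?: string;
  authTokenHeaderKey?: string;
  sessionDuration?: string | number;
  requireVerification?: boolean;
  verificationTokenDuration?: string | number;
}

// Minimal view of process.env so the example runs offline with a constructed map.
type Env = Record<string, string | undefined>;

// The documented default secret; accepting it in production means forgeable sessions.
const INSECURE_DEFAULT_SECRET = 'session-secret';
const MIN_SECRET_LENGTH = 32; // assumed policy, not a Vendure requirement

function buildAuthOptions(env: Env): AuthOptions {
  const production = env.NODE_ENV === 'production';
  const disableAuth = env.DISABLE_AUTH === 'true'; // assumed variable name
  const tokenMethod = env.TOKEN_METHOD === 'bearer' ? 'bearer' : 'cookie';
  const sessionSecret = env.SESSION_SECRET;

  // disableAuth switches off auth and permission checks entirely.
  if (production && disableAuth) {
    throw new Error('disableAuth must not be enabled in production');
  }
  // Only the cookie method signs sessions with sessionSecret, so only then
  // does a missing, default or short secret matter.
  if (production && tokenMethod === 'cookie') {
    if (!sessionSecret || sessionSecret === INSECURE_DEFAULT_SECRET ||
        sessionSecret.length < MIN_SECRET_LENGTH) {
      throw new Error('SESSION_SECRET must be set to a strong value in production');
    }
  }
  return {
    disableAuth,
    tokenMethod,
    // Omit the secret when using bearer tokens; it is unused there.
    ...(tokenMethod === 'cookie' && sessionSecret ? { sessionSecret } : {}),
    authTokenHeaderKey: env.AUTH_TOKEN_HEADER_KEY ?? 'vendure-auth-token',
    sessionDuration: env.SESSION_DURATION ?? '7d',
    verificationTokenDuration: env.VERIFICATION_TOKEN_DURATION ?? '7d',
  };
}
```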

authTokenHeaderKey

property
type:
string
default:
'vendure-auth-token'

Sets the header name used to send the auth token when using the ‘bearer’ method.

sessionDuration

property
type:
string | number
default:
'7d'

Session duration, i.e. the time which must elapse from the last authenticated request after which the user must re-authenticate.

Expressed as a number of milliseconds or as a string describing a time span per zeit/ms, e.g. 60, '2 days', '10h', '7d'.

requireVerification

property
type:
boolean

Determines whether new User accounts require verification of their email address.

If set to true, when registering via the registerCustomerAccount mutation, one should not set the password property; doing so will result in an error. Instead, the password is set at a later stage (once the email with the verification token has been opened) via the verifyCustomerAccount mutation.

verificationTokenDuration

property
type:
string | number
default:
'7d'

Sets the length of time that a verification token is valid for, after which the verification token must be refreshed.

Expressed as a number of milliseconds or as a string describing a time span per zeit/ms, e.g. 60, '2 days', '10h', '7d'.