New: Headless Commerce with Remix! read more

Product

Features

A tour of the core Vendure features

Case studies

How Vendure is being used in real-world projects

Plugins

Official & community plugins

Integrations

Storefronts, payments, infrastructure. Compose your commerce stack

Demo
Live

Try our live Vendure demo now!

Roadmap

Services

Support

View our paid support plans

Partners

Our network of partners

Developers

Documentation

Get started in 5 minutes!

Blog

News and technical articles

AuthOptions

AuthOptions

Package: @vendure/core File: vendure-config.ts

The AuthOptions define how authentication and authorization is managed.

Signature

interface AuthOptions {
  disableAuth?: boolean;
  tokenMethod?: 'cookie' | 'bearer' | ReadonlyArray<'cookie' | 'bearer'>;
  cookieOptions?: CookieOptions;
  authTokenHeaderKey?: string;
  sessionDuration?: string | number;
  sessionCacheStrategy?: SessionCacheStrategy;
  sessionCacheTTL?: number;
  requireVerification?: boolean;
  verificationTokenDuration?: string | number;
  superadminCredentials?: SuperadminCredentials;
  shopAuthenticationStrategy?: AuthenticationStrategy[];
  adminAuthenticationStrategy?: AuthenticationStrategy[];
  customPermissions?: PermissionDefinition[];
  passwordHashingStrategy?: PasswordHashingStrategy;
  passwordValidationStrategy?: PasswordValidationStrategy;
}

Members

disableAuth

property
type:
boolean
default:
false
Disable authentication & permissions checks. NEVER set the to true in production. It exists only to aid certain development tasks.

tokenMethod

property
type:
'cookie' | 'bearer' | ReadonlyArray<'cookie' | 'bearer'>
default:
'cookie'

Sets the method by which the session token is delivered and read.

  • ‘cookie’: Upon login, a ‘Set-Cookie’ header will be returned to the client, setting a cookie containing the session token. A browser-based client (making requests with credentials) should automatically send the session cookie with each request.
  • ‘bearer’: Upon login, the token is returned in the response and should be then stored by the client app. Each request should include the header Authorization: Bearer <token>.

Note that if the bearer method is used, Vendure will automatically expose the configured authTokenHeaderKey in the server’s CORS configuration (adding Access-Control-Expose-Headers: vendure-auth-token by default).

From v1.2.0 it is possible to specify both methods as a tuple: ['cookie', 'bearer'].

cookieOptions

property
type:
CookieOptions
Options related to the handling of cookies when using the ‘cookie’ tokenMethod.

authTokenHeaderKey

property
type:
string
default:
'vendure-auth-token'
Sets the header property which will be used to send the auth token when using the ‘bearer’ method.

sessionDuration

property
type:
string | number
default:
'1y'

Session duration, i.e. the time which must elapse from the last authenticated request after which the user must re-authenticate.

Expressed as a string describing a time span per zeit/ms. Eg: 60, '2 days', '10h', '7d'

sessionCacheStrategy

property
type:
SessionCacheStrategy
default:
InMemorySessionCacheStrategy
This strategy defines how sessions will be cached. By default, sessions are cached using a simple in-memory caching strategy which is suitable for development and low-traffic, single-instance deployments.

sessionCacheTTL

property
type:
number
default:
300
The “time to live” of a given item in the session cache. This determines the length of time (in seconds) that a cache entry is kept before being considered “stale” and being replaced with fresh data taken from the database.

requireVerification

property
type:
boolean
default:
true

Determines whether new User accounts require verification of their email address.

If set to “true”, when registering via the registerCustomerAccount mutation, one should not set the password property - doing so will result in an error. Instead, the password is set at a later stage (once the email with the verification token has been opened) via the verifyCustomerAccount mutation.

verificationTokenDuration

property
type:
string | number
default:
'7d'

Sets the length of time that a verification token is valid for, after which the verification token must be refreshed.

Expressed as a string describing a time span per zeit/ms. Eg: 60, '2 days', '10h', '7d'

superadminCredentials

property
type:
SuperadminCredentials
Configures the credentials to be used to create a superadmin

shopAuthenticationStrategy

property
type:
AuthenticationStrategy[]
default:
NativeAuthenticationStrategy
Configures one or more AuthenticationStrategies which defines how authentication is handled in the Shop API.

adminAuthenticationStrategy

property
type:
AuthenticationStrategy[]
default:
NativeAuthenticationStrategy
Configures one or more AuthenticationStrategy which defines how authentication is handled in the Admin API.

customPermissions

property
type:
PermissionDefinition[]
default:
[]
Allows custom Permissions to be defined, which can be used to restrict access to custom GraphQL resolvers defined in plugins.

passwordHashingStrategy

property
v1.3.0
type:
PasswordHashingStrategy
default:
BcryptPasswordHashingStrategy
Allows you to customize the way passwords are hashed when using the NativeAuthenticationStrategy.

passwordValidationStrategy

property
v1.5.0
type:
PasswordValidationStrategy
default:
DefaultPasswordValidationStrategy

Allows you to set a custom policy for passwords when using the NativeAuthenticationStrategy. By default, it uses the DefaultPasswordValidationStrategy, which will impose a minimum length of four characters. To improve security for production, you are encouraged to specify a more strict policy, which you can do like this:

Example

{
  passwordValidationStrategy: new DefaultPasswordValidationStrategy({
    // Minimum eight characters, at least one letter and one number
    regexp: /^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d]{8,}$/,
  }),
}
Generated on Jul 5 2022 at 11:03