One of the most common layers in a web applications is the authentication layer. Our app is no exception. For authentication, we are going to use JWT tokens as the way to authenticate users. Let’s see how it works.


JWT or Json Web Token is a string containing a hash that helps us authenticate users. Every token is constructed of 3 parts, like xxxxx.yyyyy.zzzzz. These three parts are: Header, Payload, and Signature. We won’t go into these three parts, because this is more about JWT and less about our application. You can read more about this here. Whenever a user logs in into our application, the server generates a token. Usually, the server includes information, like the username, in the token to be able to recognize the user later on. These tokens get signed by a secret key, so only the issuer (our application) can read the contents of the token. We are going to implement this behavior in our application.


In our app, we need to be able to generate a token for users when they sign up or login. We also need to create some middleware to authenticate users by the given token, so we know who’s connected to our server. We will be using the library to generate and parse JWT tokens.

Generating and Parsing JWT Tokens

We’ll create a new directory called pkg in the root of our application. You have seen that we’ve used internal for what we want to only be internally used within our app. The pkg directory is for files that could be imported anywhere in our application. JWT generation and validation scripts files like this.

There is a concept called “claims”. We’ll see more about it in rest of the section.

Let’s talk about what the code above does:

  • GenerateToken function will be used whenever we want to generate a token for a user. We save username in the token claims and set the token expiration time to 24 Hours later.
  • ParseToken function will be used whenever we receive a token and want to know who sent the request.

User SignUp and Login Functionality

Now we can generate a token for each user. Before generating a token for every user, we need to make sure the user exists in our database. To do this, we just need to query the database to match the user with the given username and password. When a user tries to register we need to insert the username and password in our database.

The Create function is much like the CreateLink function we saw earlier. Let’s break down the Authenticate code:

  • First we have a query to select the password from users table where username is equal to the username we got from the resolver.
  • We use QueryRow instead of Exec we used earlier; The difference is QueryRow() will return a pointer to a sql.Row.
  • Using .Scan method we fill the hashedPassword variable with the hashed password from database. Obviously you don’t want to save raw passwords in your database.
  • then we check if any user with the given username exists or not. If there isn’t a match, we return false. If we found a match, we check the user hashedPassword with the raw password given.(Notice that we save hashed passwords not raw passwords in database in line 23)

In the next part, we gather the tools we have to detect which user is using the app.

Authentication Middleware

Every time a request comes to our resolver, we need to know which user is sending the request. To accomplish this, we have to write middleware that’s executed before the request reaches the resolver. This middleware resolves the user from the incoming request and passes this on to the resolver.

We use this function to get user object with username in the authentication middeware.

And now let’s create our auth middleware. For more information visit gql authentication docs.

Now we can use the middleware we created in our server:

Next Chapter

Auth Endpoints

Enable Users to register, login and refresh their token

Go to next chapter