Craft CMS 5 - Auth and Session Management Facilities for Headless Mode

[mgambella]

I am reaching out to inquire about the upcoming features in Craft CMS 5, specifically in relation to headless mode. My primary concern revolves around the current state of authentication and user session management when using the REST API and/or GraphQL in headless mode. As it stands, these functionalities seem to be somewhat secondary compared to their counterparts in the standard (non-headless) mode.

This issue becomes particularly pronounced when integrating Craft Commerce in a headless setup. The gap in native support for robust auth and session management in headless mode is currently being filled by solutions like the GraphQL Authentication plugin. However, this feels more like a workaround rather than a holistic solution.

Given these points, I am eager to know whether Craft CMS 5 will introduce enhanced facilities for authentication and user session management in headless mode. Such improvements would significantly streamline the development process and enhance the overall security and user experience in headless deployments.

Looking forward to any insights or updates you can share on this topic.

[brandonkelly]

Craft 5 is focused on authoring and content modeling improvements, but we’re eager to improve headless authentication just as soon as v5 has shipped! We are keenly aware of the pain points, especially when it comes to Craft Commerce.

The high level plan is to create a JWT-based auth system, where JWTs could reference a user or a list of granted permissions, update permission checks to take that into account, and add an authentication layer to GraphQL so we can start adding user session-concerned endpoints, like cart management.

[mgambella]

Thank you very much for your response @brandonkelly: I am glad that you have a plan of a better headless auth for after Craft CMS 5 is shipped.
Instead, speaking of pain points, another issue that comes in my mind, related to headless auth and security in general, is the fact that Craft CMS and Craft Commerce use the same User entity for both administrative users and site members/customers/guest users. Since groups and permissions are set via a, sometimes long, list of checkboxes it may happen to misread them and assign elevated permissions to what should be less privileged users instead, just for example normal users should never be able to read other users data. Or, on the other way around, it happens that administrative users can add orders or other meaningless data to themselves: oftentimes this looks not ideal and even confusing to the admins…
Perhaps, there are also plans to implement different kinds of users: admins and members, strictly isolated in different database tables, so to speak?

[brandonkelly]

We haven’t ever discussed that, but my knee-jerk reaction is that it seems like it would be weird to have administrative users who aren’t allowed to do things that even publicly-registered users with no permissions can do.

Another approach that would be quite a bit simpler would be that we add a new event on cart creation, which would let you check if the current user has control panel access (for example), and prevent it from happening.