
access control: how to use "_in" with x-hasura-allowed-roles or other session variables in permissions


version: alpha34

Here is my jwtoken:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwczovL2hhc3VyYS5pby9qd3QvY2xhaW1zIjp7IngtaGFzdXJhLWFsbG93ZWQtcm9sZXMiOlsiYWRtaW4iLCJ1c2VyIl0sIngtaGFzdXJhLWRlZmF1bHQtcm9sZSI6InVzZXIiLCJ4LWhhc3VyYS11c2VyLWlkIjoiMSJ9LCJpYXQiOjE1NDY2MDY5MzR9.-dfaH0ZG8gXbSMUn_m8LMkKdEdAk7NauqQqhI_yBnS0

which payload in clear is:

{
  "https://hasura.io/jwt/claims": {
    "x-hasura-allowed-roles": [
      "admin",
      "user"
    ],
    "x-hasura-default-role": "user",
    "x-hasura-user-id": "1"
  },
  "iat": 1546606934
}

In the console, permission tab, I’m setting this:

{"role":{"_in":["X-HASURA-ALLOWED-ROLES"]}}

But obviously it doesn’t work.

On the other hand, using {"role":{"_eq":["X-HASURA-ROLE"]}} works (but if the user has multiple roles, this permission only gets me back data for the current role. I’d like to get data related to all user roles).

Am I missing something about how to use arrays? Many thanks!

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 2
  • Comments: 8 (3 by maintainers)

Top GitHub Comments

7 reactions
sulliwane commented, Jan 7, 2019

Thanks a lot. I think array support in JWT/HEADERS could be very useful (especially to simplify overall design and logic in some cases). I already upvoted the related issue.

I had a look at your example (thanks for deploying it!), and that’s also a very good way to solve this problem. It requires though to add one join table with corresponding relationships for each extra table that needs control access (if my understanding is correct). But why not.

Access Control is a Pandora Box and there isn’t any silver bullet (especially when developing a one size fits all approach). Keep up the good work! 😃

2 reactions
pilatte commented, Jun 22, 2019

For string columns you can send "X-Hasura-Variable": (${IdArray.join("|")}) and then restrict with:

{
  "id": { "_similar": "X-Hasura-Variable" }
}

It is REGEX-like: id1 will match (id1|id2|id3) but not id4. Only works for strings though.

Check issue #1333 to see the advancement on this.
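The following is an added example, not code from the issue, from Hasura or from either commenter. It models the workaround in the comment above (a pipe-joined session variable checked with `_similar`), which is the string-column stand-in for the `_in` over `x-hasura-allowed-roles` that the question tried. The example assumes that `_similar` compiles to Postgres `SIMILAR TO`, which must match the whole column value, treats `%` as "any string" and `_` as "any single character", and uses backslash as its default escape character; the function names, the sample table and the allowed ids are constructed for the demonstration. It builds the variable exactly as `IdArray.join("|")` does, translates the pattern into an anchored JavaScript RegExp, and shows why each id has to be escaped before joining: an allowed id that happens to contain `_` or `%` otherwise widens the permission to rows the user should not see.

```javascript
// Added example (not from the issue, Hasura, or the commenters): modelling the
// "pipe-joined session variable + _similar" workaround.
// Assumption: Hasura's _similar compiles to Postgres SIMILAR TO, which must match
// the whole string, treats % as "any string" and _ as "any single character",
// and uses backslash as its default escape character.

// Characters that carry meaning inside a SIMILAR TO pattern.
const SIMILAR_META = new Set(['|', '*', '+', '?', '{', '}', '(', ')', '[', ']', '%', '_']);

// Escape one id so every character in it is matched literally.
function escapeSimilar(id) {
  let out = '';
  for (const ch of id) {
    out += (ch === '\\' || SIMILAR_META.has(ch)) ? '\\' + ch : ch;
  }
  return out;
}

// The variable exactly as the comment builds it: no escaping.
function buildNaive(ids) {
  return `(${ids.join('|')})`;
}

// Hardened variant: escape each id before joining.
function buildEscaped(ids) {
  return `(${ids.map(escapeSimilar).join('|')})`;
}

const JS_REGEX_META = /[.*+?^${}()|[\]\\]/g;

// Translate a SIMILAR TO pattern into an anchored JavaScript RegExp.
// Covers the subset used here: literals, backslash escapes, % and _, and the
// SQL regex operators | ( ) * + ? { } [ ], which pass through unchanged.
function similarToRegex(pattern) {
  let re = '';
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\' && i + 1 < pattern.length) {
      i += 1;                                   // escaped: next char is literal
      re += pattern[i].replace(JS_REGEX_META, '\\$&');
    } else if (ch === '%') {
      re += '.*';
    } else if (ch === '_') {
      re += '.';
    } else if (SIMILAR_META.has(ch)) {
      re += ch;                                 // SQL regex operator
    } else {
      re += ch.replace(JS_REGEX_META, '\\$&');  // plain literal
    }
  }
  return new RegExp(`^(?:${re})$`);             // whole-string match, like SIMILAR TO
}

function similarTo(value, pattern) {
  return similarToRegex(pattern).test(value);
}

// Simulate the row filter { "id": { "_similar": "X-Hasura-Variable" } } over a table.
function visibleRows(rowIds, sessionVariable) {
  return rowIds.filter((id) => similarTo(id, sessionVariable));
}

// Constructed sample table and a user whose second allowed id contains '_'.
const TABLE = ['id1', 'id2', 'id3', 'id4', 'id_', 'idX'];
const ALLOWED = ['id1', 'id_'];

function demo() {
  return {
    naive: visibleRows(TABLE, buildNaive(ALLOWED)),     // '_' is a wildcard: every row is visible
    escaped: visibleRows(TABLE, buildEscaped(ALLOWED)), // only id1 and id_
  };
}

console.log(demo());
```

The naive variable `(id1|id_)` lets every three-character id through, because `_` in a `SIMILAR TO` pattern matches any single character; the escaped variable `(id1|id\_)` matches only the two ids the user was granted. The same check is worth running on whatever builds the header in the auth service, since the session variable is a pattern, not a list, the moment it reaches the permission.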
