
Allow unsigned (alg: none) JWT tokens


I’m using the firebase auth emulator for local development which produces unsigned tokens. I’m running the firebase auth emulator and hasura (v1.3.3) locally using docker. It seems that hasura views the unsigned tokens using the recommended HASURA_GRAPHQL_JWT_SECRET for firebase as invalid. When I remove the HASURA_GRAPHQL_JWT_SECRET, all requests are defaulted to the anonymous role, which doesn’t represent the actual role of the user from the unsigned token.

Is there a flag to allow using unsigned JWT tokens for development purposes? Or am I missing something with my configuration?

Hasura has been a major productivity boost for me! Just having this small issue setting up my local environment.

Issue Analytics

  • State: open
  • Created 3 years ago
  • Reactions: 23
  • Comments: 14 (1 by maintainers)

Top GitHub Comments

20 reactions
Rykuno commented, Jan 19, 2021

I also just ran into this issue. I would agree with having the none option on Hasura’s JWT secret for local testing and development. Does anyone know a workaround for this in the meanwhile?

Update: Here is my current workaround. I’m using Apollo with NextJS and I just added some middleware to handle the checking of environments. If the environment is local (where I’m using the Firebase emulator), it signs the token on request.

// Imports the snippet relies on (the import path for ApolloLink is assumed;
// older setups use "apollo-link" instead of "@apollo/client")
import jwt from "jsonwebtoken";
import { ApolloLink } from "@apollo/client";

// Generate a signed token for the request
// since firebase auth emulator tokens are unsigned.
// jwt.decode() only base64-decodes the payload without verifying anything
// (there is no signature to verify on an emulator token); jwt.sign() then
// re-signs that payload with HS256 using the key Hasura is configured with.
const getLocallySignedToken = token => {
  return jwt.sign(jwt.decode(token), "secret");
};

// condition for signing the token: only the local environment talks to the
// Firebase emulator, so only there is an unsigned token expected
const isLocalEnvironment = () => {
  return location.hostname === "localhost";
};

// middleware to apply signed token on request.
// getAuthToken() is app-specific and not shown in the post: it returns the
// current user's Firebase ID token, or a falsy value when nobody is signed in.
const authMiddleware = new ApolloLink((operation, forward) => {
  // add the authorization to the headers
  const token = getAuthToken();
  operation.setContext(() => ({
    headers: token
      ? {
          Authorization: `Bearer ${
            isLocalEnvironment() ? getLocallySignedToken(token) : token
          }`
        }
      : { "X-Hasura-Role": `anonymous` }
  }));
  return forward(operation);
});

Remember to set the secret to use a key instead of the Firebase JWK:

HASURA_GRAPHQL_JWT_SECRET='{"type":"HS256", "key": "secret"}'

I would still LOVE a type of none on the HASURA_GRAPHQL_JWT_SECRET though 😃.

8 reactions
jamesknelson commented, Jan 5, 2021

@tirumaraiselvan Yes, it appears the algorithm is none, which doesn’t appear to be specified in the JWT standard, but it’d be super handy if Hasura could support it. This would allow for completely local development - without touching a remote auth server at all.

Here’s a dump of one of the tokens produced by the mentioned auth emulator:

Headers:

{
  "alg": "none",
  "typ": "JWT"
}

Full payload:

{
  "aud": "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
  "iat": 1609857856,
  "exp": 1609861456,
  "iss": "firebase-auth-emulator@example.com",
  "sub": "firebase-auth-emulator@example.com",
  "uid": "yRdKtVuhWFShAUm43oT9HhpGMNid",
  "claims": {
    "https://hasura.io/jwt/claims": {
      "...": "..."
    }
  }
}

Given that the token has an issuer and audience, it may be possible to allow a “type” of “none” only when one (or both) of these are specified.


