Allow whitelisted session variables to be passed through HTTP headers

Currently all X-Hasura-* HTTP headers are filtered and not available to be used in column presets or permission checks. This means that switching between organizations in the example use case in the docs requires either using webhook-based auth or getting a new JWT each time the user switches to a different organization.

I discussed this briefly with @coco98 on Discord and he mentioned this is for security reasons. I do understand the reasoning but don’t think it should apply to all headers. Enforcing that the user only acts on behalf of an allowed organization is still possible. Similarly, there are probably plenty of use cases where the information passed via an HTTP header has nothing to do with auth (I’m thinking of things such as passing the client version, A/B experiment logging etc.).

Would it be possible to whitelist certain headers to be used as session variables?
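The security point behind the maintainers' filtering is that anything in an X-Hasura-* header is client-controlled, so a header that becomes a session variable used in a permission check is an authorization bypass unless its value is bounded by something the server has already verified. The following is an added example, not code from the issue, the thread, or Hasura itself: an auth-webhook-style merge in which each allowlisted header is either free-form (non-auth data such as a language or client version) or bounded by an allowed-set claim from the verified JWT, analogous to the way a role header is checked against an allowed-roles claim. The header names (X-Hasura-Org-Id, X-Hasura-Language, X-Hasura-Client-Version), the claim name x-hasura-allowed-org-ids, the HS256 secret and the sample claims are all constructed for the example; the claims namespace is Hasura's default key for JWT claims.

```python
import base64
import hashlib
import hmac
import json

HASURA_CLAIMS_NAMESPACE = "https://hasura.io/jwt/claims"  # Hasura's default JWT claims key

# Constructed policy: which client headers may become session variables.
# The value names the JWT claim that bounds the accepted header values,
# or None when the header is free-form and must never be used in a permission rule.
HEADER_ALLOWLIST = {
    "x-hasura-org-id": "x-hasura-allowed-org-ids",  # assumed claim, constructed for this example
    "x-hasura-language": None,
    "x-hasura-client-version": None,
}


class SessionError(ValueError):
    """Raised when the request must be rejected (bad token or disallowed header value)."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT (used here only to build test input)."""
    compact = {"separators": (",", ":")}
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url_encode(json.dumps(claims, **compact).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt_hs256(token: str, secret: bytes, now: int) -> dict:
    """Verify signature and expiry; the token's own 'alg' is never trusted beyond HS256."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise SessionError("malformed token")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise SessionError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise SessionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise SessionError("token expired")
    return claims


def build_session_variables(claims: dict, headers: dict, allowlist=HEADER_ALLOWLIST) -> dict:
    """Start from the verified token claims, then admit only allowlisted X-Hasura-* headers."""
    session = {k.lower(): v for k, v in claims.get(HASURA_CLAIMS_NAMESPACE, {}).items()}
    for name, value in headers.items():
        name = name.lower()
        if not name.startswith("x-hasura-") or name not in allowlist:
            continue  # unknown X-Hasura-* headers are dropped, never passed through
        bound_by = allowlist[name]
        if bound_by is not None and value not in session.get(bound_by, []):
            raise SessionError(f"{name}={value!r} not permitted by token claim {bound_by}")
        session[name] = value
    # Design choice: allowed-set claims are policy inputs, not values for permission rules.
    return {k: v for k, v in session.items() if not isinstance(v, list)}


def authorize_request(request_headers: dict, secret: bytes, now: int) -> dict:
    """Webhook-style entry point: bearer token first, then header merge under the allowlist."""
    headers = {k.lower(): v for k, v in request_headers.items()}
    auth = headers.get("authorization", "")
    if not auth.startswith("Bearer "):
        raise SessionError("missing bearer token")
    return build_session_variables(verify_jwt_hs256(auth[len("Bearer "):], secret, now), headers)


# Constructed test fixtures (not real credentials).
TEST_SECRET = b"constructed-test-secret"
TEST_CLAIMS = {
    "sub": "u1",
    "exp": 2_000_000_000,
    HASURA_CLAIMS_NAMESPACE: {
        "x-hasura-user-id": "u1",
        "x-hasura-default-role": "user",
        "x-hasura-allowed-roles": ["user"],
        "x-hasura-org-id": "org-a",
        "x-hasura-allowed-org-ids": ["org-a", "org-b"],
    },
}

if __name__ == "__main__":
    token = make_jwt_hs256(TEST_CLAIMS, TEST_SECRET)
    request = {
        "Authorization": f"Bearer {token}",
        "X-Hasura-Org-Id": "org-b",       # allowed: in the token's allowed set
        "X-Hasura-Language": "de",        # allowed: free-form, non-auth
        "X-Hasura-User-Id": "admin",      # dropped: not allowlisted
    }
    print(authorize_request(request, TEST_SECRET, now=1_700_000_000))
```

The check that matters is the one on the bounded header: a client can switch X-Hasura-Org-Id freely within the set the token already grants, but cannot name an organization outside it, and cannot touch X-Hasura-User-Id at all. Free-form entries are safe only as long as no permission rule or column preset references them.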

Issue Analytics

  • State: open
  • Created 5 years ago
  • Reactions: 53
  • Comments: 40 (8 by maintainers)

Top GitHub Comments

12 reactions
rahulagarwal13 commented, Dec 24, 2022

Thank you everyone for your interest in this feature and for sharing more information on your use-cases.

We would like to inform you that this is on our roadmap but we do not have a timeline at present. Meanwhile, you can use this workaround by @magus though we understand that it is cumbersome and might not work for your particular use-case.

Please continue to follow this GitHub issue. We plan to publish on this issue an RFC and welcome more detailed feedback from you once we provide those details.

5 reactions
vileanco commented, Feb 26, 2021

Hey, I also have a use case for this.

I have a public API which serves localized content. I would like to pass X-Hasura-Language as a header and then use it from session variables to return localized content to the user. In the case of authenticated users, I am able to save this in the JWT. This also has downsides, since the user will need to issue new JWT tokens if they change their language. In this use case it would be nice if the client could freely set this header to any language they wish.
