Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Hasura doesn't forward Set-Cookie headers set by remote schemas

See original GitHub issue

Hasura should forward Set-Cookie headers back to the client that are set in Remote Schemas, so that the consumer of the GraphQL API receives them.

  • In order to use cookie-based authentication with Hasura, we need to make sure Cookie: headers are successfully passed to the GraphQL endpoint, so our auth webhook can extract useful information and pass in X-Hasura-* headers back to Hasura.
  • One of the primary reasons to use cookies is the HttpOnly flag, which prevents against vendor javascript running on the same page from stealing our sessions.
  • If Set-Cookie: headers don’t come from the same origin as Hasura, something like credentials: 'include' is necessary for cookies to actually be included in GraphQL requests, at least over HTTP (Queries and Mutations).
  • Unfortunately, WebSockets don’t seem to have any ability to credentials: 'include' and simply will not pass cookies from different origins no matter what, which means that there is currently no way to use http-only cookie-based authentication and subscriptions at the same time with Hasura.
  • Manually adding the Cookie: header to the WebSocket client could be an option, but we lose the ability to use HttpOnly cookies as client-side javascript would be required to parse them to build this header.
  • This also allows a cleaner front-end coding experience; all calls can be done via GraphQL.

Issue Analytics

  • State:closed
  • Created 5 years ago
  • Reactions:2
  • Comments:23 (12 by maintainers)

github_iconTop GitHub Comments

2reactions
weyertcommented, Apr 14, 2020

@campie I was wondering if you have an example of cookie auth via auth webhook like you described?

1reaction
sastraxicommented, Mar 5, 2019

Gotcha. Here’s some thoughts:

  1. It’s unfortunate that this wouldn’t work over ws, but I’m not sure I follow why this is an issue; the auth webhook is transport-dependent as well, isn’t it? Seems like documentation is the way to solve this part (and something I’d be happy to contribute via PR).

Your second point is interesting. Multiple Set-Cookie headers are absolutely fine in an HTTP response; however, there may be clashes if they share the same cookie name. RFC 6265 says:

Servers SHOULD NOT include more than one Set-Cookie header field in the same response with the same cookie-name. (See Section 5.2 for how user agents handle this case.) (https://tools.ietf.org/html/rfc6265#section-4.1.1)

The suggested client behaviour can be found in Section 5.3. My interpretation of the algorithm in this section is that later Set-Cookie headers with the same cookie-name should override earlier ones in the client’s cookie store. My suggestion is that the headers should be returned in the same order as the client sent them in, in order to allow developers to express ordering via the mutation / query they send to Hasura. Given the different specs for different headers, a whitelist of proxy-able headers probably makes sense to make sure Hasura can properly merge / overwrite depending on whether multiple versions of the same response header are allowed in the spec.

So in your example, both Set-Cookie headers would be passed back to the GraphQL client; this behaviour is consistent with the Set-Cookie RFC.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Forwarding auth context to/from remote schemas - Hasura
Hasura will forward the resolved x-hasura-* values as headers to your remote schema. You can use this information to apply authorization rules in...
Read more >
How to send cookies using Hasura - Stack Overflow
The Set Cookie header has to be the response from the Django authentication service, if both services are running in localhost, the Browser...
Read more >
Rust Server That Functions As A Remote Schema for Hasura - Morioh
This is an example of a Rust server that functions as a remote schema for Hasura. User login + signup, JWT authorization w/...
Read more >
Source - GitHub
Hasura GraphQL Engine Changelog :warning: This file is deprecated and ... same URL path but different method - server: forward Set-Cookie headers from...
Read more >
Configuring CORS - Apollo GraphQL Docs
Any request that sets the Content-Type header to application/json (or anything other than a list of three particular values) cannot be a simple...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Upsert mutation with default ids?

Next page

Error connecting to postgresql instance on Azure