How authorisation works with x-hasura-allowed-roles
Hello guys,
Digging a bit deeper in the authorisation mechanisms…
When sending x-hasura-allowed-roles as part of the JWT claims, it seems HGE only validates the permissions for x-hasura-default-role defined in the same token.
I suggest the permission is defined by the union of each allowed role. Without this I still don’t get the utility of this claim, and will be pleased to hear some explanation on how it works under the hood.
Many thanks in advance!
Issue Analytics
- State:
- Created 5 years ago
- Reactions: 4
- Comments: 5 (3 by maintainers)
Thanks @leoalves. That’s very good to know; I didn’t get that we could then re-define the default role header. But basically you then still need to let the client decide ‘what role should I use for this query?’ instead of letting it send the query and then the server decides to process it according to the sum of the roles of the user. My point is that it can have major repercussions in the way you design your client, and you may end up having an unnecessary layer of complexity, whereas we could have benefited from the Hasura permission system, which I find pretty elegant. I would love to see Hasura aggregating all the permissions from a set of user roles for each request!
For those who stumble on this, the header used to override the default role is x-hasura-role.
Example using Apollo:
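The following is an added example, not code from this thread or from the Hasura project. It models in plain JavaScript the role-selection rule the thread is discussing: a request is evaluated for exactly one role, taken from the x-hasura-role header if the client sends one, otherwise from x-hasura-default-role, and a header role that is not listed in x-hasura-allowed-roles is rejected rather than silently downgraded. Permissions are never unioned across the allowed roles, which is why the client has to pick a role per query. The claim names and the claims namespace are the ones Hasura documents; the function names, the select-permission table and the sample token claims are constructed for this illustration.

```javascript
// Default namespace under which Hasura looks for its session claims in a JWT.
const CLAIMS_NAMESPACE = "https://hasura.io/jwt/claims";

// Constructed sample claims, as a verified JWT payload would look after decoding.
// The user may act as "user" or "editor", and defaults to "user".
const SAMPLE_CLAIMS = {
  sub: "constructed-user-id",
  [CLAIMS_NAMESPACE]: {
    "x-hasura-allowed-roles": ["user", "editor"],
    "x-hasura-default-role": "user",
    "x-hasura-user-id": "constructed-user-id",
  },
};

// Constructed select-permission table: which role may read which table.
// Stands in for the permissions configured in the Hasura console.
const SELECT_PERMISSIONS = {
  user: new Set(["profile"]),
  editor: new Set(["article"]),
};

// Resolve the single role the request will be evaluated for.
// - no x-hasura-role header: use x-hasura-default-role
// - header present: it must be a member of x-hasura-allowed-roles, else reject
function resolveHasuraRole(jwtClaims, requestHeaders = {}) {
  const hasura = jwtClaims[CLAIMS_NAMESPACE];
  if (!hasura) throw new Error("JWT is missing the Hasura claims namespace");

  const allowed = hasura["x-hasura-allowed-roles"];
  const defaultRole = hasura["x-hasura-default-role"];
  if (!Array.isArray(allowed) || typeof defaultRole !== "string") {
    throw new Error("x-hasura-allowed-roles and x-hasura-default-role are mandatory");
  }
  if (!allowed.includes(defaultRole)) {
    throw new Error("x-hasura-default-role must be one of x-hasura-allowed-roles");
  }

  // HTTP header names are case-insensitive, so match them that way.
  const headerEntry = Object.entries(requestHeaders).find(
    ([name]) => name.toLowerCase() === "x-hasura-role"
  );
  if (headerEntry === undefined) return defaultRole;

  const requestedRole = headerEntry[1];
  if (!allowed.includes(requestedRole)) {
    throw new Error(`requested role "${requestedRole}" is not in x-hasura-allowed-roles`);
  }
  return requestedRole;
}

// Decide whether a select on `table` is permitted for this request.
// Only the resolved role's permissions are consulted: being allowed to act as
// "editor" does not help a request that was evaluated as "user".
function evaluateSelect(jwtClaims, requestHeaders, table) {
  const role = resolveHasuraRole(jwtClaims, requestHeaders);
  const readable = SELECT_PERMISSIONS[role];
  return readable !== undefined && readable.has(table);
}

// Stand-alone demonstration of the three cases the thread cares about.
console.log("no header, select article:",
  evaluateSelect(SAMPLE_CLAIMS, {}, "article"));                        // false
console.log("x-hasura-role: editor, select article:",
  evaluateSelect(SAMPLE_CLAIMS, { "x-hasura-role": "editor" }, "article")); // true
try {
  evaluateSelect(SAMPLE_CLAIMS, { "x-hasura-role": "admin" }, "article");
} catch (err) {
  console.log("x-hasura-role: admin:", err.message);                    // rejected
}
```

The last case is the security-relevant one: a client can only switch between roles the token already grants, so the header is a selector, not an escalation path. For an Apollo client this means setting the Authorization header once and adding x-hasura-role per operation (for example via a context link) when a query needs a role other than the token's default.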