How to use x-hasura-allowed-roles with webhooks
Hello, I see there is some documentation on how to use ‘x-hasura-allowed-roles’ with JWT, but I can’t make it work with webhooks. My use case is that each user can have multiple roles, and that I would like to test each of the permissions defined in the console. Here is an example of the payload:
{
"X-Hasura-Role": "user",
"X-Hasura-User-Id": "an-user-id",
"X-Hasura-Allowed-Roles": [
"manager",
"user"
]
}
In this case, I have an error “expected Text, encountered Array”. But even if I pass a stringified value such as "[manager,user]" or "[\"manager\",\"user\"]" the ‘manager’ permissions don’t apply…
Can you tell me if it could work, and if it can, what would be the way to proceed?
Thanks in advance!
Issue Analytics
- Created 5 years ago
- Comments: 6 (6 by maintainers)
Hello guys, I could not find a simple way to overload the JWT payload with the Hasura claims in loginsrv… The only way I think of would have been to create some kind of JWT proxy between the client and loginsrv, that would decrypt the JWT, add the claims, and generate a JWT - it wouldn’t make any sense then to use loginsrv anymore… So I created this small boilerplate inspired from your webhook passport boilerplate. I basically rewrote a basic auth server that stores user/password in a user table, roles in another one, and creates a many-to-many relationship through a user_role table. It creates the JWT and maps the roles into x-hasura-allowed-roles. There are of course a few limitations (those identified are detailed in the README), but I hope this will help. Please let me know if there is something I can do to make it useful to someone else.

Hi @plmercereau!
The idea is that your webhook is called on every request. Using the data sent by the client, it can resolve the role, per request.
In the case of JWT, the token is issued once the user is authenticated, and that token is used for all subsequent requests, hence it would need to have a list of possible roles for that authenticated user.
Did it make sense?
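
The per-request resolution described in the reply above, as an added example that is not part of the original thread or of Hasura's own code: the webhook checks the requested role against the roles stored server-side for the authenticated user and returns a single `X-Hasura-Role` string, which also avoids the "expected Text, encountered Array" error. The `x-requested-role` header, the bearer-token session lookup and the two in-memory tables are assumptions made for illustration.

```javascript
// Added example: per-request role resolution for a Hasura auth webhook.
// Constructed sample data standing in for a session store and the
// user / role / user_role tables; every name below is an assumption.
const SESSIONS = new Map([['constructed-token', 'an-user-id']]);
const USER_ROLES = new Map([['an-user-id', ['manager', 'user']]]);
const ROLE_HEADER = 'x-requested-role'; // hypothetical client header
const DEFAULT_ROLE = 'user';

// Identify the caller from a credential the server can verify,
// never from an X-Hasura-* header supplied by the client.
function authenticate(headers) {
  const match = /^Bearer (.+)$/.exec(headers.authorization || '');
  return match ? SESSIONS.get(match[1]) || null : null;
}

// Decide the session for ONE request. Returns { status, body }.
function resolveSession(headers) {
  const userId = authenticate(headers);
  if (!userId) return { status: 401, body: null };

  const roles = USER_ROLES.get(userId) || [];
  const requested = String(headers[ROLE_HEADER] || DEFAULT_ROLE).trim();

  // Grant only a role the server-side record lists for this user.
  if (!roles.includes(requested)) return { status: 401, body: null };

  // Session variables are plain strings: one role, no array.
  return {
    status: 200,
    body: { 'X-Hasura-Role': requested, 'X-Hasura-User-Id': userId },
  };
}

// Node request handler; pass it to http.createServer(handler).
function handler(req, res) {
  const { status, body } = resolveSession(req.headers);
  res.writeHead(status, { 'Content-Type': 'application/json' });
  res.end(body ? JSON.stringify(body) : '');
}
```
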