As you may know from other posts on blog.hasura.io, Hasura supports several types of authentication. In this post I want to lay out your authentication options when running Hasura in production.
We will talk about the following things:
When you create a new instance of the Hasura engine, you have probably seen the "Secure your endpoint" warning at the top of the console:
Once an admin secret is set, any attempt to open the console gets a simple "login" page that asks you for that secret.
That is not user authentication. The admin secret only locks down the endpoint: whoever holds it has full admin access to every table, so it belongs in server-side configuration and never in a browser or mobile app. So what about authentication of individual users, and which authentication method is the right one for you?
You may want to use Firebase, Auth0, Firebase Functions, Cognito, your own custom auth server, some other auth provider, etc.
So before looking at the different auth implementations, with plenty of links to blog posts and sample apps further down, let's divide authentication into two major types: webhooks and JWTs.
So what is a webhook? In a nutshell, you point a specific Hasura engine environment variable (HASURA_GRAPHQL_AUTH_HOOK) at a custom URL, and Hasura forwards the client's request headers to that URL on every request: as HTTP headers when the hook is configured for GET, or inside a JSON body when it is configured for POST. Your auth webhook can do whatever it wants, but it must return either a 200 or a 401 status code. Along with the 200 status code it returns a JSON object of variables prefixed with X-HASURA-* that the Hasura permission system uses, which we will discuss later on.
Once it is deployed you can run it with npm start, send /login or /signup requests, and get back the username and a token,
and the result will be:
Now it's time to set up the Hasura engine on the database we've just created.
When you open the console you will see the following:
As you can see, the users table was created when we ran the knex migrations while setting up the passport-js boilerplate. We also want to use it from our GraphQL API, so make sure you click the Track button; now you will be able to query your users:
So how do we log in? And how do we define permissions?
The passport-js example uses LocalStrategy, so a person must authenticate with a username and password; as a result, it returns:
So how do we structure our client app?
and, as a result, get a token.
Now we need to pass that token in every request to Hasura as the Authorization header, like so:
"Authorization": "Bearer dd26537df94305f35dca9605b9fade7b"
When you pass the Authorization header, Hasura forwards it to the custom auth webhook, which processes it.
Let's take a look at the passport-js code:
As you can see, the webhook responds with either the anonymous role or the user.id of the authenticated user.
Now we can set our permissions accordingly in the Permissions tab.
Let's take a look at the auth flow for webhooks, for example this one:
There are other options described in the docs for how to use JWT, but in a nutshell it looks like this:
Any auth server that issues a JWT has to include the x-hasura-* claims in it, under either a configured namespace or the default https://hasura.io/jwt/claims namespace.
Note: x-hasura-default-role and x-hasura-allowed-roles are mandatory.
Now let's take a look at a case study of the simplest JWT use case.
Let's change the payload data to be:
Now we head to the console and pass our token as an Authorization: Bearer header.
Our x-hasura-* claims will be extracted from the token and passed to the Permissions dialog, where you will be able to set roles and get really granular access control, down to specific columns. We will talk about the permission system in a bit.
Let’s take a look at common authentication techniques we can use.
Also, for Auth0 you need to configure the custom claims in the Rules section of the Auth0 dashboard.
We also need to add custom claims to Firebase so that we can include X-Hasura-* variables in our encoded token.
With AWS Cognito there are several steps you need to take to make it work; even though I won't dive deeper into them in this particular post, a more detailed post will follow. The main idea with Cognito is similar to Auth0 or Firebase: you need to define custom claims somewhere. For Cognito you cannot define them in the interface, but you can attach a custom Lambda that runs when your token is generated (the Pre Token Generation trigger), like so:
Our Lambda in this example will be super simple:
That's how we add custom claims. Notice that we pass our claims as stringified JSON. This is done because Cognito does not support nested custom claims. You can also see that I check whether the specific user is an admin, and if so I return the admin role.
And that's basically it. Your Cognito token will be decoded and its claims passed to the Hasura permission system.
Hasura has a really granular way of evaluating permissions. In the sections above I laid out different methods of authenticating with Hasura, and while the methods differ from one another, they all result in the same outcome: X-Hasura-* variables are passed to the Hasura permission system.
The first layer of permissions is roles. The role for a request is determined by the x-hasura-default-role and x-hasura-allowed-roles variables passed to the permission system: if the client sends an X-Hasura-Role header it must be one of the allowed roles, otherwise the default role is used.
The second layer is custom checks based on x-hasura-user-id or any other custom variable passed to the permission system.
Alternatively, we can set something like this:
That will mean the user is able to see only his or her own posts.
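To show how the two layers combine, here is an added example (not Hasura's code) that simulates them in plain JavaScript over a constructed posts table. The per-role permission objects use the same shape as a Hasura select-permission rule, where a string such as "X-Hasura-User-Id" inside a filter is replaced by the session variable of that name; the rows, roles and column lists are constructed for the example.

```javascript
// Added example: the role layer and the row/column layer of Hasura-style
// permissions, simulated over constructed data. Not Hasura's implementation.

// Layer 1: per-role permissions on the posts table. A role with no entry
// cannot select from the table at all (this is what "anonymous" gets here).
const POSTS_PERMISSIONS = {
  user: {
    columns: ['id', 'title', 'body'],
    // "see only his/her own posts": compare the row's owner with the session.
    filter: { user_id: { _eq: 'X-Hasura-User-Id' } },
  },
  admin: {
    columns: ['id', 'user_id', 'title', 'body'],
    filter: {}, // empty filter: every row
  },
};

// Constructed sample rows.
const POSTS = [
  { id: 1, user_id: '42', title: 'hello', body: 'first post' },
  { id: 2, user_id: '7', title: 'admin note', body: 'internal' },
  { id: 3, user_id: '42', title: 'second', body: 'more' },
];

// Resolve a filter operand: a string naming an X-Hasura-* variable is
// replaced by the session's value; anything else is a literal. A referenced
// variable that the session does not carry is an error, not an empty match.
function operand(value, session) {
  if (typeof value === 'string' && /^x-hasura-/i.test(value)) {
    const key = value.toLowerCase();
    if (!(key in session)) throw new Error(`session variable ${value} not set`);
    return session[key];
  }
  return value;
}

// Evaluate a boolean expression supporting _eq, _and and _or, which is enough
// to express the row-level rules discussed in the post.
function matches(filter, row, session) {
  return Object.entries(filter).every(([key, cond]) => {
    if (key === '_and') return cond.every((f) => matches(f, row, session));
    if (key === '_or') return cond.some((f) => matches(f, row, session));
    if (typeof cond !== 'object' || cond === null || !('_eq' in cond)) {
      throw new Error(`unsupported filter on ${key}`);
    }
    return String(row[key]) === String(operand(cond._eq, session));
  });
}

// Layer 2: apply the role's filter and column allow-list. `session` is the
// bag of x-hasura-* variables produced by the webhook or extracted from the JWT.
function selectPosts(session) {
  const role = session['x-hasura-role'];
  const perm = POSTS_PERMISSIONS[role];
  if (!perm) throw new Error(`role ${role} has no select permission on posts`);
  return POSTS
    .filter((row) => matches(perm.filter, row, session))
    .map((row) => Object.fromEntries(perm.columns.map((c) => [c, row[c]])));
}

// Stand-alone demonstration.
console.log(selectPosts({ 'x-hasura-role': 'user', 'x-hasura-user-id': '42' }));
console.log(selectPosts({ 'x-hasura-role': 'admin', 'x-hasura-user-id': '7' }));

module.exports = { selectPosts, matches, POSTS_PERMISSIONS };
```

Two details worth carrying over to a real Hasura setup: the column allow-list is enforced independently of the row filter (the user role above never sees user_id even on its own rows), and a filter that references a session variable the webhook or token did not supply should fail closed rather than match everything.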
As you can see from the summary above, Hasura supports many different authentication techniques and is aligned with industry best practices. In addition, the Hasura permission system gives you a really granular level of access control, which is a must in production apps.