Hasura Authentication Explained

As you may know from other posts on blog.hasura.io, Hasura supports several types of authentication. In this post I want to lay out your authentication options when running Hasura in production.

We will talk about the following things:

Securing GraphQL endpoint

Auth Webhooks

Auth using JWT

Hasura Permission system

When you create a new instance of the Hasura engine, you've probably seen "Secure your endpoint" at the top of the console:

So now if you try to access the console, you will get a simple "login" page that asks you to enter your admin secret.

That is not actual authentication; it only secures your endpoint with a shared secret. So what about authentication, and which authentication method is right for you?

You may want to use Firebase, Auth0, Firebase Functions, Cognito, your own custom auth server, some other auth provider, etc.

So before looking at the different auth implementations, with links to blog posts and sample apps further down, let's divide authentication into two major types.

So what is a webhook? In a nutshell, when you set a specific environment variable for the Hasura engine that contains a custom URL, all request headers (unless your webhook is configured to use GET) will be passed to that custom URL. In your auth webhook you can do whatever you want, but it must return either a 200 or a 401 status code. Along with the 200 status code you return a set of variables prefixed with X-Hasura-* that are used by the Hasura permission system, which we will discuss later on.

Once it's deployed you can run it with npm start, send /login or /signup requests and get back the username and token.

and the result will be:

Now it's time to set up the Hasura engine on the database we've just created.

When accessing the console you will see the following:

As you can see, the users table was created when we ran the knex migrations while setting up our passport-js boilerplate. We also want to use it from our GraphQL API, so make sure you click the Track button; now you will be able to query your users:

So how do we log in? And how do we define permissions?

The passport-js example uses LocalStrategy, so a user must authenticate with a username and password; as a result it will return

So how do we structure our client app?

and as a result get a token.
Now we need to pass that token in every request to Hasura as the Authorization header, like so:

"Authorization": "Bearer dd26537df94305f35dca9605b9fade7b"

When you pass the Authorization header, it is forwarded to the custom auth webhook and processed there.
Let's take a look at the passport-js code:

As you can see, we return either the anonymous role or the user's id (user.id).
Now we can set our permissions accordingly in the Permissions tab.

Let's take a look at the auth flow for webhooks.

For example this:

The docs describe other ways to use JWT, but in a nutshell it will look like this:

Any auth server that returns a JWT has to include the x-hasura-* claims in the token, either under a namespace you configure or under the default https://hasura.io/jwt/claims namespace.

Note: x-hasura-default-role and x-hasura-allowed-roles are mandatory.

Now let's take a look at a case study of the simplest JWT use case.

Let's change the payload data to be:

Now we will head to the console and pass our token as an Authorization Bearer token.
Our x-hasura-* claims will be extracted from the token and passed to the Permissions dialog, where you will be able to set roles and get really granular access, even down to specific columns. We will talk about the permission system in a bit.

Let’s take a look at common authentication techniques we can use.

For Auth0 you also need to configure custom claims in the Rules section of the Auth0 dashboard.

We also need to add custom claims in Firebase so that we can include the X-Hasura-* variables in our encoded token.

With AWS Cognito there are several steps you need to take to make it work. I won't dive deeper into how to do that in this particular blog post (a more detailed post will follow), but the main idea of using Cognito is similar to Auth0 or Firebase: you need to define custom claims somewhere. For Cognito you cannot define them in the interface, but you can create a custom Lambda that runs when your token is generated, like so:

Our Lambda in this example will be super simple:

That's how we add custom claims. You can notice that we pass our claims as stringified JSON. This is done because Cognito does not support nested custom claims. You can also see that I check whether a specific user is an admin or not, and if so I return the admin role.

And that's basically it. Your Cognito token will be decoded and passed to the Hasura permission system.
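As an added example (my own code, not the post's Lambda), here is what a Cognito "Pre Token Generation" trigger that does the above looks like in Node. It relies on the real trigger contract, where the handler returns the event with `response.claimsOverrideDetails.claimsToAddOrOverride` filled in, and on the fact that Cognito only accepts string claim values, which is why the Hasura namespace claim is a JSON string. The admin check is an assumption for illustration: a user is an admin if they belong to a Cognito group named "admin" or if their sub appears in ADMIN_SUBS, a constructed placeholder list standing in for whatever store you keep that in.

```javascript
// Added example, not the post's own Lambda: a Cognito Pre Token Generation trigger
// that injects Hasura claims. Cognito cannot nest custom claims, so the namespace
// claim is a JSON string.
const HASURA_NAMESPACE = 'https://hasura.io/jwt/claims';

// Constructed placeholder for "specific users" that are admins; in practice this
// would be a lookup against your own user store.
const ADMIN_SUBS = new Set(['00000000-0000-0000-0000-000000000001']);

// Decide the Hasura roles for this user and return them as a JSON string.
function buildHasuraClaims(sub, groups) {
  const isAdmin = ADMIN_SUBS.has(sub) || groups.includes('admin');
  const claims = {
    'x-hasura-user-id': sub,
    'x-hasura-default-role': isAdmin ? 'admin' : 'user',
    'x-hasura-allowed-roles': isAdmin ? ['admin', 'user'] : ['user'],
  };
  return JSON.stringify(claims); // stringified because Cognito rejects nested objects
}

// Pure, synchronous part of the trigger so it can be exercised without Lambda.
function applyHasuraClaims(event) {
  const sub = event.request.userAttributes.sub;
  const groupConfig = event.request.groupConfiguration || {};
  const groups = groupConfig.groupsToOverride || [];
  event.response = event.response || {};
  event.response.claimsOverrideDetails = {
    claimsToAddOrOverride: { [HASURA_NAMESPACE]: buildHasuraClaims(sub, groups) },
  };
  return event;
}

// Lambda entry point: Cognito expects the (mutated) event back.
async function handler(event) {
  return applyHasuraClaims(event);
}

module.exports = { handler, applyHasuraClaims, buildHasuraClaims };
```

Attach the function to the user pool's Pre Token Generation trigger; Hasura then parses the stringified claim as described above, so the token needs no extra processing on the Hasura side.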

Hasura has a really granular method of evaluating permissions. In the sections above I laid out different methods of authenticating with Hasura, and while these methods differ from one another, all of them result in the same outcome: X-Hasura-* variables are passed to the Hasura permission system.

The first layer of permissions is roles. Roles are defined based on the x-hasura-default-role and x-hasura-allowed-roles variables passed to the permission system.

The second layer is custom checks based on x-hasura-user-id or any other custom variable passed to the permission system.

Alternatively, we can set something like that:

That means a user will be able to see only their own posts.
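To make the two layers concrete, here is an added example (a small model written for this page, not Hasura's own evaluator) that applies a select permission written in Hasura's boolean-expression syntax, such as `{"author_id": {"_eq": "X-Hasura-User-Id"}}`, to a constructed posts table. Layer one resolves the effective role: in JWT mode the requested role must be one of x-hasura-allowed-roles (falling back to x-hasura-default-role), while in webhook mode the role is whatever the webhook returned. Layer two substitutes session variables into the rule and filters rows. The permissions metadata, rows and sessions are all constructed sample data.

```javascript
// Added example, not Hasura's code: a model of role resolution plus row filtering
// using Hasura's boolean-expression syntax for select permissions.

// Constructed permissions metadata: role -> table -> select filter.
const PERMISSIONS = {
  user: { posts: { filter: { author_id: { _eq: 'X-Hasura-User-Id' } } } },
  admin: { posts: { filter: {} } }, // empty filter: every row is visible
  // "anonymous" has no entry for posts, so it cannot select from it at all
};

// Constructed sample rows.
const POSTS = [
  { id: 1, author_id: '42', title: 'hello' },
  { id: 2, author_id: '7', title: 'world' },
  { id: 3, author_id: '42', title: 'again' },
];

// Layer 1: pick the effective role. Session variable names are lower-cased.
// requestedRole models the optional X-Hasura-Role request header in JWT mode.
function resolveRole(session, requestedRole) {
  if (Array.isArray(session['x-hasura-allowed-roles'])) {            // JWT mode
    const role = requestedRole || session['x-hasura-default-role'];
    if (!session['x-hasura-allowed-roles'].includes(role)) {
      throw new Error(`role ${role} is not in allowed roles`);
    }
    return role;
  }
  if (!session['x-hasura-role']) throw new Error('no role in session');
  return session['x-hasura-role'];                                    // webhook mode
}

// A rule operand that names a session variable is replaced by its value; a missing
// variable is an error, never a silent match-everything.
function operand(value, session) {
  if (typeof value === 'string' && /^x-hasura-/i.test(value)) {
    const v = session[value.toLowerCase()];
    if (v === undefined) throw new Error(`missing session variable ${value}`);
    return v;
  }
  return value;
}

// Layer 2: evaluate a boolean expression against one row. Supports _and, _or,
// _not and the column operators _eq and _in; an empty rule matches every row.
function rowMatches(rule, row, session) {
  for (const [key, cond] of Object.entries(rule)) {
    if (key === '_and') { if (!cond.every((r) => rowMatches(r, row, session))) return false; continue; }
    if (key === '_or') { if (!cond.some((r) => rowMatches(r, row, session))) return false; continue; }
    if (key === '_not') { if (rowMatches(cond, row, session)) return false; continue; }
    if ('_eq' in cond && String(row[key]) !== String(operand(cond._eq, session))) return false;
    if ('_in' in cond) {
      const allowed = cond._in.map((v) => String(operand(v, session)));
      if (!allowed.includes(String(row[key]))) return false;
    }
  }
  return true;
}

// Both layers together: which rows may this session see in this table?
function selectRows(table, rows, session, requestedRole) {
  const role = resolveRole(session, requestedRole);
  const perm = PERMISSIONS[role] && PERMISSIONS[role][table];
  if (!perm) throw new Error(`role ${role} has no select permission on ${table}`);
  return rows.filter((row) => rowMatches(perm.filter, row, session));
}

module.exports = { resolveRole, rowMatches, selectRows, PERMISSIONS, POSTS };
```

Two things worth noticing when running it: a session that is allowed the admin role still gets the user filter unless it explicitly requests admin, and a session whose webhook returned only the anonymous role is refused outright because no permission exists for it, which is the behaviour you want as the default for any table you have not thought about yet.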

As you can see from the summary above, Hasura supports lots of different authentication techniques and is aligned with industry best practices. In addition, the Hasura permission system gives you a really granular level of access control, which is a must in production apps.
