Many open APIs allow unauthenticated use, for example the Digitransit Routing API for public transport. Currently Hasura seems to require a dummy authorization server such as this one to enable that use case.
Would you consider creating a special case for unauthenticated use, please? Perhaps a special role in the console.
@haphut What you're asking is to have an access key set, but also have a role, say anonymous, for which permissions can be set and those can be queried without an access key, all without configuring a webhook, right?
I think this is a good idea and opens up lots of possibilities like giving public read access but admin-only write access.
@0x777 @coco98 What do you think?
@shahidhk Exactly so. :)
In our current project we're going to allow only SELECT queries for the role anonymous as our data is open but we'd rather not allow everyone to write into our DB. We'd be glad to see others develop ingenious peeks into our data once the API matures a bit. I figure other public dashboard back ends could use the same pattern.
It'll be nice to have this when there are only two roles in the system, admin and anonymous. Maybe a flag (--role-when-no-access-key) which specifies a role to assume when the access key is not sent?
We'll be adding an option called unauthorized-role for both access-key only mode and JWT mode. This option will not be present in the webhook mode. In access-key only mode, when the x-hasura-access-key is absent, the query will be executed using the role specified with unauthorized-role. JWT mode will have the same behavior when the Authorization header is absent in the request.
Will this work for your use cases? @haphut @pradel @jakelowen
@0x777 @rakeshkky This issue is fairly critical. It is not possible to use anonymous roles with JWT mode at all, right?
@coco98 It is possible; the client needs to send the Authorization header, which will resolve to the anonymous role. This header will be a constant.
This will be out in the next release.
@coco98 - I have an example repo where I issue a JWT that resolves to an anonymous role if that helps to tide you over until the next version ships.
@haphut There is a flag --unauthorized-role and an env var HASURA_GRAPHQL_UNAUTHORIZED_ROLE available for the server to set a role which can be used when the request is not authenticated. Hope this covers your use-case. :smile:
Thanks a lot! Great work.
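The fallback described in this thread (no x-hasura-access-key in access-key mode, or no Authorization header in JWT mode, so the role set with --unauthorized-role applies), modelled as an added example that is not Hasura's code or any commenter's. The function and exception names, the `verify_jwt` callback, the mapping of a valid key to `admin`, and the rejection of a wrong credential instead of a downgrade to the unauthorized role are assumptions of this sketch.

```python
import hmac
from typing import Callable, Mapping, Optional


class AuthError(Exception):
    """Request rejected; no role is assigned."""


def resolve_role(mode: str, headers: Mapping[str, str],
                 unauthorized_role: Optional[str] = None,
                 access_key: str = "",
                 verify_jwt: Optional[Callable[[str], Optional[str]]] = None) -> str:
    """Model of the role choice described in the thread (hypothetical helper)."""
    if mode == "webhook":
        # The thread states the option is not present in webhook mode.
        raise ValueError("unauthorized-role is not offered in webhook mode")
    if mode not in ("access-key", "jwt"):
        raise ValueError(f"unknown mode: {mode}")
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    cred = h.get("x-hasura-access-key" if mode == "access-key" else "authorization")
    if cred is None:
        # Credential header absent: fall back only if a role was configured.
        if not unauthorized_role:
            raise AuthError("credential required and no unauthorized role is set")
        return unauthorized_role
    # Assumption: a credential that is present but wrong is rejected outright,
    # never silently downgraded to the unauthorized role.
    if mode == "access-key":
        if not access_key or not hmac.compare_digest(cred.encode(), access_key.encode()):
            raise AuthError("invalid access key")
        return "admin"  # assumption: two-role setup, a valid key acts as admin
    role = verify_jwt(cred) if verify_jwt else None
    if role is None:
        raise AuthError("invalid JWT")
    return role


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for hdrs in ({}, {"X-Hasura-Access-Key": "s3cret"}, {"X-Hasura-Access-Key": "nope"}):
        try:
            print(hdrs, "->", resolve_role("access-key", hdrs, "anonymous", "s3cret"))
        except AuthError as exc:
            print(hdrs, "-> rejected:", exc)
```

Whatever role is configured as the fallback is reachable by any caller, so its permissions are the public surface of the API; the thread's SELECT-only anonymous role is the pattern to follow.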