Graphql-engine: How to use x-hasura-allowed-roles with webhooks

Created on 20 Jan 2019 · 6 comments · Source: hasura/graphql-engine

Hello,
I see there is some documentation on how to use 'x-hasura-allowed-roles' with JWT, but I can't make it work with webhooks.
My use case is that each user can have multiple roles, and that I would like to test each of the permissions defined in the console.
Here is an example of the payload:

{
  "X-Hasura-Role": "user",
  "X-Hasura-User-Id": "an-user-id",
  "X-Hasura-Allowed-Roles": [
    "manager",
    "user"
  ]
}

In this case, I have an error "expected Text, encountered Array". But even if I pass a stringified value such as "[manager,user]" or "[\"manager\",\"user\"]" the 'manager' permissions don't apply...
Can you tell me if it could work, and if it can, what would be the way to proceed?
Thanks in advance!

All 6 comments

Hi!

Allowed Roles is used only for JWTs and not webhooks. The idea with a
webhook is that you should know exactly which role you want to run as.

So, your webhook should return only a particular x-hasura-role that you
want to use at that instant. Which means either manager or user.


Thanks for the prompt reply!
I don't get why this is not something I should try to do with webhooks, but at least I now know I am trying to do something that is not possible!
Thanks anyway, I will look for a workaround in my application logic.
Cheers!

Hi @plmercereau !

The idea is that your webhook is called on every request. Using the data sent by the client, it can resolve the role, per request.

In the case of JWT, the token is issued once the user is authenticated, and that token is used for all subsequent requests, hence it would need to have a list of possible roles for that authenticated user.

Did it make sense?

Thanks for the clarification @ecthiender ! I think it makes sense!
I am prototyping a stack that can be embedded into a local docker swarm with no or little access to the internet. I am not really good at configuring a JWT server (and a bit lazy to be honest), so I went down the webhook path as it was way easier for me to implement...
Still looking for a good JWT server that could generate the corresponding X-Hasura-* claims from a Postgres database with little effort...
Will try loginsrv I think, with an HTTP basic auth upstream service. Thanks anyway!

@plmercereau Let us know if you need any help getting loginsrv to work! And if you have any notes to share, please do post them here. We'd love to put together a guide/blog/docs so that it's useful to anyone else with this stack :)

Hello guys,
I could not find a simple way to overload the JWT payload with the Hasura claims in loginsrv... The only way I can think of would have been to create some kind of JWT proxy between the client and loginsrv, that would decrypt the JWT, add the claims, and generate a JWT - it wouldn't make any sense then to use loginsrv anymore...
So I created this small boilerplate inspired by your webhook passport boilerplate. I basically rewrote a basic auth server that stores user/password in a user table, roles in another, and creates a many-to-many relationship through a user_role table.
It creates the JWT and maps the roles into x-hasura-allowed-roles.
There are of course a few limitations (those identified are detailed in the README), but I hope this will help.
Please let me know if there is something I can do to make it useful to someone else.
