Hello guys,
Digging a bit deeper in the authorisation mechanisms...
When sending x-hasura-allowed-roles as part of the JWT claims, it seems HGE only validates the permissions for x-hasura-default-role defined in the same token.
I suggest the permission is defined by the union of each allowed role. Without this I still don't get the utility of this claim, and will be pleased to hear some explanation on how it works under the hood.
Many thanks in advance!
Hi @plmercereau
If you change the x-hasura-default-role header in the client request, it will make the request with that role, overwriting whatever was set in the token, as long as the role is in the x-hasura-allowed-roles array.
Thanks @leoalves
That's very good to know, I didn't get that we could then re-define the default role header.
But basically you then still need to let the client decide 'what role should I use for this query?' instead of letting it send the query and then having the server decide how to process it according to the sum of the roles of the user.
My point is that it can have major repercussions on the way you design your client, and you may end up having an unnecessary layer of complexity, whereas we could have benefited from the Hasura permission system, which I find pretty elegant.
I would love to see Hasura aggregating all the permissions from a set of user roles for each request!
@plmercereau there has been a lot of discussion on this topic in #877
Oh! Thanks @ecthiender I don't know how I could have missed this one!
This is exactly the topic that I have in mind.
I am closing this issue and will monitor / participate in the other one.
Thanks again
For those who stumble on this, the header used to override the default role is x-hasura-role.
Example using Apollo:
import { useQuery } from "@apollo/client";

// MY_QUERY is a gql document defined elsewhere in the client.
// The x-hasura-role header is sent with this one request only; it must be one of
// the roles listed in the token's x-hasura-allowed-roles claim, otherwise HGE rejects it.
const { loading, error, data } = useQuery(MY_QUERY, {
  context: {
    headers: {
      "x-hasura-role": "owner"
    }
  }
})