Graphql-engine: anonymous client access to hasura graphql engine (jwt-secret)

Created on 26 Mar 2019 · 11 comments · Source: hasura/graphql-engine

Hello
I want anonymous (not logged in) users to be able to access the GraphQL engine,
but the Hasura GraphQL engine is started with --jwt-secret, so the GraphQL engine is private.

A logged-in user who has a JWT token can access the GraphQL engine,
but a user who is not logged in cannot access the GraphQL server,
and I don't want to set a secret key in the request header,
because when using a browser the user can see the header data.

How can anonymous users access GraphQL?

question

All 11 comments

@sayi65 You can set the HASURA_GRAPHQL_UNAUTHORIZED_ROLE env var, say with the value anonymous, and define permissions for that role.

When the JWT header is missing, the server will assign this role to the request.

@shahidhk
When I set HASURA_GRAPHQL_UNAUTHORIZED_ROLE, the data becomes public.
With this env var, users can access data from anywhere.
I said I do not want to set permissions on the table.

@sayi65 You want all data to be public?

@shahidhk No, I want all data to be private.

How can anonymous users access GraphQL?

@sayi65 You want anonymous users to access data?

@shahidhk
That's right. I want to access the GraphQL server and get data when displaying the webpage initially, while the user is not logged in. jwt-secret is set in the Hasura GraphQL engine. How do you get the data in this way?
I don't want to use HASURA_GRAPHQL_UNAUTHORIZED_ROLE, because setting this option makes my GraphQL server fully public.

@sayi65 There are 2 ways to achieve what you're asking.

In both cases, you need to define a role (say anonymous) and set what the not-logged-in user is allowed to do in the permission rules for that role.

  1. Issue a JWT for the anonymous role (one which contains the x-hasura-role: anonymous claim). Embed this token into your app and use it for all not-logged-in actions.
  2. Set HASURA_GRAPHQL_UNAUTHORIZED_ROLE to anonymous. When you make a request without any JWT, that request will get this role.

@shahidhk
Thank you for your comment.
I will choose the first one.

@shahidhk

Sorry, I have a new question.

| id| loginId | password |
| ---- | ---- | ---- |
| 1 | test1 | pwd|
| 2 | test2 | pwd |

I set two roles on the user table.

One is the login role.
The login permission has a custom check ({ id : {_eq : [X-Hasura-User-Id]} })
and all columns are allowed.

The other one is the anonymous role.
The login permission has no checks,
and the allowed columns are id and loginId.

The JWT payload is

{
  ...
  "https://hasura.io/jwt/claims": {
    "x-hasura-allowed-roles": ["login", "anonymous"],
    "x-hasura-default-role": "login",
    "x-hasura-user-id": "1"
  }
}

When I query the user table, the response contains one row.
Can I get all the data?

query{
  users {
    id
    userId
    password
  }
}

Like this response data:

{
  "data": {
    "users": [
      {
        "id": "1",
        "userId": "test1",
        "password": "pwd"
      },
      {
        "id": "2",
        "userId": "test1",
        "password": null
      }
    ]
  }
}

@sayi65 Each request can have only one role. x-hasura-allowed-roles: [login, anonymous] indicates that with this JWT you can make a request with x-hasura-role: login or x-hasura-role: anonymous. If you do not send x-hasura-role with the request, x-hasura-default-role: login will be used.

We have an open issue to discuss handling multiple roles in the same graphql request: https://github.com/hasura/graphql-engine/issues/877.
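The role selection shahidhk describes in the comments above (a request without a JWT falls back to HASURA_GRAPHQL_UNAUTHORIZED_ROLE if one is configured; a request carrying a JWT gets exactly one role, picked by the x-hasura-role header from x-hasura-allowed-roles, or x-hasura-default-role when that header is absent), as an added Python example. This is not Hasura's code and was not posted in the thread: it mints an HS256 JWT with the Hasura claims namespace, verifies it, and resolves the effective role the way the comments describe. The secret, role names, user id and TTL are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for the example only. Hasura's HS256 mode wants a key of at
# least 32 characters; a real one must never be shipped to the browser.
JWT_SECRET = b"example-only-secret-at-least-32-chars!!"
CLAIMS_NAMESPACE = "https://hasura.io/jwt/claims"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(allowed_roles, default_role, user_id=None, ttl=3600, now=None):
    """Return an HS256 JWT whose payload carries Hasura's claims namespace.

    For the "embed an anonymous token in the app" option this would be called
    once with allowed_roles=["anonymous"], default_role="anonymous".
    """
    now = int(time.time()) if now is None else now
    claims = {
        "x-hasura-allowed-roles": list(allowed_roles),
        "x-hasura-default-role": default_role,
    }
    if user_id is not None:
        claims["x-hasura-user-id"] = str(user_id)  # session variables are strings
    payload = {"iat": now, "exp": now + ttl, CLAIMS_NAMESPACE: claims}
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(JWT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token, now=None):
    """Check alg, signature and exp; return the payload or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(JWT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if "exp" in payload and payload["exp"] <= now:
        raise ValueError("expired")
    return payload


def resolve_role(headers, unauthorized_role=None, now=None):
    """Mirror the per-request role selection described in the thread.

    headers: dict of HTTP request headers (case-insensitive names).
    unauthorized_role: value of HASURA_GRAPHQL_UNAUTHORIZED_ROLE, or None if unset.
    Returns the single role the request runs as, or raises PermissionError.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    auth = lower.get("authorization")
    if auth is None:
        # No JWT at all: only the configured unauthorized role can apply.
        if unauthorized_role is None:
            raise PermissionError("no JWT and no unauthorized role configured")
        return unauthorized_role
    if not auth.startswith("Bearer "):
        raise PermissionError("Authorization header is not a Bearer token")
    payload = verify_jwt(auth[len("Bearer "):], now=now)
    claims = payload.get(CLAIMS_NAMESPACE, {})
    allowed = claims.get("x-hasura-allowed-roles", [])
    # The header may pick any allowed role; otherwise the default role applies.
    requested = lower.get("x-hasura-role", claims.get("x-hasura-default-role"))
    if requested not in allowed:
        raise PermissionError(f"role {requested!r} not in allowed roles {allowed}")
    return requested
```

Two points the example makes concrete. First, the role is read only from the verified claims, so a client editing x-hasura-allowed-roles in the payload fails the signature check rather than gaining a role. Second, an anonymous token embedded in a web app is visible to anyone who loads the page, so option 1 above grants the world exactly what the anonymous role's permission rules allow, the same boundary as option 2; the permission rules for that role, not the token, are what keeps the data private.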

@shahidhk
Thanks for your comment.
I will check #877.
I will close this issue.
