Graphql-engine: Use session variables in GraphQL queries

@macalinao Hasura has buit-in ACL which serves this exact purpose. You just need to pass the JWT token containing X-Hasura-User-Id and use it to filter the data. This link may help: https://docs.hasura.io/1.0/graphql/manual/auth/authorization/basics.html

@macalinao I'm not sure how this can be done while adhering to the graphql spec. Any ideas?

@victorferreira I think what the op was suggesting is a case like this:
Suppose you have a table/view called followers where everyone can read all rows. Now suppose you want to fetch your own followers you would do something like this:

query getFollowersOf($user_id: Int!) {
  followers(where: {user_id: {_eq: $user_id}}) {
    follower_id
  }
}

with variables being {"user_id": your_user_id}. However it would be nice if you can somehow specify that $user_id should come from a session variable than having to explicitly specify it.

@0x777 one idea is to inject all hasura env vars as optional query variables. I'm not sure what the security implications are, but it could look like this:

query getFollowersOf($x_hasura_user_id: String) {
  followers(where: {user_id: {_eq: $x_hasura_user_id}}) {
    follower_id
  }
}

These could get whitelisted and configured in the Hasura console

Hey @macalinao, would love to hop on a short call to discuss possible implementations for this! If this works for you, could you please schedule a chat here?

@dsandip Did you ever look into this issue?

@macalinao This is the way I do it in my current application. As long as the injection is done after validating the token, in my opinion this raises security by not allowing the caller to specify any invalid query variables.

I'd be glad to hop on a call to discuss possible implementations for this @dsandip!

This would be extremely valuable for my project.

This would be also useful if you want to update the auth user, e.g.:
update_user_by_pk(pk_columns: {id: $userId}, _set: $changes) {...}

Any update on this? This feature is really useful.