Prisma1: Require authentication on Prisma server

In the context of developing with Prisma, there are two different secrets you might encounter. You are mixing them both up 🙂

Let me elaborate. First, let's get an understanding of the components at play and related terminology:

• A Prisma server is used to manage Prisma services.
• You can deploy new services or change existing services by talking to the management API of a Prisma server. This API was formerly called cluster API). The Prisma CLI is using this API when running prisma deploy, for example.

Now we can think about different secrets:

• If you're managing a Prisma server, you want to ensure that services can only be changed by authorized users. Therefore, the Prisma management API secret exists.

  • To setup a Prisma server with the management API secret, you have to supply the managementApiSecret to the PRISMA_CONFIG environment setting in the docker-compose.yml file. Here's an example how to do so.
  • To use the CLI to deploy to a Prisma server that is protected with a management API secret, you need to supply the PRISMA_MANAGEMENT_API_SECRET environment variable. In fish shell, you can do set -x PRISMA_MANAGEMENT_API_SECRET my-secret-123; and prisma deploy to do so.

• To protect access to the Prisma API of a single Prisma service for queries/mutations/subscriptions, you can employ one or more service secrets using the secret property in prisma.yml.

  • To then access the Prisma API, you need to supply a valid authorization header. It has this form:

  {
  "Authorization": "Bearer <token>
  }
  

  where token is _a JWT signed by the service secret_.

  • When using prisma-binding, you can supply the service secret to the Prisma constructor. prisma-binding then automatically generates a valid authorization header for every request by generating a valid JWT.
  • You can also run prisma token. This command looks into the secret property in prisma.yml, and generates a valid JWT token.

With that being said, here is additional information:

This is correct:

db: new Prisma({
  typeDefs: "src/generated/prisma.graphql", // the Prisma DB schema
  endpoint: process.env.PRISMA_ENDPOINT, // the endpoint of the Prisma DB service (value is set in .env)
  secret: process.env.PRISMA_SECRET, // taken from database/prisma.yml (value is set in .env)
  debug: true // log all GraphQL queries & mutations
})

This is incorrect:

db: new Prisma({
  // ...
  secret: process.env.PRISMA_MANAGEMENT_API_SECRET,
  // ...
})

If I comment this line secret: process.env.PRISMA_MANAGEMENT_API_SECRET,, run my dev server and go to the playground, I can start querying and mutating on my app project without any secret password! I can also querying and mutating on my database project without any token and I specified the managementApiSecret property with a value on both files; docker-compose.yml and .env.

Please read the above carefully and ensure that you setting up all the secrets in the right spot 🙂If afterwards you believe things are still behaving unexpectedly, please create a new issue.

To protect access to the Prisma API of a single Prisma service for queries/mutations/subscriptions, you can employ one or more service secrets using the secret property in prisma.yml.

To then access the Prisma API, you need to supply a valid authorization header. It has this form:

{
  "Authorization": "Bearer <token>
}

I followed all your steps and I can still query/mutate/subscribe without token on my database project. How is this possible? It shouldn't be like that. Right? I cleared all the storage but still the same behaviour.

@jferrettiboke Which version of Prisma are you running? Did you boot your Prisma server with the correct secret(s) set?

@dpetrick I am using 1.7.3 currently.

Is it possible for you to dump the Prisma docker env via docker exec <ContainerID> env and check the PRISMA_CONFIG? Can you please post the content (minus sensitive data) of the env var?