
Commit

update docs and take scheme from origin into consideration
ecthiender committed Jan 30, 2019
1 parent 5753c7c commit 2e03c8d
Showing 6 changed files with 204 additions and 142 deletions.
2 changes: 1 addition & 1 deletion .circleci/test-server.sh
Expand Up @@ -172,7 +172,7 @@ unset HASURA_GRAPHQL_JWT_SECRET
# test with CORS modes

echo -e "\n<########## TEST GRAPHQL-ENGINE WITH CORS DOMAINS ########>\n"
export HASURA_GRAPHQL_CORS_DOMAIN="*.foo.bar.com, localhost"
export HASURA_GRAPHQL_CORS_DOMAIN="*.localhost, localhost:3000, *.foo.bar.com"

"$GRAPHQL_ENGINE" serve >> "$OUTPUT_FOLDER/graphql-engine.log" 2>&1 & PID=$!

Expand Down
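Review bot: The replacement `HASURA_GRAPHQL_CORS_DOMAIN` value in the CORS test setup drops the bare `localhost` entry and adds no entry that combines a wildcard with a port, so neither the portless exact-host case nor a `*.host:port` pattern is exercised by this run. Consider adding both to the list, for example `localhost` and `*.foo.bar.com:8080`, and a separate run with a malformed value to confirm the server rejects it at startup.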
227 changes: 130 additions & 97 deletions docs/graphql/manual/deployment/graphql-engine-flags/reference.rst
Expand Up @@ -17,13 +17,22 @@ Server flags

For ``graphql-engine`` command these are the flags available

.. code-block:: none

--database-url Postgres database URL
<postgres/postgresql>://<user>:<password>@<host>:<port>/<db-name>
Example: postgres://admin:mypass@mydomain.com:5432/mydb
.. list-table::
:header-rows: 1
:widths: 10 10 50

* - Flag
- Environment variable
- Description

Or either you can specify following options
* - ``--database-url``
- ``HASURA_GRAPHQL_DATABASE_URL``
- Postgres database URL
``postgres://<user>:<password>@<host>:<port>/<db-name>``
Example: ``postgres://admin:mypass@mydomain.com:5432/mydb``

Or either you can specify following options (only via flags)

.. code-block:: none
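Review bot: The new `--database-url` table row shows only `postgres://<user>:<password>@...`, while the earlier text in this hunk documented `<postgres/postgresql>://`, so the `postgresql://` scheme is no longer mentioned; keep both forms in the row's description. The sentence "Or either you can specify following options (only via flags)" would also read better as "Alternatively, you can specify the following options (flags only)".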
Expand All @@ -33,123 +42,147 @@ Or either you can specify following options
-p, --password Password of the user
-d, --dbname Database name to connect to
Command flags
^^^^^^^^^^^^^

For ``serve`` subcommand these are the flags available

.. code-block:: none
--server-host IP address of network interface that graphql-engine will listen on (default: '*', all interfaces)
For ``serve`` subcommand these are the flags and environment variables available

--server-port Port on which graphql-engine should be served (default: 8080)
.. list-table::
:header-rows: 1
:widths: 10 20 40

--access-key Secret access key, required to access this instance.
If specified client needs to send 'X-Hasura-Access-Key'
header
* - Flag
- Environment variable
- Description

--cors-domain The domain, including sheme and port, to allow CORS for
* - ``--server-port <PORT>``
- ``HASURA_GRAPHQL_SERVER_PORT``
- Port on which graphql-engine should be served (default: 8080)

--disable-cors Disable CORS handling
* - ``--server-host <HOST>``
- ``HASURA_GRAPHQL_SERVER_HOST``
- Host on which graphql-engine will listen (default: ``*``)

--auth-hook The authentication webhook, required to authenticate
incoming request
* - ``--enable-console``
- ``HASURA_GRAPHQL_ENABLE_CONSOLE``
- Enable the Hasura Console (served by the server on ``/`` and ``/console``)

--auth-hook-mode The authentication webhook mode. GET|POST (default: GET)
* - ``--access-key <SECRET ACCESS KEY>``
- ``HASURA_GRAPHQL_ACCESS_KEY``
- Secret access key, for admin access to this instance. This is mandatory
when you use webhook or JWT.

--jwt-secret The JSON containing type and the JWK used for
verifying. e.g: `{"type": "HS256", "key":
"<your-hmac-shared-secret>"}`,`{"type": "RS256",
"key": "<your-PEM-RSA-public-key>"}
* - ``--auth-hook <WEB HOOK URL>``
- ``HASURA_GRAPHQL_AUTH_HOOK``
- URL of the authorization webhook required to authorize requests. See auth
webhooks in docs.

--unauthorized-role Unauthorized role, used when access-key is not sent in
access-key only mode or "Authorization" header is absent
in JWT mode
* - ``--auth-hook-mode <GET|POST>``
- ``HASURA_GRAPHQL_AUTH_HOOK_MODE``
- HTTP method to use for the authorization webhook (default: GET)

-s, --stripes Number of stripes (default: 1)
* - ``--jwt-secret <JSON CONFIG>``
- ``HASURA_GRAPHQL_JWT_SECRET``
- A JSON string containing type and the JWK used for verifying (and other
optional details). E.g - ``{"type": "HS256", "key":
"3bd561c37d214b4496d09049fadc542c"}``. See the JWT docs for more details.

-c, --connections Number of connections that need to be opened to Postgres
(default: 50)
* - ``--unauthorized-role <ROLE>``
- ``HASURA_GRAPHQL_UNAUTHORIZED_ROLE``
- Unauthorized role, used when access-key is not sent in access-key only
mode or "Authorization" header is absent in JWT mode. Example:
``--unauthorized-role anonymous``. Now whenever "Authorization" header is
absent, request's role will default to "anonymous".

--timeout Each connection's idle time before it is closed
(default: 180 sec)
* - ``--cors-domain <DOMAINS>``
- ``HASURA_GRAPHQL_CORS_DOMAIN``
- CSV of list of domains, excluding scheme (http/https) and including port,
to allow CORS for. Wildcard domains are allowed. See examples below for
valid configurations.

-i, --tx-iso Transaction isolation. read-commited / repeatable-read /
serializable
* - ``--disable-cors``
- N/A
- Disable CORS. Do not send any CORS headers on any request.

--enable-console Enable API console. It is served at '/' and '/console'
* - ``--enable-telemetry <true|false>``
- ``HASURA_GRAPHQL_ENABLE_TELEMETRY``
- Enable anonymous telemetry (default: true)

--use-prepared-statements Use prepared statements for SQL queries (default: true)
* - N/A
- ``HASURA_GRAPHQL_EVENTS_HTTP_POOL_SIZE``
- Max event threads

--enable-telemetry Enable anonymous telemetry (default: true)
* - N/A
- ``HASURA_GRAPHQL_EVENTS_FETCH_INTERVAL``
- Postgres events polling interval

* - ``-s,--stripes <NO OF STRIPES>``
- ``HASURA_GRAPHQL_PG_STRIPES``
- Number of conns that need to be opened to Postgres (default: 1)

Default environment variables
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* - ``-c,--connections <NO OF CONNS>``
- ``HASURA_GRAPHQL_PG_CONNECTIONS``
- Number of conns that need to be opened to Postgres (default: 50)

You can use environment variables to configure defaults instead of using flags:
* - ``--timeout <SECONDS>``
- ``HASURA_GRAPHQL_PG_TIMEOUT``
- Each connection's idle time before it is closed (default: 180 sec)

.. note::
When the equivalent flags for environment variables are used, the flags will take precedence.
* - ``--use-prepared-statements <true|false>``
- ``HASURA_GRAPHQL_USE_PREPARED_STATEMENTS``
- Use prepared statements for queries (default: true)

For example:
* - ``-i,--tx-iso <TXISO>``
- ``HASURA_GRAPHQL_TX_ISOLATION``
- transaction isolation. read-committed / repeatable-read / serializable (default: read-commited)

.. code-block:: bash
$ HASURA_GRAPHQL_DATABASE_URL=postgres://user:pass@host:5432/dbname graphql-engine serve
These are the environment variables which are available:

.. code-block:: none

HASURA_GRAPHQL_DATABASE_URL Postgres database URL
<postgres/postgresql>://<user>:<password>@<host>:
<port>/<db-name> Example:
postgres://admin:mypass@mydomain.com:5432/mydb
CORS configuration examples
^^^^^^^^^^^^^^^^^^^^^^^^^^^

HASURA_GRAPHQL_PG_STRIPES Number of stripes (default: 1)
No scheme (i.e., http/https) is required. Port has to be mentioned. Hasura will
match both http/https schemes.

HASURA_GRAPHQL_PG_CONNECTIONS Number of connections that need to be opened to
Postgres (default: 50)
HASURA_GRAPHQL_PG_TIMEOUT Each connection's idle time before it is closed
(default: 180 sec)
HASURA_GRAPHQL_TX_ISOLATION transaction isolation. read-committed /
repeatable-read / serializable
(default: read-commited)
HASURA_GRAPHQL_SERVER_HOST IP address of network interface that graphql-engine will listen on
HASURA_GRAPHQL_SERVER_PORT Port on which graphql-engine should be served
HASURA_GRAPHQL_ACCESS_KEY Secret access key, required to access this
instance. If specified client needs to send
'X-Hasura-Access-Key' header
HASURA_GRAPHQL_AUTH_HOOK The authentication webhook, required to
authenticate incoming request
HASURA_GRAPHQL_AUTH_HOOK_MODE The authentication webhook mode, GET|POST
(default: GET)
HASURA_GRAPHQL_CORS_DOMAIN The domain, including sheme and port,
to allow CORS for
HASURA_GRAPHQL_JWT_SECRET The JSON containing type and the JWK used for
verifying. e.g: `{"type": "HS256", "key":
"<your-hmac-shared-secret>"}`,`{"type": "RS256",
"key": "<your-PEM-RSA-public-key>"}
Enable JWT mode, the value of which is a JSON
HASURA_GRAPHQL_UNAUTHORIZED_ROLE Unauthorized role, used when access-key is not sent
in access-key only mode or "Authorization" header
is absent in JWT mode
HASURA_GRAPHQL_ENABLE_CONSOLE Enable API console. It is served at
'/' and '/console'
HASURA_GRAPHQL_ENABLE_TELEMETRY Enable anonymous telemetry (default: true)
.. code-block:: bash
HASURA_GRAPHQL_USE_PREPARED_STATEMENTS Use prepared statements for SQL queries
(default: true)
# Accepts from https://app.foo.bar.com , http://api.foo.bar.com etc.
HASURA_GRAPHQL_CORS_DOMAIN="*.foo.bar.com"
# Accepts from https://app.foo.bar.com:8080 , http://api.foo.bar.com:8080,
# http://app.localhost, http://api.localhost, http://localhost:3000,
# http://example.com etc.
HASURA_GRAPHQL_CORS_DOMAIN="*.foo.bar.com:8080, *.localhost, localhost:3000, example.com"
# Accepts from all domain
HASURA_GRAPHQL_CORS_DOMAIN="*"
# Accepts only from example.com
HASURA_GRAPHQL_CORS_DOMAIN="example.com"
..
For ``serve`` subcommand these are the flags available
.. code-block:: none
--server-port Port on which graphql-engine should be served (default: 8080)
--access-key Secret access key, required to access this instance.
If specified client needs to send 'X-Hasura-Access-Key'
header
--cors-domain The domain, including sheme and port, to allow CORS for
--disable-cors Disable CORS handling
--auth-hook The authentication webhook, required to authenticate
incoming request
--jwt-secret The JSON containing type and the JWK used for
verifying. e.g: `{"type": "HS256", "key":
"<your-hmac-shared-secret>"}`,`{"type": "RS256",
"key": "<your-PEM-RSA-public-key>"}
-s, --stripes Number of stripes
-c, --connections Number of connections that need to be opened to Postgres
--timeout Each connection's idle time before it is closed
-i, --tx-iso Transaction isolation. read-commited / repeatable-read /
serializable
--root-dir This static dir is served at / and takes precedence over
all routes
--enable-console Enable API console. It is served at '/' and '/console'
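Review bot: In the "CORS configuration examples" section, "Port has to be mentioned" conflicts with the examples beneath it, where `*.foo.bar.com` and `example.com` carry no port, and the text never says whether a portless entry matches an origin on a non-default port. State the matching rule explicitly, and because "Hasura will match both http/https schemes" means a plain-http origin is accepted for every listed domain, repeat that in the `--cors-domain` row so operators know an entry cannot be limited to https. Separately, the `-s,--stripes` row repeats the connections description ("Number of conns that need to be opened to Postgres") where the earlier text said "Number of stripes", and the `-i,--tx-iso` default is spelled `read-commited`.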
2 changes: 1 addition & 1 deletion server/src-lib/Hasura/Server/Cors.hs
Expand Up @@ -41,7 +41,7 @@ type CorsConfig = CorsConfigG CorsDomain


wildcardDomainRegex :: B.ByteString
wildcardDomainRegex = "^(\\*\\.)?([a-zA-Z0-9]+\\.)*[a-zA-Z0-9]+$"
wildcardDomainRegex = "^(\\*\\.)?([a-zA-Z0-9]+\\.)*[a-zA-Z0-9]+(:[0-9]+)*$"

validateDomain :: Text -> Either String Bool
validateDomain = matchRegex wildcardDomainRegex False
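Review bot: The port group added to `wildcardDomainRegex` is `(:[0-9]+)*`, which accepts any number of port suffixes, so a value such as `example.com:80:443` passes `validateDomain`; use `(:[0-9]+)?` to allow at most one port. The label class `[a-zA-Z0-9]+` also rejects hyphenated hostnames such as `my-app.example.com`, which may be worth widening while this pattern is being changed.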