add support for jwt authorization (close #186) #255
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Only supports HMAC-SHA256 right now - Cannot be present with webhook - Needs access key to be present - Needs to have better errors
- Use type synonyms instead of Text everywhere
- JWT keys are passed as JSON string passing flag to serve command, or as env variable HASURA_GRAPHQL_JWT_SECRET - Support for RSA JWKs
…6-jwt-auth Resolve Conflicts: server/src-lib/Hasura/Server/Auth.hs
ecthiender
added
s/do-not-merge
|
Review app available at: https://hge-ci-pull-255.herokuapp.com |
1 similar comment
|
Review app available at: https://hge-ci-pull-255.herokuapp.com |
|
Review app available at: https://hge-ci-pull-255.herokuapp.com |
1 similar comment
|
Review app available at: https://hge-ci-pull-255.herokuapp.com |
|
Review app available at: https://hge-ci-pull-255.herokuapp.com |
0x777
reviewed
Aug 7, 2018
| -- try to parse JWT token from Authorization header | ||
| let mAuthzHeader = find (\h -> fst h == CI.mk "Authorization") headers | ||
| (_, authzHeader) <- maybe missingAuthzHeader return mAuthzHeader | ||
| let tokenParts = BLC.words $ BL.fromStrict authzHeader |
There was a problem hiding this comment.
pattern match to throw errors instead of checking for length and accessing an element with an index
0x777
reviewed
Aug 7, 2018
| let mRole = Map.lookup userRoleHeader metadataWithRole | ||
| role <- maybe missingRoleClaim return mRole | ||
|
|
||
| -- delete the x-hasura-role key from this map |
There was a problem hiding this comment.
why? Let x-hasura-role be also passed as params?
There was a problem hiding this comment.
The UserInfo type already has role info. So I thought we should remove it ?
…6-jwt-auth Resolve Conflicts: server/stack.yaml
- pattern match on Authorization header rather than detecting length etc.
|
Review app available at: https://hge-ci-pull-255.herokuapp.com |
…6-jwt-auth Resolve Conflicts: server/src-lib/Hasura/RQL/Types/Error.hs
not deleting user role from UserInfo metadata headers, and deleting access key
|
Review app available at: https://hge-ci-pull-255.herokuapp.com |
|
Review app available at: https://hge-ci-pull-255.herokuapp.com |
|
Review app available at: https://hge-ci-pull-255.herokuapp.com |
…6-jwt-auth Resolve Conflicts: server/src-lib/Hasura/Server/Utils.hs
|
Review app available at: https://hge-ci-pull-255.herokuapp.com |
shahidhk
changed the title
0x777
reviewed
Aug 30, 2018
server/src-lib/Hasura/Server/Auth.hs
Outdated
|
|
||
| bsToTxt :: B.ByteString -> T.Text | ||
| bsToTxt = TE.decodeUtf8With TE.lenientDecode | ||
| type AccessKey = T.Text |
There was a problem hiding this comment.
Let's wrap them in newtypes. I've noticed couple of functions which seem to take .. Maybe Text -> Maybe Text ..
|
Review app available at: https://hge-ci-pull-255.herokuapp.com |
0x777
approved these changes
Aug 30, 2018
|
Review app available at: https://hge-ci-pull-255.herokuapp.com |
|
Review app available at: https://hge-ci-pull-255.herokuapp.com |
shahidhk
approved these changes
Aug 30, 2018
shahidhk
changed the title
|
Review app https://hge-ci-pull-255.herokuapp.com is deleted |
karthikvt26
pushed a commit
to karthikvt26/graphql-engine
that referenced
this pull request
Sep 5, 2018
* add a query to reload schema cache (metadata), close hasura#292 * minor code refactor * simpler root level select fields using primary keys (fix hasura#304) (hasura#306) * select fields by primary key col values as argument values, fix hasura#304 * change field name 'table_by_pkey' to 'table_by_pk' * add links to share and help (hasura#303) * add req_user_id as alias to x-hasura-user-id (fix hasura#317) (hasura#320) * fix insert fails for non-admin roles on v1/query (fix hasura#327) (hasura#328) * fix insert fails for non-admin roles on v1/query, fix hasura#327 * add test case for user role upsert usint constraint name * mutation return type and query type are same (close hasura#315) (hasura#324) * add support for jwt authorization (close hasura#186) (hasura#255) The API: 1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON. 2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}` `type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io). `key`: i. Incase of symmetric key, the key as it is. ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate. 3. The claims in the JWT token must contain the following: i. `x-hasura-default-role` field: default role of that user ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header. 4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings. 5. The JWT tokens are sent as `Authorization: Bearer <token>` headers. --- To test: 1. Generate a shared secret (for HMAC-SHA256) or RSA key pair. 2. Goto https://jwt.io/ , add the keys 3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions. 4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}` 5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header. --- TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61 * compare only major and minor versions for cli-server (fix hasura#331) (hasura#332) * Revert "add links to share and help (hasura#303)" (hasura#334) This reverts commit 798efdd. * update tests to use access key (close hasura#113) (hasura#296) Closes hasura#113 * generate a returning field in a mutation only when the select permission is defined (fix hasura#340) (hasura#341) * allow selectively updating columns on a conflict during insert (fix hasura#342) * fix primary key changing on upsert, fix hasura#342 * add 'update_columns' in 'on_conflict' object, consider 'allowUpsert' * 'ConflictCtx' type should respect upsert cases * validation for not null fields in an object * console: fix error notification non json, auto height css (hasura#354)
shahidhk
pushed a commit
to shahidhk/graphql-engine
that referenced
this pull request
Sep 11, 2018
…vice Accessing postgres from service
hasura-bot
pushed a commit
that referenced
this pull request
Feb 23, 2024
Co-authored-by: Abhinav Gupta <127770473+abhinav-hasura@users.noreply.github.com> Co-authored-by: Brandon Martin <brandon@codedmart.com> V3_GIT_ORIGIN_REV_ID: 4f4674c5bad551afa7ed718ae78c281b6f571a62
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The API:
HGE has
--jwt-secretflag orHASURA_GRAPHQL_JWT_SECRETenv var. The value of which is a JSON.The structure of this JSON is:
{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}type: Standard JWT algos :HS256,RS256,RS512etc. (see jwt.io).key:i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
The claims in the JWT token must contain the following:
i.
x-hasura-default-rolefield: default role of that userii.
x-hasura-allowed-roles: A list of allowed roles for the user. The default role is overriden byx-hasura-roleheader.The claims in the JWT token, can have other
x-hasura-*fields where their values can only be strings.The JWT tokens are sent as
Authorization: Bearer <token>headers.To test:
x-hasura-role(mandatory) and otherx-hasura-*fields. Add permissions related to the claims to test permissions.--jwt-secretflag orHASURA_GRAPHQL_JWT_SECRETenv var, which takes a JSON string:{"type": "HS256", "key": "mylongsharedsecret"}or{"type":"RS256", "key": "<PEM-encoded-public-key>"}Authorization: Bearer <token>header.TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61