Cookies, custom function, session authenication, relation bugfix#664
Cookies, custom function, session authenication, relation bugfix#664ruslantalpa wants to merge 1 commit into
Conversation
* Request cookies available as claims under postgrest.claims.cookie.cookie_name - @ruslantalpa * RPC functions that return session_claims type can send 'Set-Cookie' header - @ruslantalpa * new --function command line parameter, the name of the function to run after all the claims are set and before the main query - @ruslantalpa * Fix bug in relation detection when selecting parents two levels up by using the name of the FK - @ruslantalpa
|
Very nice, makes functions a lot more powerful. I had some ideas about the high level design:
We could have these OUT names actually
This would make postgres functions pretty much general purpose http handlers. |
| -- | JSON Web Token | ||
| , iJWT :: T.Text | ||
| -- | Request Cookies | ||
| , iCookies :: Maybe [(T.Text, T.Text)] |
There was a problem hiding this comment.
Is there any difference between Just [] and Nothing ?
It might be easier to do something like:
iCookies =
case lookupHeader "Cookie" of
Just hdr -> parseCookiesText hdr
Nothing -> []In this case we could drop the fromMaybe in the cookieClaims definition inside the middleware.
There was a problem hiding this comment.
yes, this would work
|
@begriffs |
|
I hesitate to merge as-is because this is a partial solution to a more important problem: accessing request headers and setting response headers. Cookies are just one of many headers and I'd rather not build in a special case for cookies. Ultimately we can give stored procedures access to the full http request context and the ability to shape the response beyond just the body. With that in mind I modify my proposal: Requests would set the variable POST /rpc/foo HTTP/1.1
Host: www.example.org
Cookie: theme=light; sessionToken=abc123This would set set postgrest.headers.host = 'www.example.org';
set postgrest.headers.cookie.theme = 'light';
set postgrest.headers.cookie.sessionToken='abc123';Postgrest would inspect the function output and do the following
In order to extend stored procs to deal with cookies and other http things I think we ought to get it right. Merging a special case solution would actually be a step backward. |
|
Can you try and write a few RPC and then use the current sql we run to execute them and provide here the function and the result of the call to explain how we differentiate between them?
I think you have not considered all the implications, to inspect the response body (to look for special case columns headers/body) it means we have to parse the json which means to support this functionality for a handful of functions in a system (login/logout), you would kill performance for 95% of the system (i am exaggerating with kill but it will certainly be an order of magnitude slower for responses above 1M and they are not uncommon). |
|
Good idea, let me try those examples and mess with the calling code to see how well my speculation actually holds up. |
|
i agree with the general idea of having the ability from sql to return headers/body but i don't like at all having to parse the response in haskell to inspect the keys of the json |
|
@begriffs what I don't like about adding more custom variables is that it becomes a bit harder to debug and we trust a state that could change after the function call. We could change our magic type
The above solution im my POV is a generalization of the current |
|
@nikita-volkov when we run a bunch of queries (for which we don't need the result) like query1;query2;query3is it the case that hasql splits them and executes them one after another or is it sent somehow as a single query/string to postgresql? set postgrest.headers.host = 'www.example.org';set postgrest.headers.cookie.theme = 'light';set postgrest.headers.cookie.sessionToken='abc123'; |
It's executed in a single interaction with the server. IOW, it's more efficient than executing each statement in isolation. |
|
@diogob a magic Also I agree with you that the |
|
@begriffs but if the function returns |
|
Assuming the type already exists in the db and has the right definition. Do we have postgrest look for it on startup in a special schema and create it if it does not exist? |
|
I see your point now, jwt_claims was not tied to any specific implementation. |
|
right now you can use &select and filters on the results returned by a particular function. Just to state the goal again, we want want RPC functions to work just like now (&select and filters) but in addition to that, be able to set headers and maybe response code |
|
True, the |
|
it's not about the data going in (set local cookies ...), it's about data coming out and being transformed into a header (Set-Cookie). It's a special case, just like jwt, although it's a speciall case enabling an important feature. |
|
@ruslantalpa have you given this any more thought? |
|
@begriffs haven't had time to think about this, a bit busy looking into Relay, i'll get back to this and give it a day or two when i'm done with my other tasks. |
|
I'm closing this PR because some of its functionality is now merged in a different way. Thanks for blazing the trail for that functionality! Could you open a PR for the relation detection bug fix? We can add the http status and header functionality after the 0.4 release because it doesn't introduce any breaking change. That'll give us time to get it just right. |
All things above allow common session authentication method
and a gift (which is not 100% complete/correct, figure it out) :)