Session variables set from HTTP headers

[christian-detexian]

Is it possible to set session variables from HTTP headers? I realise these are not protected by signatures but I'd like to do something similar to what the X-Hasura-Role header does. However, ideally, instead of having a whitelist in the JWT, I'd just use the uncontrolled session variables only for the permissions of certain highly privileged roles.

So, e.g. I user has an allowed role of company-admin. If they send that role in X-Hasura-Role, I'd like to filter a query based on a header X-Department-ID.

I realise that I can achieve all of this by just adding filters to query. However, I'd prefer not having to build the queries according to role, yet, allow injecting variable context via the header when a user has assumed a specific role. So, in the example above, the user would select the department once and then stay in "department X" mode until they make a new selection and start sending a different value in the header.

Can something like this be done at all?

[meetzaveri]

Hello @christian-detexian

Absolutely , you can use that type of custom headers. But for Hasura to detect, you'll need to have a prefix of x-hasura-* for your header. So for e.g., it could be like X-Hasura-Organization-Id.

An example with a scenario

Let's say I am a user in two different organizations. So in my application, at a time I can only be present in one organization. So you must have seen there's a toggle option or "switch organization" setting which is provided to user if he/she wants to switch organization.

Now upon login, they will select organization and then they will store that organization_id and pass it to hasura auth webhook. Now webhook can return the response such as

(this is example in javascript code, but you can directly pass header as "X-Hasura-Organization-Id" in your API explorer)

   return res.status(200).json({
            'X-Hasura-Role': role,
            'X-Hasura-Organization-Id': user.organizationId || null,
            'X-Hasura-User-Id': user.id || null,
            'X-Hasura-Auth0User-Id': user.auth0UserId || null
        })

In permission view for user role in hasura console

Now in Hasura console, you can use that header simply as "X-Hasura-Organization-Id" for applying checks/permissions for specific user role.

In your Hasura GraphiQL API explorer

Also you can use them in GraphiQL API explorer which is provided in hasura console, see the attached screenshot here

So in this case of example, whenever user switches their orgnanization, there will be different organization-id being passed to hasura auth webhook.

Please refer to the following docs links here

1. https://hasura.io/docs/latest/remote-schemas/auth/remote-schema-forward-auth/#passing-headers-from-hasura-to-your-remote-schema
2. https://hasura.io/docs/latest/guides/integrations/auth-guardian-jwt/#option-4-set-a-session-variable

Feel free to ask if you have any doubts here, and I hope this makes sense.

[christian-detexian]

Thanks for the prompt reply. I thought I had tried what you suggest and it hadn't worked. However, I have now confirmed it to work as you explained.

Is it possible to also have a construct like the one user roles use. What I mean is can I restrict the possible values of the custom header via a list in my JWT? To use my original example, what I can build now is a role which can access alll departments one at a time. However, if I wanted to dynamically set what departments a user can set, could I create a list like the X-Hasura-Allowed-Roles one?

[meetzaveri]

@christian-detexian yes you can use X-Hasura-Allowed-Roles as a part of custom header. So when you configure a check for that role, you can check if the particular value of column exists in that list (X-Hasura-Allowed-Roles). See the screenshot if that implies what you are trying to achieve ?.

[christian-detexian]

Thank you. I should have realised that I could just do that on the checks with an _in operator.

[meetzaveri]

No worries, happy to help here.

[christian-detexian]

I realised that I do still have a question that may or may not be answered above (if it's the former, I might just be slow). Can the header be injected without using auth webhooks? I'd like to allow people to inject in the header whatever they want because I will do the sanity checking in my permissions. So, to use the organisation example above, a user can send any organisation they want but the permissions will check the sent organisation against an allow list.

As far as I can tell, I cannot actually allow a custom header to turn into a session variable unless I use a webhook that modifies the session. Is that correct?

[christian-detexian]

I just realised that this issue probably answers my question.

[meetzaveri]

Hey @christian-detexian , you can use x-hasura-* http headers, so hasura will indentify them as session variables. For e.g., X-Hasura-Organization-Id . Glad, that you found that issue. Please feel free to ask more questions here in discussion.

[christian-detexian]

@meetzaveri According to the issue linked above and my own tests, what you are suggesting only works with either the admin secret being sent or authorisation using a webhook. In JWT mode, no custom session variables can be injected via the HTTP headers.

[meetzaveri]

You are right, it only works in webhook auth mode right now. AFAIK, it does not work outside of it. The best I can do here is, I'll transfer your feedback to my corresponding support team.