Allow unsigned (alg: none) JWT tokens

[siddhatiwari]

I'm using the firebase auth emulator for local development which produces unsigned tokens. I'm running the firebase auth emulator and hasura (v1.3.3) locally using docker. It seems that hasura views the unsigned tokens using the recommended HASURA_GRAPHQL_JWT_SECRET for firebase as invalid. When I remove the HASURA_GRAPHQL_JWT_SECRET, all requests are defaulted to the anonymous role, which doesn't represent the actual role of the user from the unsigned token.

Is there a flag to allow using unsigned JWT tokens for development purposes? Or am I missing something with my configuration?

Hasura has been a major productivity boost for me! Just having this small issue setting up my local environment

[tirumaraiselvan]

What do you mean by unsigned tokens? Do you mean the algo is none?

[marksyzm]

I have this issue also with the emulator. It keeps getting back with Could not verify JWT: JWSError JWSNoSignatures

[marksyzm]

I'm using 1.3.2. This is an issue for me as I want to test my cloud functions with actions as I'm working but I would have to make use of live authentication instead.

Edit: Thinking about it, I can make do with live auth for now.

[marksyzm]

I'm limited by live auth as it happens... in firebase I can run all via its emulator but as I have to use a key or jwk_url it just breaks. This is less than ideal as I have to extract the JWT data with 3rd party software. I would prefer to be able to use firebaseAdmin.auth().verifyIdToken(idToken) for example.

[jamesknelson]

@tirumaraiselvan Yes, it appears the algorithm is none, which doesn't appear to be specified in the JWT standard, but it'd be super handy if Hasura could support. This would allow for completely local development - without touching a remote auth server at all.

Here's a dump of one of the tokens produced by the mentioned auth emulator:

Headers:

{
  "alg": "none",
  "typ": "JWT"
}

Full payload:

{
  "aud": "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
  "iat": 1609857856,
  "exp": 1609861456,
  "iss": "firebase-auth-emulator@example.com",
  "sub": "firebase-auth-emulator@example.com",
  "uid": "yRdKtVuhWFShAUm43oT9HhpGMNid",
  "claims": {
    "https://hasura.io/jwt/claims": {
      "...": "..."
    }
  }
}

Given that the token has an issuer and audience, it may be possible to allow a "type" of "none" only when one (or both) of these are specified.

[marksyzm]

I would add an environment variable for that circumstance too so it can only be used in testing and development

[jamesknelson]

@marksyzm I think it should be enough for the existing HASURA_GRAPHQL_JWT_SECRET environment variable to support a none type

[marksyzm]

Yeah probably; save us having user error issues

[whollacsek]

Is there any solution around this?

@tirumaraiselvan the firebase doc section: https://firebase.google.com/docs/emulator-suite/connect_auth#id_tokens

[Rykuno]

I also just ran into this issue. I would agree in having the none option on Hasura's JWT secret for local testing and development. Does anyone know a work around for this in the meanwhile?

Update
Here is my current work around. I'm using Apollo with NextJS and I just added some middleware to handle the checking of environments. If the environment is local(where I'm using firebase emulator), it signs the token on request.

// Generate a signed token for the request
// since firebase auth emulator tokens are unsigned
const getLocallySignedToken = token => {
  return jwt.sign(jwt.decode(token), "secret");
};

// condition for signing the token
const isLocalEnvironment = () => {
  return location.hostname === "localhost";
};

//middleware to apply signed token on request
const authMiddleware = new ApolloLink((operation, forward) => {
  // add the authorization to the headers
  const token = getAuthToken();
  operation.setContext(() => ({
    headers: token
      ? {
          Authorization: `Bearer ${
            isLocalEnvironment() ? getLocallySignedToken(token) : token
          }`
        }
      : { "X-Hasura-Role": `anonymous` }
  }));
  return forward(operation);
});

Remember to set the secret to use a key instead of the firebase JWK

HASURA_GRAPHQL_JWT_SECRET='{"type":"HS256", "key": "secret"}'

I would still LOVE a type of none on the HASURA_GRAPHQL_JWT_SECRET though :).

[marksyzm]

That will help for now, thanks... It isn't great having such a public work around in the code of course but hey, it'll be enough for the time being