You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We're currently unable to set the x-hasura-default-role dynamically (and unable to send a x-hasura-role from the client)
jwt claims path parsing is currently limited to a simplified subset of JSONPath instead of full fledged support (mainly limited through hasura not the underlying library iiuc). Is there a good reason for this?
$.groups[?(@.length-1)]. Accept letters, digits, underscore (_) or hyphen (-) only. Use single quotes enclosed in bracket (['...']) if there is any special character
For context, in our usecase we're setting the. x-hasura-allowed-roles to "path": "$.groups" and would like to set the default role based on a specific (mutually exclusive) prefix/string match.
Describe the solution you'd like
Ideally we want something like $.groups[?(@.types.indexOf('prefix-') != -1)]
Note: this might be hard as there is currently no haskell library that supports these features afaik..
Describe alternatives you've considered
Other options are to allow multiple default roles ["group-prefix-1", "group-prefix-2"] and return the first match
If the feature is approved, would you be willing to submit a PR?
Happy to attempt, interested to hear your thoughts.
The text was updated successfully, but these errors were encountered:
You are correct in stating that Hasura's support for JSONPath is limited. It currently supports only index access and field access, similar to traversing an object in JavaScript. This is a simple implementation of JSONPath in which we don't have to worry about security vulnerabilities; parsing arbitrary expressions becomes a little more dangerous.
In the JSONPath specification linked above, the expression syntax is defined as "Expressions of the underlying scripting language". There is no underlying scripting language in our case; we don't have the capability to execute arbitrary code in Hasura in any language (securely or not).
One workaround might be to ensure that the roles in $.groups are ordered with the default role first, and then use index access to read it: $.groups[0]. However, it's plausible that you aren't able to change the generated JWT, so I can understand why you might need more support.
Are you able to change the contents of the JWT, or is this something that's fixed for your use case?
Is your proposal related to a problem?
We're currently unable to set the
x-hasura-default-role
dynamically (and unable to send ax-hasura-role
from the client)jwt claims path parsing is currently limited to a simplified subset of JSONPath instead of full fledged support (mainly limited through hasura not the underlying library iiuc). Is there a good reason for this?
For context, in our usecase we're setting the.
x-hasura-allowed-roles
to"path": "$.groups"
and would like to set the default role based on a specific (mutually exclusive) prefix/string match.Describe the solution you'd like
Ideally we want something like
$.groups[?(@.types.indexOf('prefix-') != -1)]
Note: this might be hard as there is currently no haskell library that supports these features afaik..
Describe alternatives you've considered
Other options are to allow multiple default roles
["group-prefix-1", "group-prefix-2"]
and return the first matchIf the feature is approved, would you be willing to submit a PR?
Happy to attempt, interested to hear your thoughts.
The text was updated successfully, but these errors were encountered: