support more dynamic default role #8667
Comments
RamyElkest
changed the title
|
You are correct in stating that Hasura's support for JSONPath is limited. It currently supports only index access and field access, similar to traversing an object in JavaScript. This is a simple implementation of JSONPath in which we don't have to worry about security vulnerabilities; parsing arbitrary expressions becomes a little more dangerous. In the JSONPath specification linked above, the expression syntax is defined as "Expressions of the underlying scripting language". There is no underlying scripting language in our case; we don't have the capability to execute arbitrary code in Hasura in any language (securely or not). One workaround might be to ensure that the roles in Are you able to change the contents of the JWT, or is this something that's fixed for your use case? |
Is your proposal related to a problem?
We're currently unable to set the
x-hasura-default-roledynamically (and unable to send ax-hasura-rolefrom the client)jwt claims path parsing is currently limited to a simplified subset of JSONPath instead of full fledged support (mainly limited through hasura not the underlying library iiuc). Is there a good reason for this?
For context, in our usecase we're setting the.
x-hasura-allowed-rolesto"path": "$.groups"and would like to set the default role based on a specific (mutually exclusive) prefix/string match.Describe the solution you'd like
Ideally we want something like
$.groups[?(@.types.indexOf('prefix-') != -1)]Note: this might be hard as there is currently no haskell library that supports these features afaik..
Describe alternatives you've considered
Other options are to allow multiple default roles
["group-prefix-1", "group-prefix-2"]and return the first matchIf the feature is approved, would you be willing to submit a PR?
Happy to attempt, interested to hear your thoughts.
The text was updated successfully, but these errors were encountered: