New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Optional Locked Parameter for JWT Embedding #7306

brunolopesr opened this Issue Apr 9, 2018 · 3 comments


None yet
4 participants
Copy link

brunolopesr commented Apr 9, 2018

  • Your browser and the version: Chrome 67.0.3390.0 canary
  • Your operating system: OS X 10.13.4
  • Your databases: MySQL
  • Metabase version: 0.28.5
  • Metabase hosting environment: CentOS 6.8
  • Metabase internal database: MySQL

I am using Metabase to create reports of an application, which runs a MySQL database.

So I created a question with an optional parameter in a question, so if it is not null, it will filters the MySQL query, like the example below that show all users registered:

[[AND {{ user_id }}]]
[[AND {{ user_role }}]]

Where the user_id variable is of Field Filter type, linked to field and the user_role variable if of Field Filter type, linked to users.role field.

As I want to embed the Metabase to the admin panel of the application, I set the parameters to locked, to hide them in the iframe, because I want to provide my own inputs.

But, I want it to starts empty, or a null value, as they are optional in the MySQL query and when I create the JSON Web Token, if I try passing null to the parameter in the payload, the iframe reports:

You must specify a value for :user_id in the JWT.

That's the way I am creating the token, using firebase/php-jwt:

$payload = [
	'resource' => [
		'question' => 10,
	'params' => [
		'user_id' => null,
		'user_role' => null,

$token = JWT::encode($payload, $this->metabaseSecretKey);

$iframeUrl = 'http://'. $this->metabaseSiteUrl . '/embed/question/'. $token . '#bordered=true';

Passing all users IDs and roles as default value is impossible, as it throws a 414 Request-URI Too Large.

Am I doing something wrong? Optional variables cannot or should not be locked?



This comment has been minimized.

Copy link

salsakran commented Apr 20, 2018

"locked" means you must include a parameter, allowing nulls there would allow someone to bypass this requirement.

I'd suggest creating two cards, one "global" and one "locked" to keep things sane.

@salsakran salsakran closed this Apr 20, 2018


This comment has been minimized.

Copy link

drorm commented Jul 23, 2018

We ran exactly into this problem. I don't think that allowing nulls would allow someone to bypass this since the it's part of the payload that's encrypted with the key.


This comment has been minimized.

Copy link

mausch commented Jan 31, 2019

Please reopen this. Many are having issues because of this see e.g. .
I think recommending people to duplicate cards is clear evidence that this is an issue.
Moreover the "locked" parameter setting effectively (and unexpectedly) overrides the required/non-required parameter setting, they should be independent concerns I think.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment