
feat: added x-hasura-role to allowed headers in CORS #120

Merged
merged 1 commit into from
Oct 25, 2022

Conversation

sradigan
Contributor

@sradigan sradigan commented Oct 24, 2022

Description

Adds x-hasura-role to the list of allowed headers for CORS.

Problem

For web requests made in single-page applications using a JWT with a desired role other than that specified in x-hasura-default-role, specifying the header with value 'X-Hasura-Role': 'desired-role' is required to transact. Without this header in the allowed list for CORS, the preflight check made in the browser will fail the transaction.

Solution

Added "x-hasura-role" to the list of allowed headers.

Notes

To test this:

  • Generate a JWT with a default permission other than admin

    • diff --git a/build/dev/jwt-gen/main.go b/build/dev/jwt-gen/main.go
      index d02a9fc..659369c 100644
      --- a/build/dev/jwt-gen/main.go
      +++ b/build/dev/jwt-gen/main.go
      @@ -40,8 +40,10 @@ func main() {
                      "https://hasura.io/jwt/claims": map[string]interface{}{
                              "x-hasura-allowed-roles": []string{
                                      "admin",
      +                               "staff",
      +                               "public",
                              },
      -                       "x-hasura-default-role":     "admin",
      +                       "x-hasura-default-role":     "public",
                              "x-hasura-user-id":          "ab5ba58e-932a-40dc-87e8-733998794ec2",
                              "x-hasura-user-isAnonymous": "false",
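    Review bot: Switching "x-hasura-default-role" from "admin" to "public" in the shared build/dev/jwt-gen tool changes the token every developer gets from the dev stack, not only the one used for this test; if this hunk is meant to be committed rather than applied locally, make the default role and the extra allowed roles ("staff", "public") configurable (for example via a flag or environment variable) instead of hard-coding them next to the fixed user id. Also note that the hunk header announces 8 old and 10 new lines but only 7 and 9 are shown, so the trailing context line appears to have been cut off when pasting.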
  • Then allow permissions for the role being tested in the hasura storage_files table using the web console

  • Then make a single page web app using the development stack

    • Simple app I made to test with: myapp.zip
    • Run npm install then npm run dev to run the app
    • Navigate to the app at the URL listed and open the console for debugging
    • Attempt to upload a file with the JWT using a role without insert permissions.
    • Change the role used in myapp/src/lib/Counter.svelte to use a role with insert permissions
    • At no point should you get CORS errors in the console and files should upload when insert permissions are allocated for the selected role.
    • Revert to main and test the file upload again to see the CORS errors.

Closes #119
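The failure the PR describes is a browser-side decision: before sending the real request, the browser issues a preflight listing the headers it intends to send (Access-Control-Request-Headers), and it only proceeds if every one of them appears in the server's Access-Control-Allow-Headers. The following Go program, added here as an illustration and not code from the hasura-storage project, models that exchange with a small CORS middleware driven by an explicit allow list and a browser-side check, and runs the same preflight against a list without and with x-hasura-role. The allowed-header lists, the dev origin and the request path are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed allow lists for the example; they are not the project's real configuration.
var allowedHeadersBefore = []string{"authorization", "content-type", "x-hasura-admin-secret"}
var allowedHeadersAfter = append(append([]string{}, allowedHeadersBefore...), "x-hasura-role")

// corsMiddleware answers preflight requests from an explicit allow list rather than
// echoing whatever header names the browser asked for, so the server, not the client,
// decides which headers may cross origins.
func corsMiddleware(allowOrigin string, allowedHeaders []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", allowOrigin)
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
			w.Header().Set("Access-Control-Allow-Headers", strings.Join(allowedHeaders, ", "))
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// browserAccepts models the browser's check: every requested header name must appear in
// the response's Access-Control-Allow-Headers. Header names are compared case-insensitively,
// which is why 'X-Hasura-Role' in the app matches "x-hasura-role" in the allow list.
func browserAccepts(requested, allowed string) bool {
	set := map[string]bool{}
	for _, h := range strings.Split(allowed, ",") {
		set[strings.ToLower(strings.TrimSpace(h))] = true
	}
	for _, h := range strings.Split(requested, ",") {
		h = strings.ToLower(strings.TrimSpace(h))
		if h != "" && !set[h] {
			return false
		}
	}
	return true
}

// simulatePreflight sends the preflight a browser would issue before a cross-origin POST
// that carries Authorization and X-Hasura-Role, and reports whether the browser would
// let the real request go out.
func simulatePreflight(allowedHeaders []string) bool {
	origin := "http://localhost:5173" // constructed dev origin
	h := corsMiddleware(origin, allowedHeaders, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodOptions, "/v1/files/", nil) // constructed path
	req.Header.Set("Origin", origin)
	req.Header.Set("Access-Control-Request-Method", "POST")
	req.Header.Set("Access-Control-Request-Headers", "authorization, x-hasura-role")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	if rec.Code != http.StatusNoContent {
		return false
	}
	return browserAccepts(req.Header.Get("Access-Control-Request-Headers"),
		rec.Header().Get("Access-Control-Allow-Headers"))
}

func main() {
	fmt.Println("without x-hasura-role in the allow list:", simulatePreflight(allowedHeadersBefore))
	fmt.Println("with x-hasura-role in the allow list:   ", simulatePreflight(allowedHeadersAfter))
}
```

Keeping the allow list explicit (instead of reflecting Access-Control-Request-Headers back) is the setting worth preserving when adding a header like x-hasura-role: the header becomes sendable from the browser, but the list of what is sendable still lives in server configuration where it can be reviewed.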

@dbarrosop
Member

Thanks a lot for the PR.

@dbarrosop dbarrosop merged commit 9da2e8c into nhost:main Oct 25, 2022
Successfully merging this pull request may close these issues.

Add X-Hasura-Role in CORS headers