build: docker images updated, auto create s3 bucket

.secrets.example

@@ -25,6 +25,7 @@ AUTH_SMTP_SENDER = 'hasura-auth@example.com'
 ## STORAGE
 STORAGE_ACCESS_KEY = 'storage-access-key-never-use-this-value'
 STORAGE_SECRET_KEY = 'storage-secret-key-never-use-this-value'
+STORAGE_DEFAULT_BUCKETS = 'apps:download,public:public'
 
 ## AI
 OPENAI_API_KEY = 'FIXME'

compose.override.yml

@@ -1,4 +1,3 @@
-version: '3.9'
 services:
   ###########################################################################
   # hasura console and migrates - dev mode

compose.yml

@@ -1,5 +1,3 @@
-version: '3.9'
-
 ###########################################################################
 # top-level Extensions
 ###########################################################################
@@ -100,7 +98,7 @@ services:
       HASURA_GRAPHQL_ENABLE_CONSOLE: 'true'
       HASURA_GRAPHQL_LOG_LEVEL: warn
       HASURA_GRAPHQL_ENABLED_LOG_TYPES: startup
-      HASURA_GRAPHQL_UNAUTHORIZED_ROLE: public
+      HASURA_GRAPHQL_UNAUTHORIZED_ROLE: anonymous
       HASURA_GRAPHQL_ENABLE_TELEMETRY: 'false'
       HASURA_GRAPHQL_CORS_DOMAIN: '*'
     healthcheck:
@@ -134,7 +132,7 @@ services:
   # mailpit
   ###########################################################################
   mailpit:
-    image: axllent/mailpit:v1.14.4
+    image: axllent/mailpit:v1.16.0
     hostname: mailpit
     container_name: mailpit
     restart: unless-stopped
@@ -172,7 +170,7 @@ services:
   # https://github.com/nhost/hasura-auth/blob/main/docs/environment-variables.md
   ###########################################################################
   auth:
-    image: nhost/hasura-auth:0.28.1
+    image: nhost/hasura-auth:0.29.1
     hostname: auth
     container_name: auth
     restart: unless-stopped
@@ -227,7 +225,7 @@ services:
       AUTH_SMTP_PASS: ${AUTH_SMTP_PASS:-password}
       AUTH_SMTP_SECURE: ${AUTH_SMTP_SECURE:-false}
       AUTH_SMTP_SENDER: ${AUTH_SMTP_SENDER:-hasura-auth@example.com}
-      # AUTH_USER_DEFAULT_ALLOWED_ROLES: me,user,manager,supervisor,engine
+      # AUTH_USER_DEFAULT_ALLOWED_ROLES: me,user,supervisor,manager,engine
       AUTH_USER_DEFAULT_ROLE: manager
       AUTH_WEBAUTHN_ATTESTATION_TIMEOUT: "60000"
       AUTH_WEBAUTHN_ENABLED: "true"
@@ -273,17 +271,17 @@ services:
   # minio
   ###########################################################################
   minio:
-    image: minio/minio:RELEASE.2024-03-10T02-53-48Z
+    image: bitnami/minio:2024.4.6
     hostname: minio
     container_name: minio
     restart: unless-stopped
     profiles: [all]
     volumes:
-     - minio:/data
-    command: server /data --console-address ":9001"
+     - minio:/bitnami/minio/data
     environment:
       MINIO_ROOT_USER: ${STORAGE_ACCESS_KEY}
       MINIO_ROOT_PASSWORD: ${STORAGE_SECRET_KEY}
+      MINIO_DEFAULT_BUCKETS: ${STORAGE_DEFAULT_BUCKETS:-apps:download,public:public}
     expose:
       - 9000
       - 9001
@@ -320,14 +318,15 @@ services:
     environment:
       BIND: :5000
       DEBUG: "true"
+      # CLAMAV_SERVER: tcp://run-clamav:3310
       HASURA_ENDPOINT: http://graphql:8080/v1
       HASURA_GRAPHQL_ADMIN_SECRET: ${HASURA_GRAPHQL_ADMIN_SECRET:-nhost-admin-secret}
       HASURA_METADATA: "1"
       POSTGRES_MIGRATIONS: "1"
       POSTGRES_MIGRATIONS_SOURCE: postgres://postgres:${POSTGRES_PASSWORD:-postgres}@postgres:5432/postgres?sslmode=disable
       PUBLIC_URL: https://storage${BASE_HOSTNAME}
       S3_ACCESS_KEY: ${STORAGE_ACCESS_KEY}
-      S3_BUCKET: nhost
+      S3_BUCKET: public
       S3_ENDPOINT: http://minio:9000
       S3_REGION: ""
       S3_ROOT_FOLDER: ""
@@ -348,6 +347,7 @@ services:
     #   start_interval: 10s
     #   timeout: 15s
     #   retries: 5
+    <<: *extra_hosts
     labels:
       traefik.enable: "true"
       traefik.http.routers.storage.entrypoints: websecure
@@ -359,7 +359,7 @@ services:
   # dashboard
   ###########################################################################
   dashboard:
-    image: nhost/dashboard:1.12.0
+    image: nhost/dashboard:1.12.2
     hostname: dashboard
     container_name: dashboard
     restart: unless-stopped
@@ -393,7 +393,7 @@ services:
   # configserver
   ###########################################################################
   configserver:
-    image: nhost/cli:1.15.3
+    image: nhost/cli:1.16.0
     hostname: configserver
     container_name: configserver
     restart: unless-stopped
@@ -403,8 +403,8 @@ services:
       - --enable-playground
       - --debug
     volumes:
-      - ./nhost/nhost.toml:/tmp/config.toml
-      - ./.secrets:/tmp/secrets.toml
+      - ./nhost:/tmp/root/nhost
+      - .:/tmp/root
     expose:
       - 8088
     # environment:
@@ -432,7 +432,7 @@ services:
   # Ref: https://github.com/pramsey/pgsql-http
   ###########################################################################
   ai:
-    image: nhost/graphite:0.4.0
+    image: nhost/graphite:0.5.0
     hostname: ai
     container_name: ai
     restart: unless-stopped

docs/hasura-roles.md

@@ -5,19 +5,70 @@
 Every table or view can have permission rules defined for users based on user **role**. You define your own
 roles in the Hasura GraphQL Engine and then create permissions for each of them.
 
-For example:
+Recommended roles:
 
-| Role       | Description                                                        | Allowed Activity                            |
-| ---------- | ------------------------------------------------------------------ | ------------------------------------------- |
-| public     | user who is not logged-in                                          | Only read from some restricted tables/views |
-| user       | user who is logged in                                              | CRUD on data that belongs to self           |
-| supervisor | user that has access to all users' data with in their organization | CRUD on all users' data in organization     |
-| manager    | user that has access to all users' data                            | CRUD on all users' data                     |
+- **Users**: users who are using the application as a starting point for their work.
+- **Supervisors**: users who are mainly using the application to manage users and their access of their _organization_.
+- **Administrators**: this users are able to grant additional organizations or departments and elect supervisors.
+
+| Role       | Description                                                            | Allowed Activity                                                     |
+| ---------- | ---------------------------------------------------------------------- | -------------------------------------------------------------------- |
+| anonymous  | A user who is not logged-in                                            | Only read from some restricted tables/views                          |
+| user       | A user who is logged in                                                | Allow access to personally created data                              |
+| supervisor | A user that has access to other users' data with in their organization | Allow access to personally created data or their organization's data |
+| manager    | A user that has access to any users' data across all organizations     | Allow access to all users' data                                      |
 
 See [this section](https://hasura.io/docs/latest/auth/authorization/permissions/) on how to configure permissions.
 
+By default, users have two allowed roles:
+
+- user (default)
+- me
+
 ### The admin role
 
 By default, there is an `admin` role that can perform any operation on any table.
 For our case `admin` is only used for back channel management app.
 For customer facing apps we use `public`, `user`, `supervisor`, `manager` roles.
+
+### Assign Allowed Roles
+
+It’s possible to give users a subset of allowed roles during signup.
+
+**Example:** Only set the `supervisor` role (includeing standard `user`, `me` roles) for the user’s allowed roles:
+
+```js
+await nhost.auth.signUp({
+  email: 'joe@example.com',
+  password: 'secret-password'
+  options: {
+    allowedRoles: ['user','me','supervisor']
+  }
+})
+```
+
+### Set Role for GraphQL Requests
+
+When no role is specified, the user’s default role will be used:
+
+```js
+await nhost.graphql.request(QUERY, {});
+```
+
+If you want to make a GraphQL request using a specific role, you can do so by using the `x-hasura-role` header, like this:
+
+```js
+await nhost.graphql.request(
+	QUERY,
+	{},
+	{
+		headers: {
+			'x-hasura-role': 'me'
+		}
+	}
+);
+```
+
+## Reference
+
+- [Authentication and authorization in multi-tenancy B2B scenarios](https://zitadel.com/docs/guides/solution-scenarios/b2b)

nhost/nhost.toml

@@ -8,7 +8,7 @@ name = 'ACTION_BASE_URL'
 value = 'https://console.traefik.me:5173/api/actions'
 
 [postgres]
-version = '14.6-20240129-1'
+version = '14.6-20240412-1'
 
 [postgres.settings]
 maxConnections = 100
@@ -59,12 +59,16 @@ level = 'warn'
 [hasura.events]
 httpPoolSize = 100
 
+[graphql.security]
+# forbidAminSecret = true
+maxDepthQueries = 4
+
 [functions]
 [functions.node]
 version = 18
 
 [auth]
-version = '0.28.0'
+version = '0.29.1'
 
 [auth.elevatedPrivileges]
 mode = 'required'
@@ -81,7 +85,7 @@ disableNewUsers = false
 [auth.user]
 [auth.user.roles]
 default = 'manager'
-allowed = ['user', 'me', 'manager', 'supervisor', 'engine']
+allowed = ['user', 'me', 'supervisor', 'manager', 'engine']
 
 [auth.user.locale]
 default = 'en'
@@ -209,11 +213,9 @@ method = '{{ secrets.AUTH_SMTP_AUTH_METHOD }}'
 [storage]
 version = '0.6.0'
 
-[storage.antivirus]
-server = 'tcp://run-clamav:3310'
 
 [ai]
-version = '0.4.0'
+version = '0.5.0'
 # Used to validate requests between postgres and the AI service.
 # The AI service will also include the header X-Graphite-Webhook-Secret
 # with this value set when calling external webhooks so the source of