How to handle permissions serverless funtion

[shansmith01]

Hi,

I am setting up a cron job to hit a nextjs api route which in turn triggers a mutation in hassura. I would like to put some sort of authentication on this, say via an API key.

My cron system can set headers, is it possible to say have an api key sent along in the header and having a permission set up say "Admin API" can make mutations

Sorry if that's no very clear. Just want to protect and old jo hitting my api routes

Thanks. Love your work

[wwwdepot]

1. If you feel comfortable using admin access key, use that.
2. You can create a table call tokens, and set a role server and perform a custom check against the token table.

Use custom headers sent to hasura. Forward other headers to hasura if you going to them for permission checks

{
    "X-Hasura-Token": "your_secret_token",
    "X-Hasura-Role": "server"
}

row select permissions

{"_exists":{"_table":{"schema":"public","name":"tokens"},"_where":{"token":{"_eq":"X-Hasura-Token"}}}}

[shansmith01]

Thanks for getting back to me.

I tried number 2, but It still seems to want me to use the admin secret or send a JWT along with and Authorization Header as I am in JWT mode

Any thoughts?

[rikinsk]

@shansmith01 There are 3 ways for you to get past the auth system once its set up:

• use the admin secret - You can always pass the admin secret in the x-hasura-admin-secret header and to get admin access on the the api. (not recommended unless admin secret security can be managed)
• use a JWT ( docs ) - You can generate a JWT for your cron process with a particular role and set up permissions in Hasura to allow the appropriate mutations for the role. (ideal solution )
• set up an unauthenticated role ( docs ) to avoid setting up a JWT and then pass an extra token as a header along with the token exists permission check for the unauthorized role as described in the previous comment (not as recommended as the previous solution)