
Actions codegen should generate or make note about headers from request #5140


Description

@ntt2k

This may be just a suggestion. When using codegen from actions, the headers won't be captured and sent back to Hasura if you choose to execute the parent operation in Hasura at some point.

This decision is left up to the developer to manually edit/modify the headers before sending them back to the parent operation in Hasura --> which I think is good for security!

But most developers will secure their Hasura endpoint with a token like a JWT and are left wondering why Hasura rejects the callback with the message:

"Missing Authorization header in JWT authentication mode"

Example: nodejs-express codegen, Hasura v1.22.

Current codegen:

// setup omitted in the issue: the nodejs-express codegen template uses express and node-fetch
const express = require('express');
const fetch = require('node-fetch');
const app = express();
app.use(express.json());
// HASURA_OPERATION is the GraphQL operation string that codegen emits for this action

// execute the parent operation in Hasura
const execute = async (variables) => {
  const fetchResponse = await fetch(
    "http://localhost:8050/v1/graphql",
    {
      method: 'POST',
      body: JSON.stringify({
        query: HASURA_OPERATION,
        variables
      })
    }
  );
  const data = await fetchResponse.json();
  console.log('DEBUG: ', data);
  return data;
};


// Request Handler
app.post('/update_some_property', async (req, res) => {
  // get request input
  const { someId } = req.body.input;

  // run some business logic

  // execute the parent operation in Hasura
  const { data, errors } = await execute({ someId });

  // if Hasura operation errors, then throw error
  if (errors) {
    return res.status(400).json(errors[0])
  }

  // success
  return res.json(data)
});

Proposed codegen:

// setup omitted in the issue: the nodejs-express codegen template uses express and node-fetch
const express = require('express');
const fetch = require('node-fetch');
const app = express();
app.use(express.json());
// HASURA_OPERATION is the GraphQL operation string that codegen emits for this action

// execute the parent operation in Hasura
const execute = async (headers, variables) => {
  const fetchResponse = await fetch(
    "http://localhost:8050/v1/graphql",
    {
      method: 'POST',
      headers,
      body: JSON.stringify({
        query: HASURA_OPERATION,
        variables
      })
    }
  );
  const data = await fetchResponse.json();
  console.log('DEBUG: ', data);
  return data;
};


// Request Handler
app.post('/update_some_property', async (req, res) => {
  // get request headers; or make note developer should edit/modify headers here
  const { headers } = req;

  // get request input
  const { someId } = req.body.input;

  // run some business logic

  // execute the parent operation in Hasura
  const { data, errors } = await execute(headers, { someId });

  // if Hasura operation errors, then throw error
  if (errors) {
    return res.status(400).json(errors[0])
  }

  // success
  return res.json(data)
});

I guess what I'm trying to say is that codegen (and the Hasura documentation) should make sure developers are aware that headers are not being sent back, and that it's up to the developer to do it the right way (taking security and authorization into consideration).

*Note: I know there are some slightly related open tickets and a hot debate around security for action handlers. I just put them here for reference:

#4645
#5112
#4722
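The issue proposes passing the action request's headers through to the parent operation and leaves it to the developer to decide which ones. The example below is added here and is not code from the issue author or from Hasura's codegen: it shows the forwarding done with an allowlist instead of passing `req.headers` wholesale, rejects the call up front when no Authorization header is present (instead of surfacing Hasura's "Missing Authorization header in JWT authentication mode"), and keeps the Hasura call behind an injectable `fetch` so the behaviour can be checked offline. The endpoint URL is the one from the issue's sample; `HASURA_OPERATION`, `handleUpdateSomeProperty`, `pickForwardHeaders`, the sample request and the stub fetch are all constructed for this example. It assumes the caller's Authorization header actually reaches the handler.

```javascript
// Added example (not Hasura's codegen and not the issue author's code).
// Assumptions: the action request arrives with the caller's Authorization
// header, and the endpoint/operation below are placeholders matching the
// issue's sample (HASURA_OPERATION is hypothetical).
const HASURA_URL = "http://localhost:8050/v1/graphql";
const HASURA_OPERATION = `mutation UpdateSomeProperty($someId: Int!) {
  update_some_property(id: $someId) { id }
}`;

// Only these request headers are copied to the parent operation. Everything
// else (host, content-length, connection, cookie, ...) is dropped: fetch
// computes its own framing headers for the new request, and forwarding
// unrelated headers sends Hasura more than the operation needs.
const FORWARD_ALLOWLIST = new Set(["authorization"]);

function pickForwardHeaders(incomingHeaders) {
  const out = { "content-type": "application/json" };
  for (const [name, value] of Object.entries(incomingHeaders || {})) {
    const key = name.toLowerCase();
    if (FORWARD_ALLOWLIST.has(key) && typeof value === "string" && value !== "") {
      out[key] = value;
    }
  }
  return out;
}

// Same shape as the generated execute(), with an injectable fetch so the
// function can be exercised against a stub instead of a live endpoint.
async function execute(headers, variables, fetchImpl = globalThis.fetch) {
  const response = await fetchImpl(HASURA_URL, {
    method: "POST",
    headers,
    body: JSON.stringify({ query: HASURA_OPERATION, variables }),
  });
  return response.json();
}

// Handler logic factored out of app.post() so it returns { status, body }
// instead of writing to res; wiring it into express is shown at the bottom.
async function handleUpdateSomeProperty(req, fetchImpl = globalThis.fetch) {
  const headers = pickForwardHeaders(req.headers);
  if (!headers.authorization) {
    // Fail fast with a clear message rather than letting Hasura answer
    // "Missing Authorization header in JWT authentication mode".
    return { status: 401, body: { message: "Authorization header required" } };
  }
  const { someId } = req.body.input;
  const { data, errors } = await execute(headers, { someId }, fetchImpl);
  if (errors) return { status: 400, body: errors[0] };
  return { status: 200, body: data };
}

// Constructed sample request (not captured traffic) carrying the kinds of
// headers an express handler sees, only one of which should be forwarded.
const sampleRequest = {
  headers: {
    host: "handler.internal:3000",
    "content-length": "42",
    cookie: "session=constructed-cookie",
    authorization: "Bearer constructed.jwt.token",
  },
  body: { input: { someId: 7 } },
};

// Stub fetch (no network): records what it was sent and returns a canned
// Hasura-style JSON body, so the forwarding behaviour can be inspected.
function makeStubFetch() {
  const calls = [];
  const fetchImpl = async (url, init) => {
    calls.push({ url, init });
    return { json: async () => ({ data: { update_some_property: { id: 7 } } }) };
  };
  return { fetchImpl, calls };
}

// express wiring for the real handler:
// app.post("/update_some_property", async (req, res) => {
//   const { status, body } = await handleUpdateSomeProperty(req);
//   res.status(status).json(body);
// });
```

With the allowlist, `pickForwardHeaders(sampleRequest.headers)` yields only `content-type` and `authorization`; the cookie, host and content-length values never reach Hasura. If the handler should act with a fixed server-side identity instead of the caller's, the same function is the single place to swap the forwarded Authorization for a value read from the environment.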

Labels: a/authz (Issues related to "authorization" and the policy engine after session claims are processed), c/actions (Related to actions), c/actions/codegen