2020-01-14 15:57:45 +03:00
.. meta ::
:description: Use authenticaton with webhooks in Hasura
:keywords: hasura, docs, authentication, auth, webhook
2020-03-11 22:42:36 +03:00
.. _auth_webhooks:
2019-05-17 15:03:35 +03:00
Authentication using webhooks
=============================
.. contents :: Table of contents
:backlinks: none
:depth: 2
:local:
Introduction
------------
2019-09-11 10:17:14 +03:00
You can configure the GraphQL engine to use a webhook to authenticate all incoming requests to the Hasura GraphQL engine server.
2019-05-17 15:03:35 +03:00
.. thumbnail :: ../../../../img/graphql/manual/auth/webhook-auth.png
2020-01-08 16:20:18 +03:00
:alt: Authentication using webhooks
2019-05-17 15:03:35 +03:00
.. admonition :: Prerequisite
2020-03-11 22:42:36 +03:00
It is mandatory to first :ref: `secure your GraphQL endpoint <securing_graphql_endpoint>` for the webhook mode to take effect.
2019-05-17 15:03:35 +03:00
In webhook mode, on a secured endpoint:
2019-09-11 10:17:14 +03:00
- The configured webhook is **called** when the `` X-Hasura-Admin-Secret `` header is not found in the request.
- The configured webhook is **ignored** when the `` X-Hasura-Admin-Secret `` header is found in the request and
2019-05-17 15:03:35 +03:00
admin access is granted.
Configuring webhook mode
------------------------
2020-03-11 22:42:36 +03:00
* You can configure Hasura to run in webhook mode by running the GraphQL engine with the `` --auth-hook `` flag or the `` HASURA_GRAPHQL_AUTH_HOOK `` environment variable (see :ref: `GraphQL engine server options <server_flag_reference>` ), the value of which is the webhook endpoint.
2019-05-17 15:03:35 +03:00
2020-03-11 22:42:36 +03:00
* You can configure Hasura to send either a `` GET `` or a `` POST `` request to your auth webhook. The default configuration is `` GET `` and you can override this with `` POST `` by using the `` --auth-hook-mode `` flag or the `` HASURA_GRAPHQL_AUTH_HOOK_MODE `` environment variable (*in addition to those specified above; see* :ref: `GraphQL engine server options <server_flag_reference>` ).
2019-05-17 15:03:35 +03:00
Spec for the webhook
--------------------
Request
^^^^^^^
GET request
+++++++++++
.. code-block :: http
GET https://<your-custom-webhook>/ HTTP/1.1
<Header-Key>: <Header-Value>
If you configure your webhook to use `` GET `` , then Hasura **will forward all client headers except** :
- `` Content-Length ``
- `` Content-Type ``
- `` Content-MD5 ``
- `` User-Agent ``
- `` Host ``
- `` Origin ``
- `` Referer ``
- `` Accept ``
- `` Accept-Encoding ``
- `` Accept-Language ``
- `` Accept-Datetime ``
- `` Cache-Control ``
- `` Connection ``
- `` DNT ``
POST request
++++++++++++
.. code-block :: http
POST https://<your-custom-webhook>/ HTTP/1.1
Content-Type: application/json
{
"headers": {
"header-key1": "header-value1",
"header-key2": "header-value2"
}
}
2019-09-11 10:17:14 +03:00
If you configure your webhook to use `` POST `` , then Hasura **will send all client headers in payload** .
2019-05-17 15:03:35 +03:00
Response
^^^^^^^^
Success
+++++++
To allow the GraphQL request to go through, your webhook must return a `` 200 `` status code.
You should send the `` X-Hasura-* `` "session variables" to your permission rules in Hasura.
.. code-block :: http
HTTP/1.1 200 OK
Content-Type: application/json
{
"X-Hasura-User-Id": "25",
"X-Hasura-Role": "user",
"X-Hasura-Is-Owner": "true",
"X-Hasura-Custom": "custom value"
}
.. note ::
All values should be `` String `` . They will be converted to the right type automatically.
Failure
+++++++
2019-09-11 10:17:14 +03:00
If you want to deny the GraphQL request, return a `` 401 Unauthorized `` exception.
2019-05-17 15:03:35 +03:00
.. code-block :: http
HTTP/1.1 401 Unauthorized
.. note ::
2019-09-11 10:17:14 +03:00
Anything other than a `` 200 `` or `` 401 `` response from webhook makes the server raise a `` 500 Internal Server Error ``
2019-05-17 15:03:35 +03:00
exception.
Auth webhook samples
--------------------
We have put together a `GitHub Node.js repo <https://github.com/hasura/graphql-engine/tree/master/community/boilerplates/auth-webhooks/nodejs-express> `__ that has some sample auth
webhooks configured.
You can deploy these samples using `glitch <https://glitch.com/> `__ :
.. image :: https://raw.githubusercontent.com/hasura/sample-auth-webhook/master/assets/deploy-glitch.png
:width: 200px
:alt: deploy_auth_webhook_with_glitch
:class: no-shadow
:target: http://glitch.com/edit/#!/import/github/hasura/sample-auth-webhook
Once deployed, you can use any of the following endpoints as your auth webhook in the GraphQL engine:
- `` /simple/webhook `` (`View source <https://github.com/hasura/graphql-engine/blob/master/community/boilerplates/auth-webhooks/nodejs-express/server.js> `__ )
- `` /firebase/webhook `` (`View source <https://github.com/hasura/graphql-engine/blob/master/community/boilerplates/auth-webhooks/nodejs-express/firebase/firebaseHandler.js> `__ )
.. note ::
2019-09-11 10:17:14 +03:00
If you are using `` Firebase `` , you will have to set the associated environment variables.
