From 49659cd6ed9ec4daa1ce7b48fd3e639cc019e96a Mon Sep 17 00:00:00 2001 From: Rob Dominguez Date: Tue, 18 Jul 2023 10:45:28 -0500 Subject: [PATCH] docs: add ref from unauthenticated access docs to env var config PR-URL: https://github.com/hasura/graphql-engine-mono/pull/9888 GitOrigin-RevId: a7274c3b78c76fd319ab9207866e8e62fcd43b30 --- .../authentication/unauthenticated-access.mdx | 25 ++++++++++--------- 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/docs/docs/auth/authentication/unauthenticated-access.mdx b/docs/docs/auth/authentication/unauthenticated-access.mdx index cdc4f5082da..96b26f57cd1 100644 --- a/docs/docs/auth/authentication/unauthenticated-access.mdx +++ b/docs/docs/auth/authentication/unauthenticated-access.mdx 
@@ -19,18 +19,18 @@ logging in. Once you have configured an [admin secret](/deployment/securing-graphql-endpoint.mdx), by default Hasura GraphQL Engine will reject any unauthenticated request it receives. -You can configure the Hasura Engine to allow access to unauthenticated users by defining a specific role which will -be used for all unauthenticated requests. Once an unauthenticated role is configured, unauthenticated requests will not -be rejected and instead will be handled as the unauthenticated user with the relevant authorization permissions -for that role taking effect. +You can configure the Hasura Engine to allow access to unauthenticated users by defining a specific role which will be +used for all unauthenticated requests. Once an unauthenticated role is configured, unauthenticated requests will not be +rejected and instead will be handled as the unauthenticated user with the relevant authorization permissions for that +role taking effect. A guide on setting up permissions for the unauthenticated role can be found [here](/auth/authorization/permissions/common-roles-auth-examples.mdx#unauthorized-users-example). :::warning Risk of session variables with the unauthenticated role -You should not use [session variables](/auth/authorization/roles-variables.mdx#session-variables) in -the permissions for an unauthenticated role because the source of the session variables cannot be trusted. +You should not use [session variables](/auth/authorization/roles-variables.mdx#session-variables) in the permissions for +an unauthenticated role because the source of the session variables cannot be trusted. Since session variables can be passed using request headers and they are not verified through the JWT or webhook authentication methods or utilize an admin secret, a user can choose to set any values for them and bypass the 
@@ -40,15 +40,16 @@ permissions. ## Configuring unauthenticated / public access -You can use the env variable `HASURA_GRAPHQL_UNAUTHORIZED_ROLE` or the `--unauthorized-role` flag to define a role for -unauthenticated (non-logged in) users. See -[GraphQL Engine server config reference](/deployment/graphql-engine-flags/index.mdx) for more details on setting -this flag or environment variable. +You can use the env variable +[`HASURA_GRAPHQL_UNAUTHORIZED_ROLE` or the `--unauthorized-role` flag](/deployment/graphql-engine-flags/reference.mdx#unauthorized-role) +to define a role for unauthenticated (non-logged in) users. See +[GraphQL Engine server config reference](/deployment/graphql-engine-flags/index.mdx) for more details on setting this +flag or environment variable. ### No-auth setup -When JWT or webhook modes are not configured, and the request does not contain the admin secret -header, then every request is considered an unauthenticated request. +When JWT or webhook modes are not configured, and the request does not contain the admin secret header, then every +request is considered an unauthenticated request. ### JWT
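Review bot: In the `@@ -19,18 +19,18 @@` hunk every `-`/`+` pair is a pure line-wrap reflow of the two paragraphs and of the session-variables warning, with no wording change, while the commit subject only describes adding a reference; either mention the reflow in the commit message or split it into its own commit, since mixing whitespace-only rewraps with the content change makes it harder to review the security warning for accidental edits (here the before and after text is identical, so nothing was lost).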
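Review bot: In the `@@ -40,15 +40,16 @@` hunk the new link wraps both `HASURA_GRAPHQL_UNAUTHORIZED_ROLE` and `--unauthorized-role` in a single link text pointing at `reference.mdx#unauthorized-role`, yet the next sentence still sends the reader to the index page "for more details on setting this flag or environment variable", which now duplicates the new reference; point that sentence at the same anchor or drop it. Also confirm that the `#unauthorized-role` anchor actually exists in `reference.mdx`, since a missing anchor fails silently by scrolling to the page top, and the unchanged "No-auth setup" context below shows why this link matters: when neither JWT nor webhook mode is configured, every request without the admin secret header is evaluated under this role, so the role's permissions are effectively public.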