docs: add ref from unauthenticated access docs to env var config

PR-URL: https://github.com/hasura/graphql-engine-mono/pull/9888
GitOrigin-RevId: a7274c3b78c76fd319ab9207866e8e62fcd43b30
Rob Dominguez 2023-07-18 10:45:28 -05:00 committed by hasura-bot
parent 5d9d91dbfd
commit 49659cd6ed


@ -19,18 +19,18 @@ logging in.
Once you have configured an [admin secret](/deployment/securing-graphql-endpoint.mdx), by default Hasura GraphQL Engine Once you have configured an [admin secret](/deployment/securing-graphql-endpoint.mdx), by default Hasura GraphQL Engine
will reject any unauthenticated request it receives. will reject any unauthenticated request it receives.
You can configure the Hasura Engine to allow access to unauthenticated users by defining a specific role which will You can configure the Hasura Engine to allow access to unauthenticated users by defining a specific role which will be
be used for all unauthenticated requests. Once an unauthenticated role is configured, unauthenticated requests will not used for all unauthenticated requests. Once an unauthenticated role is configured, unauthenticated requests will not be
be rejected and instead will be handled as the unauthenticated user with the relevant authorization permissions rejected and instead will be handled as the unauthenticated user with the relevant authorization permissions for that
for that role taking effect. role taking effect.
A guide on setting up permissions for the unauthenticated role can be found A guide on setting up permissions for the unauthenticated role can be found
[here](/auth/authorization/permissions/common-roles-auth-examples.mdx#unauthorized-users-example). [here](/auth/authorization/permissions/common-roles-auth-examples.mdx#unauthorized-users-example).
:::warning Risk of session variables with the unauthenticated role :::warning Risk of session variables with the unauthenticated role
You should not use [session variables](/auth/authorization/roles-variables.mdx#session-variables) in You should not use [session variables](/auth/authorization/roles-variables.mdx#session-variables) in the permissions for
the permissions for an unauthenticated role because the source of the session variables cannot be trusted. an unauthenticated role because the source of the session variables cannot be trusted.
Since session variables can be passed using request headers and they are not verified through the JWT or webhook Since session variables can be passed using request headers and they are not verified through the JWT or webhook
authentication methods or utilize an admin secret, a user can choose to set any values for them and bypass the authentication methods or utilize an admin secret, a user can choose to set any values for them and bypass the
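Review bot: This hunk is a pure rewrap to a longer line width with no wording change (the unauthenticated-role paragraph, the link to the common-roles example, and the "Risk of session variables" warning all read the same before and after), so it adds diff noise that hides the one real edit in the next hunk. Consider landing reflow-only changes as a separate commit, or noting in the commit message that the formatter was run, so reviewers know the warning text about untrusted session variables was intentionally left as-is.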
@ -40,15 +40,16 @@ permissions.
## Configuring unauthenticated / public access ## Configuring unauthenticated / public access
You can use the env variable `HASURA_GRAPHQL_UNAUTHORIZED_ROLE` or the `--unauthorized-role` flag to define a role for You can use the env variable
unauthenticated (non-logged in) users. See [`HASURA_GRAPHQL_UNAUTHORIZED_ROLE` or the `--unauthorized-role` flag](/deployment/graphql-engine-flags/reference.mdx#unauthorized-role)
[GraphQL Engine server config reference](/deployment/graphql-engine-flags/index.mdx) for more details on setting to define a role for unauthenticated (non-logged in) users. See
this flag or environment variable. [GraphQL Engine server config reference](/deployment/graphql-engine-flags/index.mdx) for more details on setting this
flag or environment variable.
### No-auth setup ### No-auth setup
When JWT or webhook modes are not configured, and the request does not contain the admin secret When JWT or webhook modes are not configured, and the request does not contain the admin secret header, then every
header, then every request is considered an unauthenticated request. request is considered an unauthenticated request.
### JWT ### JWT
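Review bot: The new link points at `/deployment/graphql-engine-flags/reference.mdx#unauthorized-role`; confirm that `reference.mdx` actually has a heading that generates the `unauthorized-role` anchor, because an anchor that does not exist still renders as a clickable link to the right page and is easy to miss in review. With that link in place, the very next sentence still sends the reader to the [GraphQL Engine server config reference](/deployment/graphql-engine-flags/index.mdx) "for more details on setting this flag or environment variable", so the paragraph now links to two pages for the same setting; either drop the index link or reword it to say the reference page documents `HASURA_GRAPHQL_UNAUTHORIZED_ROLE` itself while the index explains how flags and env vars are supplied.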