mirror of https://github.com/hasura/graphql-engine.git, synced 2024-12-14 17:02:49 +03:00
docs: add ref from unauthenticated access docs to env var config
PR-URL: https://github.com/hasura/graphql-engine-mono/pull/9888 GitOrigin-RevId: a7274c3b78c76fd319ab9207866e8e62fcd43b30
This commit is contained in:
parent 5d9d91dbfd
commit 49659cd6ed
@ -19,18 +19,18 @@ logging in.
|
|||||||
Once you have configured an [admin secret](/deployment/securing-graphql-endpoint.mdx), by default Hasura GraphQL Engine
|
Once you have configured an [admin secret](/deployment/securing-graphql-endpoint.mdx), by default Hasura GraphQL Engine
|
||||||
will reject any unauthenticated request it receives.
|
will reject any unauthenticated request it receives.
|
||||||
|
|
||||||
You can configure the Hasura Engine to allow access to unauthenticated users by defining a specific role which will
|
You can configure the Hasura Engine to allow access to unauthenticated users by defining a specific role which will be
|
||||||
be used for all unauthenticated requests. Once an unauthenticated role is configured, unauthenticated requests will not
|
used for all unauthenticated requests. Once an unauthenticated role is configured, unauthenticated requests will not be
|
||||||
be rejected and instead will be handled as the unauthenticated user with the relevant authorization permissions
|
rejected and instead will be handled as the unauthenticated user with the relevant authorization permissions for that
|
||||||
for that role taking effect.
|
role taking effect.
|
||||||
|
|
||||||
A guide on setting up permissions for the unauthenticated role can be found
|
A guide on setting up permissions for the unauthenticated role can be found
|
||||||
[here](/auth/authorization/permissions/common-roles-auth-examples.mdx#unauthorized-users-example).
|
[here](/auth/authorization/permissions/common-roles-auth-examples.mdx#unauthorized-users-example).
|
||||||
|
|
||||||
:::warning Risk of session variables with the unauthenticated role
|
:::warning Risk of session variables with the unauthenticated role
|
||||||
|
|
||||||
You should not use [session variables](/auth/authorization/roles-variables.mdx#session-variables) in
|
You should not use [session variables](/auth/authorization/roles-variables.mdx#session-variables) in the permissions for
|
||||||
the permissions for an unauthenticated role because the source of the session variables cannot be trusted.
|
an unauthenticated role because the source of the session variables cannot be trusted.
|
||||||
|
|
||||||
Since session variables can be passed using request headers and they are not verified through the JWT or webhook
|
Since session variables can be passed using request headers and they are not verified through the JWT or webhook
|
||||||
authentication methods or utilize an admin secret, a user can choose to set any values for them and bypass the
|
authentication methods or utilize an admin secret, a user can choose to set any values for them and bypass the
|
||||||
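Review bot: the closing sentence of this hunk, "Since session variables can be passed using request headers and they are not verified through the JWT or webhook authentication methods or utilize an admin secret, a user can choose to set any values for them and bypass the permissions", is ambiguous about what "or utilize an admin secret" attaches to (the headers, the verification, or the request), and since the hunk is otherwise a pure reflow of unchanged wording, this is the moment to tighten it. Suggest something like: "Session variables can be supplied in request headers. When a request is not authenticated through JWT or webhook mode and does not carry the admin secret, nothing verifies them, so a caller can set them to any value and bypass permissions that depend on them." Related: the prose here consistently says "unauthenticated role" while the linked anchor is `#unauthorized-users-example` and the configuration knob introduced in the next hunk is `HASURA_GRAPHQL_UNAUTHORIZED_ROLE` / `--unauthorized-role`; one sentence stating that the two terms name the same role would save readers a double-take.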
@ -40,15 +40,16 @@ permissions.
|
|||||||
|
|
||||||
## Configuring unauthenticated / public access
|
## Configuring unauthenticated / public access
|
||||||
|
|
||||||
You can use the env variable `HASURA_GRAPHQL_UNAUTHORIZED_ROLE` or the `--unauthorized-role` flag to define a role for
|
You can use the env variable
|
||||||
unauthenticated (non-logged in) users. See
|
[`HASURA_GRAPHQL_UNAUTHORIZED_ROLE` or the `--unauthorized-role` flag](/deployment/graphql-engine-flags/reference.mdx#unauthorized-role)
|
||||||
[GraphQL Engine server config reference](/deployment/graphql-engine-flags/index.mdx) for more details on setting
|
to define a role for unauthenticated (non-logged in) users. See
|
||||||
this flag or environment variable.
|
[GraphQL Engine server config reference](/deployment/graphql-engine-flags/index.mdx) for more details on setting this
|
||||||
|
flag or environment variable.
|
||||||
|
|
||||||
### No-auth setup
|
### No-auth setup
|
||||||
|
|
||||||
When JWT or webhook modes are not configured, and the request does not contain the admin secret
|
When JWT or webhook modes are not configured, and the request does not contain the admin secret header, then every
|
||||||
header, then every request is considered an unauthenticated request.
|
request is considered an unauthenticated request.
|
||||||
|
|
||||||
### JWT
|
### JWT
|
||||||
|
|
||||||
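Review bot: with the new deep link to `/deployment/graphql-engine-flags/reference.mdx#unauthorized-role` in the first sentence of "Configuring unauthenticated / public access", the sentence that follows it, "See [GraphQL Engine server config reference](/deployment/graphql-engine-flags/index.mdx) for more details on setting this flag or environment variable.", now sends readers back to the general index for exactly what the new link already covers; either drop it or point it at the same `#unauthorized-role` anchor. Minor: the link text `[`HASURA_GRAPHQL_UNAUTHORIZED_ROLE` or the `--unauthorized-role` flag](...)` wraps the connective words "or the" and "flag" inside the link; linking the two identifiers individually reads cleaner and keeps the link text to the names a reader would search for.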