graphql-engine
REST endpoints do not send request body to auth webhook
Version Information
Server Version: v2.37.0
Environment
CE
What is the current behaviour?
When authenticating REST endpoint calls hasura does not send the REST request body.
This causes problems with platforms like stripe where you need to verify the stripe webhook request body with their stripe-signature header.
Using hasura in the POST auth webhook configuration just passes a null request body to the auth webhook, making it impossible to verify the validity of the stripe webhook call.
What is the expected behaviour?
That hasura would pass along the gql request body for the underlying REST endpoint as the documentation describes.
How to reproduce the issue?
- Create an auth webhook and run hasura in POST auth webhook mode
- Create a REST endpoint in hasura making an authenticated gql query
- Log the request body of the auth webhook call.
- Verify the headers property and note the null value of the request property.
Please provide any traces or logs that could help here.
web | [NEXT] body {
web | [NEXT] headers: {
web | [NEXT] Accept: '*/*; q=0.5, application/xml',
web | [NEXT] 'Accept-Encoding': 'gzip',
web | [NEXT] 'Cache-Control': 'no-cache',
web | [NEXT] 'Content-Length': '7159',
web | [NEXT] 'Content-Type': 'application/json; charset=utf-8',
web | [NEXT] Host: 'graphql-engine.prof.dev.x.sh',
web | [NEXT] 'Stripe-Signature': 't=1724395973,v1=xxx',
web | [NEXT] 'User-Agent': 'Stripe/1.0 (+https://stripe.com/docs/webhooks)',
web | [NEXT] 'X-Forwarded-For': '192.168.65.1',
web | [NEXT] 'X-Forwarded-Host': 'graphql-engine.prof.dev.x.sh',
web | [NEXT] 'X-Forwarded-Port': '443',
web | [NEXT] 'X-Forwarded-Proto': 'https',
web | [NEXT] 'X-Forwarded-Server': '01b8639a93c8',
web | [NEXT] 'X-Real-Ip': '192.168.65.1',
web | [NEXT] 'x-request-id': 'c7764582-44fc-491c-b186-ab7f8c1986b1'
web | [NEXT] },
web | [NEXT] request: null
web | [NEXT] }
Any possible solutions/workarounds you're aware of?
Writing a Go service to do this instead.
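Why the missing body matters, as an added example (not code from this issue, Hasura, or Stripe): Stripe's documented `v1` scheme is an HMAC-SHA256 over `<t>.<raw request body>`, so a webhook that receives `request: null` has nothing to verify the header against. The function names, the sample secret and event, and the 300-second tolerance are assumptions made for this sketch.

```javascript
const crypto = require("node:crypto");

// Split "t=...,v1=...,v1=..." into a timestamp and the list of v1 signatures.
function parseStripeSignature(header) {
  const parsed = { timestamp: null, v1: [] };
  for (const part of String(header || "").split(",")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const key = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (key === "t" && /^\d+$/.test(value)) parsed.timestamp = Number(value);
    else if (key === "v1") parsed.v1.push(value);
  }
  return parsed;
}

// rawBody must be the exact bytes that were sent; re-serialised JSON will not match.
function verifyStripeWebhook(rawBody, header, secret, nowSec, toleranceSec = 300) {
  if (rawBody === null || rawBody === undefined) return { ok: false, reason: "missing-body" };
  const { timestamp, v1 } = parseStripeSignature(header);
  if (timestamp === null || v1.length === 0) return { ok: false, reason: "malformed-header" };
  if (Math.abs(nowSec - timestamp) > toleranceSec) return { ok: false, reason: "stale-timestamp" };
  const expected = crypto.createHmac("sha256", secret)
    .update(`${timestamp}.`).update(rawBody).digest();
  const match = v1.some((sig) => {
    const candidate = Buffer.from(sig, "hex");
    // Length check first: timingSafeEqual throws on unequal lengths.
    return candidate.length === expected.length && crypto.timingSafeEqual(candidate, expected);
  });
  return match ? { ok: true, reason: "verified" } : { ok: false, reason: "bad-signature" };
}

// Constructed sample data (not a real secret or event).
const SAMPLE_SECRET = "whsec_constructed_example";
const SAMPLE_BODY = '{"id": "evt_constructed", "type": "invoice.paid"}';
const SAMPLE_T = 1724395973;

// Builds the header a sender would attach, so the checks below run offline.
function sampleHeader(body, t, secret) {
  const sig = crypto.createHmac("sha256", secret).update(`${t}.${body}`).digest("hex");
  return `t=${t},v1=${sig}`;
}

const header = sampleHeader(SAMPLE_BODY, SAMPLE_T, SAMPLE_SECRET);
console.log(verifyStripeWebhook(SAMPLE_BODY, header, SAMPLE_SECRET, SAMPLE_T + 5));
console.log(verifyStripeWebhook(null, header, SAMPLE_SECRET, SAMPLE_T + 5));
```
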