graphql-engine

Feature request: Allow checking of values in JWT against fixed strings

Open elgordino opened this issue 6 years ago • 2 comments

I would like the ability to check values in the JWT against set values (strings, booleans, etc.).

For example, if the user's token contains `allow_write:true` I would like to be able to check for this, rather than having to traverse the database to find the user's permissions.

This will reduce the DB overhead of the security rules as it would not be necessary to retrieve data from any tables other than the one being updated (providing the user_id is on the table being updated).

There's some more detail on this towards the end of this blog post https://dev.to/lineup-ninja/modelling-teams-and-user-security-with-hasura-204i

This is just a nice to have, particularly for any users migrating from Firebase.

elgordino Apr 01 '19 09:04

This would be especially useful in setups where users are managed externally (Auth0, Keycloak, ...). In my company, users and their group memberships are managed in Keycloak and this information is only available as JWT claims.

Basically I want to write a permission rule for a role "user" that says:

  • check that group "manager" is in claim "x-hasura-allowed-groups" ("manager" being a constant here)

I don't see a way to do that now. At least when the information is only present as a JWT claim.

I'm also interested in contributing. Any hints as to which direction such a solution could possibly go?

cederigo Apr 29 '20 18:04
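The two checks asked for in the comments above, sketched outside Hasura as an added example (not graphql-engine code and not an existing Hasura feature): the token's HS256 signature is verified first, then claims are compared against fixed values. The function names, rule format and key handling are assumptions, as is treating the claims as top-level fields with the group claim as a JSON array.

```python
import base64, hashlib, hmac, json

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims, key):
    """Build a constructed HS256 sample token for the demo."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(mac)}"

def verified_claims(token, key):
    """Return claims only if alg is HS256 and the MAC matches (exp/aud checks omitted)."""
    try:
        head, body, sig = token.split(".")
        header, mac = json.loads(b64d(head)), b64d(sig)
    except ValueError as exc:
        raise PermissionError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    good = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, good):
        raise PermissionError("bad signature")
    claims = json.loads(b64d(body))
    if not isinstance(claims, dict):
        raise PermissionError("claims are not a JSON object")
    return claims

def rule_holds(claims, op, name, constant):
    value = claims.get(name)
    if op == "eq":  # same type required: "true" or 1 must not pass for True
        return type(value) is type(constant) and value == constant
    if op == "contains":  # list membership only, never a substring match
        return isinstance(value, list) and constant in value
    raise ValueError(f"unknown operator {op!r}")

def authorize(token, key, rules):
    """Fail closed: a bad token or any unmet rule denies the request."""
    try:
        claims = verified_claims(token, key)
    except (PermissionError, ValueError):
        return False
    return all(rule_holds(claims, *rule) for rule in rules)

# The two rules from the thread, written in this sketch's hypothetical rule format.
WRITE_RULE = [("eq", "allow_write", True)]
MANAGER_RULE = [("contains", "x-hasura-allowed-groups", "manager")]
```

The strict type check matters because in Python `1 == True`, and the list check matters because `"manager" in "manager-trainee"` is true for strings.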

Related: https://github.com/hasura/graphql-engine/issues/3685

tirumaraiselvan May 11 '20 07:05