hasura-auth

Error: "Your requested role is not in allowed roles"

Open mmlngl opened this issue 1 year ago • 6 comments

After upgrading from Auth version 0.21.2 to 0.32.1, I'm locked out of huge parts of my app. Anonymous users also lose access.

Original post: https://discord.com/channels/552499021260914688/1256230901059293226

I can confirm: reverting to 0.21.2 solves the issue.

Important Updates

  • It's nothing to do with whether or not a user is registered via the nhost dashboard.
  • Normal behaviour is to NOT add an entry in the auth.user_roles table for every user with role user

mmlngl avatar Jun 28 '24 13:06 mmlngl

I can neither confirm nor deny that 0.27.0 works as I can't register users.

Relevant log in docker:

2024-06-28 14:32:16 {"time":"2024-06-28T13:32:16.017060178Z","level":"ERROR","msg":"call completed with errors","trace":{"trace_id":"26005cf2-d696-46e3-80f6-726b6cceaf17","span_id":"","parent_span_id":""},"request":{"status_code":500,"latency_time":103376542,"client_ip":"192.168.65.1","method":"POST","url":"/v1/signup/email-password","errors":["error inserting user: ERROR: permission denied for table event_log (SQLSTATE 42501)"]}}

other config:

[hasura]
version = 'v2.38.0-ce'

[functions]
[functions.node]
version = 18

[auth]
version = '0.27.0'

[postgres]
version = '14.11-20240515-1'

[storage]
version = '0.6.0'

mmlngl avatar Jun 28 '24 13:06 mmlngl

0.26.0 is 🟢

mmlngl avatar Jun 28 '24 13:06 mmlngl

More investigation today.

I managed to get this configuration working:

[postgres]
version = '14.11-20240515-1'
[storage]
version = '0.6.0'
[hasura]
version = 'v2.38.0-ce'
[auth]
version = '0.21.2'

Upgrading to [auth] version = '0.32.0' triggers "Your requested role is not in allowed roles".

mmlngl avatar Jul 01 '24 16:07 mmlngl

this error you shared:

2024-06-28 14:32:16 {"time":"2024-06-28T13:32:16.017060178Z","level":"ERROR","msg":"call completed with errors","trace":{"trace_id":"26005cf2-d696-46e3-80f6-726b6cceaf17","span_id":"","parent_span_id":""},"request":{"status_code":500,"latency_time":103376542,"client_ip":"192.168.65.1","method":"POST","url":"/v1/signup/email-password","errors":["error inserting user: ERROR: permission denied for table event_log (SQLSTATE 42501)"]}}

that's a different one that you can fix by running the following SQL:

GRANT USAGE ON SCHEMA hdb_catalog TO nhost_auth_admin;
GRANT CREATE ON SCHEMA hdb_catalog TO nhost_auth_admin;
GRANT ALL ON ALL TABLES IN SCHEMA hdb_catalog TO nhost_auth_admin;
GRANT ALL ON ALL SEQUENCES IN SCHEMA hdb_catalog TO nhost_auth_admin;
GRANT ALL ON ALL FUNCTIONS IN SCHEMA hdb_catalog TO nhost_auth_admin;

Latest postgres image (which you are using based on the info above) should have these permissions, not sure why you are missing them. In any case, this is a one-time fix, run the SQL above and that error should be gone.

I am still trying to reproduce the error "Your requested role is not in allowed roles" but failing to do so. A few questions:

  1. How was the user created? Do you know the approximate request? Was it a regular signup/email-password? Deanonymization? Some other mechanism? Any extra options being passed?
  2. Which auth version was used?
  3. Which version is triggering the error? I am assuming 0.32.1
  4. What is the signin request you are making? Any extra options being passed?

dbarrosop avatar Jul 01 '24 20:07 dbarrosop

I am seeing the above-mentioned error (Your requested role is not in allowed role) fairly often on auth 0.32.1.

It typically happens immediately after I sign in and after a few refreshes (CMD+R) of the page it is working as expected.

Just to give my input on your questions above, @dbarrosop:

  1. My user was created using the Nhost Dashboard
  2. Good question but likely a version prior to 0.32.1, my best guess is 0.32.0 but I am not 100% on that.
  3. Currently happening on 0.32.1
  4. Signing in with email/password, using await nhost.auth.signIn({ email, password });

A couple of observations:

  • I have not been able to trigger this error on any version of my application that has been deployed to Vercel, I am only seeing the error occurring when on my localhost connecting to my Nhost env running locally.
  • When logging the response from nhost.auth.signIn I've observed that the roles-field is empty ([]) and the same goes for the identical field in the output from useUserData for the first couple of refreshes and then at some point it becomes populated with the roles as expected and the calls to the API also work as expected.

hrmoller avatar Aug 13 '24 19:08 hrmoller
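
An added diagnostic example (not part of the thread, and not hasura-auth or Nhost SDK code) for the empty-roles symptom described above: it decodes an access token locally and reports whether the role a request would use appears in the token's allowed roles. It assumes the access token is a JWT using Hasura's default claims namespace (https://hasura.io/jwt/claims) with the x-hasura-allowed-roles and x-hasura-default-role claims; the function names are hypothetical and the sample tokens are constructed.

```javascript
// Added diagnostic example; not code from hasura-auth or the Nhost SDK.
// Assumption: Hasura's default JWT claims namespace and claim names.
const CLAIMS_NS = "https://hasura.io/jwt/claims";

// Decode the payload segment of a JWT WITHOUT verifying the signature.
// Local troubleshooting only; never authorize on unverified claims.
function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Report whether `requestedRole` (the x-hasura-role header, if any) is
// covered by the token; with no header the default role is used.
function diagnoseRole(token, requestedRole) {
  const claims = decodeJwtPayload(token)[CLAIMS_NS];
  if (!claims) return { ok: false, reason: "claims namespace missing" };
  const allowed = claims["x-hasura-allowed-roles"];
  const role = requestedRole || claims["x-hasura-default-role"];
  if (!Array.isArray(allowed) || allowed.length === 0)
    return { ok: false, role, allowed: [], reason: "allowed roles empty" };
  if (!allowed.includes(role))
    return { ok: false, role, allowed, reason: "role not in allowed roles" };
  return { ok: true, role, allowed, reason: "role allowed" };
}

// Constructed sample tokens with a placeholder signature, built inline.
function makeSampleToken(allowedRoles, defaultRole) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  const payload = {
    sub: "constructed-user-id",
    [CLAIMS_NS]: {
      "x-hasura-allowed-roles": allowedRoles,
      "x-hasura-default-role": defaultRole,
    },
  };
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(payload)}.sig`;
}

const emptyRolesToken = makeSampleToken([], "user"); // mirrors roles: []
const healthyToken = makeSampleToken(["user", "me"], "user");

console.log(diagnoseRole(emptyRolesToken));
console.log(diagnoseRole(healthyToken));
console.log(diagnoseRole(healthyToken, "admin"));
```

Running the same check on the token returned right after sign-in and again after a refresh shows whether the token itself was issued without roles or whether the client is requesting a role the token never carried.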

Thanks, that's very useful info. I will see if I can replicate with the info you provided.

dbarrosop avatar Aug 14 '24 14:08 dbarrosop

I think this one should be fixed now, this was a bit of a tricky one but I think the issue was due to some strange bug in the dashboard that was fixed recently. If anyone can still replicate this issue, please, let us know.

dbarrosop avatar Jan 07 '25 11:01 dbarrosop