feat: apply defaults for customClaims
Fixes #610
Before submitting this PR:
Checklist
- [x] No breaking changes
- [x] Tests pass
- [x] New features have new tests
- [x] Documentation is updated
Breaking changes
Avoid breaking changes and regressions. If you feel it is unavoidable, make it explicit in your PR comment so we can review it and see how to handle it.
Tests
- please make sure your changes pass the current tests (use the `make test` or the `make watch` command).
- if you are introducing a new feature, please write as many tests as possible.
Documentation
Please make sure the documentation is updated accordingly, in particular:
- Workflows. Workflows are Mermaid sequence diagrams
- Schema. The schema in a Mermaid ER diagram
- Environment variables. Please adjust the .env.example file accordingly
- OpenApi specifications. We are using inline JSDoc annotations
Would you mind testing and letting me know if it works? I applied a couple of patches that suggested that it didn't work
Sure @dbarrosop, is there a docker image published, or should I build it myself?
Use the dev environment in this repo. Once we confirm this is working we can build a beta image. If you don't know how to start the environment you can start with `make build-docker-image` and `make dev-env-up`.
With a locally built image, I am getting a 404 error for any of the Auth APIs, e.g.:

```
curl http://localhost:4000/v1/version
{"status":404,"message":"Route not found","error":"route-not-found"}
```
Try without /v1
Not working:

```
curl https://local.auth.local.nhost.run/version
404 page not found
```
Working with `make dev-env-up`, I can hit the API without /v1.
It would be nice if I could do an e2e test with `nhost up` with my real config in nhost.toml.
I guess the nhost CLI needs to be updated to support CustomClaimsDefaults.
@dbarrosop need your help. I need to test with my local nhost.toml for testing custom claims defaults coming from my database schema.
It will be hard to reproduce with build/dev/docker/docker-compose.yaml in nhost/hasura-auth to simulate my env.
So I tried:
- Build auth image in my branch with `make build-docker-image`
- Update my `nhost/nhost.toml` to use the new image `0.0.0-dev` and added `CustomClaimsDefaults`:

```toml
[auth]
# version = '0.37.1'
version = '0.0.0-dev'
[[auth.session.accessToken.customClaims]]
key = 'default-org'
value = 'defaultOrg'
[[auth.session.accessToken.customClaims]]
key = 'allowed-orgs'
value = 'allowedOrgs.orgId[]'
[[auth.session.accessToken.customClaims]]
key = 'user-email'
value = 'email'
[[auth.session.accessToken.CustomClaimsDefaults]]
key = 'default-org'
value = '00000000-0000-0000-0000-000000000000'
```
- Started stack normally with `nhost up --apply-seeds` to let it generate `.nhost/docker-compose.yaml` etc.
- Edited the generated `.nhost/docker-compose.yaml` file to add `AUTH_JWT_CUSTOM_CLAIMS_DEFAULTS`, as the nhost CLI does not yet add this variable:

```yaml
services:
  auth:
    image: nhost/hasura-auth:0.0.0-dev
    depends_on:
      graphql:
        condition: service_healthy
      postgres:
        condition: service_healthy
    environment:
      AUTH_API_PREFIX: /v1
      AUTH_CLIENT_URL: https://console.traefik.me:5173
      AUTH_JWT_CUSTOM_CLAIMS: '{"allowed-orgs":"allowedOrgs.orgId[]","default-org":"defaultOrg","user-email":"email"}'
      AUTH_JWT_CUSTOM_CLAIMS_DEFAULTS: '{"default-org":"00000000-0000-0000-0000-000000000000"}'
      AUTH_PORT: "4000"
      AUTH_SERVER_URL: https://local.auth.local.nhost.run/v1
      AUTH_SMTP_AUTH_METHOD: LOGIN
      ...
```
- Restarted stack with `docker compose --project-directory . -f .nhost/docker-compose.yaml -p spectacular up -d --wait --remove-orphans`
- In the auth server logs I see:

```
auth-1 | {"time":"2025-03-23T15:54:54.235071857Z","level":"INFO","msg":"auth v0.0.0-dev"}
auth-1 | {"time":"2025-03-23T15:54:54.235179732Z","level":"INFO","msg":"starting program","flags":{"api-prefix":"/v1","port":"4000","debug":{},"log-format-text":{},"postgres":"********","postgres-migrations":"********","node-server-path":"/nix/store/ch2cyq6y8ivkjv84gxxyxxvf6jk6dn3m-node-hasura-auth-hardcoded","disable-signup":{},"conceal-errors":{},"default-allowed-roles":{},"default-role":"user","default-locale":"en","allowed-locales":{},"disable-new-users":{},"gravatar-enabled":{},"gravatar-default":{"Enum":["blank","identicon","monsterid","wavatar","retro","robohash","mp","404"],"Default":"blank"},"gravatar-rating":{"Enum":["g","pg","r","x"],"Default":"g"},"refresh-token-expires-in":"********","access-tokens-expires-in":"********","hasura-graphql-jwt-secret":"********","email-verification-required":{},"smtp-host":"mailhog","smtp-port":1025,"smtp-secure":{},"smtp-user":"user","smtp-password":"********","smtp-sender":"[email protected]","smtp-api-header":"","smtp-auth-method":{"Enum":["LOGIN","PLAIN","CRAM-MD5"],"Default":"PLAIN"},"client-url":"https://console.traefik.me:5173","allow-redirect-urls":{},"server-url":"https://local.auth.local.nhost.run/v1","enable-change-env":{},"custom-claims":"{\"allowed-orgs\":\"allowedOrgs.orgId[]\",\"default-org\":\"defaultOrg\",\"user-email\":\"email\"}","graphql-url":"http://graphql:8080/v1/graphql","hasura-admin-secret":"********","password-min-length":"********","password-hibp-enabled":"********","templates-path":"/app/email-templates","block-email-domains":{},"block-emails":{},"allowed-email-domains":{},"allowed-emails":{},"email-passwordless-enabled":"********","require-elevated-claim":{"Enum":["disabled","recommended","required"],"Default":"disabled"},"webauthn-enabled":{},"webauthn-rp-name":"Spectacular Console App","webauthn-rp-id":"","webauthn-rp-origins":{},"webauthn-attestation-timeout":60000,"rate-limit-enable":{},"rate-limit-global-burst":100,"rate-limit-global-interval":900000000000,"rate-limit-email-burst":10,"rate-limit-email-interval":3600000000000,"rate-limit-email-is-global":{},"rate-limit-sms-burst":10,"rate-limit-sms-interval":3600000000000,"rate-limit-brute-force-burst":10,"rate-limit-brute-force-interval":300000000000,"rate-limit-signups-burst":100,"rate-limit-signups-interval":300000000000,"rate-limit-memcache-server":"","rate-limit-memcache-prefix":"","turnstile-secret":"********","apple-audience":"","google-audience":"","otp-email-enabled":{},"help":{},"version":{}}}
auth-1 | {"level":"info","message":"Log level: info"}
auth-1 | {"level":"info","message":"Waiting for Hasura to be ready..."}
auth-1 | {"level":"info","message":"Hasura is ready"}
auth-1 | {"level":"info","message":"Applying SQL migrations..."}
auth-1 | {"level":"info","message":"SQL migrations applied"}
auth-1 | {"level":"info","message":"Applying metadata..."}
auth-1 | {"level":"info","message":"Metadata applied"}
auth-1 | {"level":"info","message":"Running on port 4001"}
```

- In the logs, I was expecting to see `custom-claims-defaults` but don't see it.
- Either https://local.auth.local.nhost.run/v1/version or https://local.auth.local.nhost.run/version returns a 404 error.
Please advise if I am doing something wrong.
> In the logs, I was expecting to see custom-claims-defaults but don't see it.

I also don't see such a flag in this PR ;) I think you need to change coding agent, this one doesn't seem to be doing a good job :P Search for any other flag constant and you will see what you are missing.

> Either https://local.auth.local.nhost.run/v1/version or https://local.auth.local.nhost.run/version return 404 error.

No idea, if you are just running that command with the docker compose generated by the CLI, GET /v1/version should work. Based on the logs you shared I don't even see the request, so make sure you don't have something else running that might be intercepting the request. Otherwise, `curl -v` output plus auth logs might give some clues.
- As you suggested, I killed all docker processes and ran it again. Now both curl and the auth API are working as expected.
- I have the new flag `flagCustomClaimsDefaults` in the PR:

Sorry, too early. I need to apply the following schema changes that I used as a workaround for setting user.default-org to uuid_nil(). I should not need the workaround with this PR:
https://github.com/xmlking/spectacular/pull/350/files
Update:
Got JWT with PR
```shell
curl 'https://local.auth.local.nhost.run/v1/signin/email-password' \
  -H 'content-type: application/json' \
  --data-raw '{"email":"[email protected]","password":"xyz"}'
```

```json
{
  "exp": 1742784794,
  "https://hasura.io/jwt/claims": {
    "x-hasura-allowed-orgs": "{}",
    "x-hasura-allowed-roles": [
      "user",
      "me"
    ],
    "x-hasura-default-org": "null",
    "x-hasura-default-role": "user",
    "x-hasura-user-email": "[email protected]",
    "x-hasura-user-id": "cf76daf5-1b6b-4b4c-8585-4ce5c55fb25b",
    "x-hasura-user-is-anonymous": "false"
  },
  "iat": 1742783894,
  "iss": "hasura-auth",
  "sub": "cf76daf5-1b6b-4b4c-8585-4ce5c55fb25b"
}
```
Still debugging why the PR is not setting x-hasura-default-org to 00000000-0000-0000-0000-000000000000.
You don't have the flag configured, you have a constant defined but there is no flag defined. Proof of that is that it doesn't show during the initialization process.
Thanks @dbarrosop, fixed it. Also had to check for nil and fill in the default in ExtractClaims():

```go
// fall back to the configured default (or nil) when the claim path resolved to nothing
if got == nil {
	claims[name] = c.defaultOrNil(name)
} else {
	claims[name] = got
}
```

Unfortunately it looks like the tests for the older node code are not passing :(
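As an added illustration, not code from this PR or from hasura-auth itself, the Go sketch below shows how the two settings in this thread fit together: each custom-claim path from AUTH_JWT_CUSTOM_CLAIMS is resolved against a user record, and the value from AUTH_JWT_CUSTOM_CLAIMS_DEFAULTS is applied only when that path resolves to nil, never for an empty list. The path semantics of `allowedOrgs.orgId[]`, the `defaultOrNil` fallback to the literal `"null"` and the `x-hasura-` rendering are assumptions modelled on the examples and the JWT shown above.

```go
package main

import "fmt"
import "strings"

// Not hasura-auth's own code. Claims mirrors AUTH_JWT_CUSTOM_CLAIMS (claim name -> path into the user
// record); Defaults mirrors AUTH_JWT_CUSTOM_CLAIMS_DEFAULTS (claim name -> value used only when that path is nil).
type ClaimsConfig struct{ Claims, Defaults map[string]string }
// resolve walks a dotted path such as "allowedOrgs.orgId[]" (assumed semantics: "[]" marks an array segment, arrays are mapped over for the rest of the path, a missing key yields nil).
func resolve(node interface{}, path string) interface{} {
	if path == "" {
		return node
	}
	if arr, ok := node.([]interface{}); ok {
		out := make([]interface{}, 0, len(arr))
		for _, el := range arr {
			out = append(out, resolve(el, path))
		}
		return out
	}
	seg, rest, _ := strings.Cut(path, ".")
	obj, _ := node.(map[string]interface{}) // nil map for a non-object, so the lookup below yields nil
	return resolve(obj[strings.TrimSuffix(seg, "[]")], rest)
}
// defaultOrNil is the fallback named in the snippet above: the configured default, else the literal "null".
func (c ClaimsConfig) defaultOrNil(name string) string {
	if v, ok := c.Defaults[name]; ok {
		return v
	}
	return "null"
}
// ExtractClaims applies the nil check from the snippet: only nil takes the default; an empty list still renders "{}".
func ExtractClaims(c ClaimsConfig, user map[string]interface{}) map[string]string {
	claims := make(map[string]string, len(c.Claims))
	for name, path := range c.Claims {
		switch v := resolve(user, path).(type) {
		case nil:
			claims["x-hasura-"+name] = c.defaultOrNil(name)
		case []interface{}: // Hasura reads list claims as Postgres array literals, e.g. "{id1,id2}"
			parts := make([]string, len(v))
			for i, el := range v {
				parts[i] = fmt.Sprint(el)
			}
			claims["x-hasura-"+name] = "{" + strings.Join(parts, ",") + "}"
		default:
			claims["x-hasura-"+name] = fmt.Sprint(v)
		}
	}
	return claims
}
```

With the thread's configuration and a user that has no defaultOrg, this yields the all-zero UUID for x-hasura-default-org and "{}" for x-hasura-allowed-orgs; without a default configured it yields the literal "null", which is what the JWT above shows.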
Thanks, everything looks green. I will try to find some time to review and test a bit more thoroughly. The next 2-3 weeks are a bit packed for us but I will try to squeeze some time.
Just wanted to let you know I haven't forgotten about this but due to easter and other priorities I haven't had the time yet, sorry.
Understood, noticed you are working on many commits.
Hello, thanks, I think you tried to rebase but somehow it didn't go well as it is showing commits and changes unrelated to your PR. If it's easier feel free to just close the PR and open a new one (been there, done that millions of times)
Thanks for your patience.
Regards
Sure, will do next week. Thanks.