Enabling Webhook Authentication
Introduction
You can enable your Hasura DDN instance to use an auth webhook in just a few steps.
Step 1. Shaping the webhook request and response
Request
Your webhook should accept either a GET or POST request. Below is an example of the request headers your webhook might process:
{
"headers": {
"Authorization": "Bearer some-token",
"Content-Type": "application/json"
}
}
When a request is sent to Hasura, these headers will be forwarded to your webhook.
Parsing
Your webhook is then responsible for parsing, validating, and using the token passed in the header. It will need to:
-
Extract the Token: Retrieve the Authorization header from the incoming request and extract the token.
-
Validate the Token: Use a library or your own logic to validate the token. This involves verifying the token's signature and decoding its payload to extract user information.
Response
Based on the validation result, the webhook will need to respond with either a 200 status code (for a valid token) or
a 401 status code (for an invalid or missing token).
To allow the GraphQL request to go through, your webhook must return a 200 status code. You should respond with
session variables beginning with X-Hasura-* in the body of your response. The value of each session variable can be
any JSON value. These will be available to your permissions in Hasura.
You will, at least, need to set the X-Hasura-Role session variable to let the Hasura DDN know which role to use for
this request. Unlike JWT auth mode, you do not have to pass
X-Hasura-Allowed-Roles or X-Hasura-Default-Role session variables. This is because the webhook is called for each
request, allowing the auth service to easily switch the user role if needed.
In the example below the X-Hasura-Is-Owner and X-Hasura-Custom are examples of custom session variables which can be
used to enforce permissions in your supergraph.
HTTP/1.1 200 OK
Content-Type: application/json
{
"X-Hasura-User-Id": 25,
"X-Hasura-Role": "user",
"X-Hasura-Is-Owner": "true",
"X-Hasura-Custom": "custom value"
}
Step 2. Update your AuthConfig
Hasura utilizes an AuthConfig object that allows you to define the configuration
for your authentication service. The auth-config.hml file can be found in your globals directory.
You can use
Hasura's VS Code extension
to scaffold out your AuthConfig object by typing AuthConfig and selecting this object from the list of available
options. As you navigate through the skeleton, you can type CTRL+SPACEBAR at any point to reveal options for the
different key-value pairs.
In the example below, we're demonstrating a sample authentication webhook.
kind: AuthConfig
version: v2
definition:
mode:
webhook:
url: http://auth_hook:3050/validate-request
method: Post
What we've provided above is a sample configuration. However, there are many options available, which you can learn about here.
Step 3. Rebuild your supergraph
Once you've updated your auth-config.hml, you can rebuild your supergraph and test it locally.
ddn supergraph build local \
--supergraph supergraph.yaml \
--env-file .env
Step 4. Make an authenticated request
In the example above, we're using the BearerAuthorization method. As such, as we can make a request to our Hasura DDN
instance by including a header with the key-value of Authorization: Bearer <our-encoded-token>. For testing, you can
pass this value in the Hasura DDN console's header section.
