Skip to main content
Version: v3.x

Enabling Admin and Unauthenticated Requests

Each Hasura DDN project ships with an admin role by default which has access to all Models and Types in your supergraph. On the other hand, there's no concept for unauthenticated access to a supergraph. Below, we'll show you how to achieve both when using webhooks and Hasura DDN.

Making admin-level requests

To make an admin-level request, after updating up your AuthConfig, shape your webhook's response as follows:

Example response from your webhook to Hasura DDN
HTTP/1.1 200 OK
Content-Type: application/json

{
    "X-Hasura-Role": "admin",
}

Any request that triggers this response from your webhook will be treated as an admin request.

Your JWT claims should be unique for each role

When designing or implementing an auth server, it is crucial to generate JWTs with different claims for each user role so that each token enables the appropriate data access permissions for that user.

Making unauthenticated requests

To make an unauthenticated request (i.e., one that is publicly accessible without any authentication), you'll need to do a few things.

Step 1. Create the claims

In your authentication server, you can provide a response that identifies the user's role as public. This can be any name you wish, so long as it's not a role (such as admin) that already exists.

Example response from your webhook to Hasura DDN
HTTP/1.1 200 OK
Content-Type: application/json

{
    "X-Hasura-Role": "public",
}

Step 2. Update ModelPermissions

For whatever models you'd like to publicly expose, add a ModelPermissions rule for the public role.

Example ModelPermission for an Events Model
kind: ModelPermissions
version: v1
definition:
  modelName: Events
  permissions:
    - role: admin
      select:
        filter: null
    - role: public
      select:
        filter: null

Step 3. Update TypePermissions

Then, determine which types you'd like to publicly expose by updating TypePermissions. Hasura DDN gives you the ability to granularly determine which fields from each Model are available to each role.

Example TypePermissions for an Events Model
kind: TypePermissions
version: v1
definition:
  typeName: Events
  permissions:
    - role: admin
      output:
        allowedFields:
          - id
          - owner_id
          - created_at
          - updated_at
          - is_live
          - title
          - date
          - description
    - role: public
      output:
        allowedFields:
          - id
          - is_live
          - title
          - date
          - description

Step 4. Rebuild your supergraph

Once you've updated your metadata files, you can rebuild your supergraph and test it locally.

For example, from the root of your project, run:
ddn supergraph build local \
  --supergraph supergraph.yaml \
  --env-file .env

Step 5. Make an unauthenticated request

In basic examples, we're using the BearerAuthorization method. As such, as we can make a request to our Hasura DDN instance by including a header with the key-value of Authorization: Bearer <our-encoded-token-with-the-public-claims>. For testing, you can pass this value in the Hasura DDN console's header section.

© 2024 Hasura Inc. All rights reserved
Loading...