Public Access
Introduction
In this recipe, you'll learn how to configure permissions to allow for unauthenticated access to data in your supergraph. This can be done by creating a role and setting the filter field to null.
Any requests made to your supergraph with the configuration demonstrated below will have unauthenticated access to whatever resources you allow. Use with caution!
Before continuing, ensure you have:
- A local Hasura DDN project.
- Either JWT or Webhook mode enabled in your AuthConfig.
Recipe
Step 1. Create the claims
In your authentication server, you can provide a claims map that identifies the default role as public. This can be any name you wish, so long as it's not a role (such as admin) that already exists.
{
  "claims.jwt.hasura.io": {
    "x-hasura-default-role": "public",
    "x-hasura-allowed-roles": ["public"]
  }
}
Step 2. Update ModelPermissions
For whatever models you'd like to publicly expose, add a ModelPermissions rule for the public role.
kind: ModelPermissions
version: v1
definition:
  modelName: Events
  permissions:
    - role: admin
      select:
        filter: null
    - role: public
      select:
        filter: null
Step 3. Update TypePermissions
Then, determine which types you'd like to publicly expose by updating TypePermissions. Hasura DDN gives you the ability to granularly determine which fields from each Model are available to each role.
kind: TypePermissions
version: v1
definition:
  typeName: Events
  permissions:
    - role: admin
      output:
        allowedFields:
          - id
          - owner_id
          - created_at
          - updated_at
          - is_live
          - title
          - date
          - description
    - role: public
      output:
        allowedFields:
          - id
          - is_live
          - title
          - date
          - description
Step 4. Test your permissions
Create a new build of your supergraph:
ddn supergraph build local
Then, in a request, pass a header with the role you identified earlier according to your authentication configuration. You should see a schema limited to whatever ModelPermissions you defined for your new role and — when executing a query — only see data meeting the filtering rule you included in the first step.
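Before shipping a build with a public role, it helps to check offline which models that role can read with no row filter and which fields it sees. The following is an added example, not part of the original recipe or of Hasura's tooling; the function names, the approved-fields map and the model-to-type mapping are assumptions made for illustration.

```python
# Added example, not Hasura code. DOCS is constructed: the page's two Events
# objects written as the dicts a YAML parser would return for them.
DOCS = [
    {"kind": "ModelPermissions", "definition": {
        "modelName": "Events",
        "permissions": [{"role": "admin", "select": {"filter": None}},
                        {"role": "public", "select": {"filter": None}}]}},
    {"kind": "TypePermissions", "definition": {
        "typeName": "Events",
        "permissions": [
            {"role": "admin", "output": {"allowedFields": [
                "id", "owner_id", "created_at", "updated_at",
                "is_live", "title", "date", "description"]}},
            {"role": "public", "output": {"allowedFields": [
                "id", "is_live", "title", "date", "description"]}}]}},
]


def _rules(docs, kind, role):
    """Yield (definition, permission) pairs of one kind for one role."""
    for doc in docs:
        if doc.get("kind") == kind:
            for perm in doc["definition"].get("permissions", []):
                if perm.get("role") == role:
                    yield doc["definition"], perm


def exposure(docs, role, model_types=None):
    """Return {model: {"unfiltered": bool, "fields": [...]}} for a role.
    model_types maps model -> type name; assumed identical if omitted."""
    fields = {d["typeName"]: p.get("output", {}).get("allowedFields", [])
              for d, p in _rules(docs, "TypePermissions", role)}
    report = {}
    for d, p in _rules(docs, "ModelPermissions", role):
        if "select" in p:
            type_name = (model_types or {}).get(d["modelName"], d["modelName"])
            report[d["modelName"]] = {
                # A null (or absent) filter means every row is selectable.
                "unfiltered": p["select"].get("filter") is None,
                "fields": fields.get(type_name, [])}
    return report


def unapproved(docs, role, approved):
    """Return {model: [fields]} readable by role but absent from approved."""
    extra = {m: [f for f in info["fields"] if f not in approved.get(m, [])]
             for m, info in exposure(docs, role).items()}
    return {m: fs for m, fs in extra.items() if fs}
```

Running unapproved() against a reviewed list of fields per model makes an accidental addition to the public role's allowedFields show up as a non-empty result.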
Wrapping up
In this guide, you learned how to expose data in your supergraph to users without any authentication. This is valuable for any public-facing resources clients may need to access.
As you continue building out your supergraph, keep in mind that authentication and authorization are crucial components. Always validate your configuration and regularly test your setup to ensure it functions as expected across different roles and environments.
Learn more about authorization and authentication
- Authorization with Hasura DDN
- Permissions with Hasura DDN
- Authentication with Hasura DDN