0

I am working on a food delivery webapp. So there will be two types of users: 1. customer, 2. vendor. I can set custom permissions on tables for the two users in the Hasura console. Now how do I implement the authentication setup where a user can sign up/log in to the website with these two different roles? In Auth0 or Firebase we can't have that feature. So a custom auth server is the only option. So my question here is: how do I run the JWT script that we run in Auth0 to pass those session variables?

function (user, context, callback) {
  const namespace = "https://hasura.io/jwt/claims";
  context.idToken[namespace] = {
    'x-hasura-default-role': 'user',
    // do some custom logic to decide allowed roles
    'x-hasura-allowed-roles': ['user'],
    'x-hasura-user-id': user.user_id
  };
  callback(null, user, context);
}

And do I need to write this auth service as a custom resolver and add it as a remote schema? How do I run the database operation in the resolver?

Sujoy Saha

1 Answer

0

Can I implement this auth-server as a remote schema or do I need to run a separate node server?

Yes, you can implement auth-server as a remote schema! You just have to ensure your remote schema can be accessed by an "anonymous" role, bypassing JWT mode that's applied to the rest of the authenticated gql endpoint.

It might be necessary sometimes to bypass Hasura’s authorization system (calling the configured webhook, or validating the JWT), for queries that are for a remote GraphQL server. For example, you have a remote GraphQL server which does authentication, i.e. signup and login, and you have added it as a remote schema. In this case, you would not want to perform Hasura’s authorization when the user is making a login/signup request.

Relevant documentation: https://hasura.io/docs/1.0/graphql/core/remote-schemas/schema-auth.html#bypassing-hasura-s-authorization-system-for-remote-schema-requests

And: https://hasura.io/docs/1.0/graphql/manual/auth/authentication/unauthenticated-access.html.


If implementing your own auth server, there are two options or "modes" (Webhooks or JWT) as detailed here: https://hasura.io/docs/1.0/graphql/manual/auth/authentication/index.html. The diagrams are very helpful!

After setting one of the options up, Hasura will automatically authenticate your requests (before any query or mutation is ever run). You don't need to write a custom resolver and add it as a remote schema.

Hasura can be configured with environment variables (HASURA_GRAPHQL_AUTH_HOOK, HASURA_GRAPHQL_AUTH_HOOK_MODE or HASURA_GRAPHQL_JWT_SECRET) or flags when running the GraphQL engine (--auth-hook or --jwt-secret), and depending on what you choose you must fit the spec detailed in the docs (how the auth server should respond, or configure the token).

bootsa
avimoondra
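
For the JWT mode mentioned in the answer, this is an added sketch (not code from the question or the answer) of how a custom auth server could issue the same claims the Auth0 rule sets, with one role per user. It assumes HS256 with the key also configured in HASURA_GRAPHQL_JWT_SECRET, roles named `customer` and `vendor` in the Hasura console, and hypothetical function names.

```javascript
// Added example. Claim names come from the rule in the question; the rest is assumed.
// Assumes Hasura runs with HASURA_GRAPHQL_JWT_SECRET='{"type":"HS256","key":"<same key>"}'.
const nodeCrypto = require("node:crypto");

const NAMESPACE = "https://hasura.io/jwt/claims";
const ROLES = new Set(["customer", "vendor"]); // assumed role names
const b64url = (input) => Buffer.from(input).toString("base64url");
const mac = (data, key) => nodeCrypto.createHmac("sha256", key).update(data).digest();

// Session variables for one user. `role` must be read from the user's
// database row after login, never taken from the request body.
function hasuraClaims(userId, role) {
  if (!ROLES.has(role)) throw new Error(`unknown role: ${role}`);
  return {
    "x-hasura-default-role": role,
    "x-hasura-allowed-roles": [role], // a vendor token cannot switch to customer
    "x-hasura-user-id": String(userId),
  };
}

// Issue a short-lived HS256 token carrying the Hasura claims.
function signToken(userId, role, key, ttlSeconds = 900, now = Date.now()) {
  const iat = Math.floor(now / 1000);
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({
    sub: String(userId), iat, exp: iat + ttlSeconds,
    [NAMESPACE]: hasuraClaims(userId, role),
  }));
  return `${header}.${payload}.${b64url(mac(`${header}.${payload}`, key))}`;
}

// Local check of a token: structure, MAC (constant-time compare), then expiry.
function verifyToken(token, key, now = Date.now()) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const expected = mac(`${parts[0]}.${parts[1]}`, key);
  const given = Buffer.from(parts[2], "base64url");
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected))
    throw new Error("bad signature");
  const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString());
  if (claims.exp <= Math.floor(now / 1000)) throw new Error("token expired");
  return claims;
}
```

The login/signup handler would call `signToken` after checking the password, and the client sends the result as a bearer token on its GraphQL requests.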