That's my question. I am using Hasura, and defining 'user' permissions.

Users are of course allowed to modify their own information, and not allowed to insert new records into my users table.

But when they signup, they should be allowed to insert themselves. So how can I define this permission?

To make my scenario more clear: I have a React app that uses an external OpenID provider. So a new user signs up there, and the provider returns a JWT to my app, containing a user I've never seen before. My app does not know that; it just sends the access token to the Hasura backend to retrieve further info about this user, using the 'user' role. But it uses a query which will automatically insert the user if not found.

raarts

4 Answers

In the user table, for the user role, you need to add a permission with a custom check. And the check should be user_id equals x-hasura-user-id.

{"id":{"_eq":"x-hasura-user-id"}}
Leonardo Alves
For non-logged-in users, leverage the anonymous role by setting the permissions that make sense for your use case: https://hasura.io/docs/1.0/graphql/manual/auth/authorization/common-roles-auth-examples.html#anonymous-not-logged-in-users

Edit after the comment:

Ah, I see. When the user comes to your app, your app goes and retrieves some data that it expects every user should have (for example, perhaps the user info stored in the user table). But since it's a new user, this info is not there.

At this point, your React app knows that:

  • there's someone with a legitimately signed JWT cookie (use a library to verify the signature) and
  • there's no user info from the backend. Therefore, the React app shows a "Welcome new user, wait while we're setting up your account".

Then the React app makes a mutation to a signup Hasura action you'll prepare. Once that returns, you proceed as usual (redirect the user to their home page).

rollingBalls
  • Sorry, I clarified my question a bit more after I read your and other answers. My app does not know that the user just signed up, so it will not indicate it has an anonymous role. Maybe I need to just return that the user does not exist, and then switch to the anonymous role to insert a record? Which would mean allowing the anonymous role unlimited insert permissions – raarts Jun 06 '20 at 12:42
There's really not a safe way to allow sign-ups without involving a backend service. It is a very bad idea to allow anonymous inserts into your user table, even if you added a unique constraint against a user ID or email address.

If you have the option of using NextJS, see the Hasura example for configuring NextAuth. This works by configuring your app with a protected API route that uses your Hasura app's ADMIN_SECRET to insert new users who have authenticated with a third-party.

If NextJS isn't an option, Hasura's Auth0 example similarly uses a callback method to insert an authenticated user if they don't exist.

spatialaustin

Use a Hasura action handler instead. Inside your handler, check whether the user already exists; if not, insert a new row.

fardown