
Hasura suggested that developers use serverless functions as event triggers. The way event triggers work is: when an event is emitted, a specific serverless function is called. However, even though Hasura deals with authentication & authorisation, serverless functions do not.

My solutions are:

  1. Validate the user from the serverless function (using the session variables sent by Hasura).
  2. Restrict access to the serverless functions (only the Hasura API can access them). Something like CORS.

Any thoughts on which one is best? I personally think the second one is best, but I don't really know whether it can be done.

Kai Sheng Tung

2 Answers


I would recommend a combination of:

  1. Set a custom header on the trigger in Hasura.
  2. Restrict the serverless function to only accept requests from Hasura (though I am not certain the domain/IP won't change, and I haven't tested this).

You can check for the presence of the supersecret header and check its value as a means of auth. See also the IP, which is my Hasura Cloud project's IP address. Here I am using Pipedream as the endpoint to test.


O. Mills
  • In case you are using AWS, you can use an [AWS API Gateway API key](https://awscdk.io/packages/@aws-cdk/aws-apigateway@1.25.0/#/./aws-apigateway-readme) with `X-API-Key` as the header from Hasura, as follows: `[{"name": "X-API-Key","value": "X-API-Key","type": "env"}]` – Yogeshwar Tanwar Sep 27 '21 at 22:10

If I understood you correctly, your solutions solve different problems.

> Validate the user from serverless functions (using the given session variables sent from Hasura).

If you want to verify the identity of the user who caused the event to trigger, you might be better off using actions. You can secure actions easily in the console.

> Restrict the access to serverless functions (only Hasura API can access). Something like cors.

If you want to restrict access to the serverless functions, you have several options, depending on your provider. Your options include:

  • add some special headers and verify them in each function, like in this answer

    • this is the least complex solution but rather tedious. At least use some kind of middleware to avoid code repetition
  • hide the functions behind a proxy, which will perform the validation

  • if you can, specify the list of allowed hosts (where your Hasura instance is running) for your functions

Jakub Orsula