Releases: nhost/hasura-auth

Release 0.2.0

03 Feb 14:08

0.2.0 (2022-02-03)

What's new

Custom JWT claims

Hasura comes with a powerful authorisation system. Hasura Auth is already configured to add x-hasura-user-id, x-hasura-allowed-roles, and x-hasura-user-isAnonymous to the JSON Web Tokens it generates.

This release introduces the ability to define custom claims to add to the JWT, so they can be used by Hasura to determine the permissions of the received GraphQL operation.

Each custom claim is defined by a pair of a key and a value:

  • The key determines the name of the claim, prefixed by x-hasura. For instance, organisation-id will become x-hasura-organisation-id.
  • The value is a representation of the path to follow to determine the value of the claim. For instance, profile.organisation.id will look for the user.profile Hasura relationship, and then the profile.organisation Hasura relationship. Array values are transformed into Postgres syntax so Hasura can interpret them. See the official Hasura documentation to understand the session variables format.

AUTH_JWT_CUSTOM_CLAIMS={"organisation-id":"profile.organisation.id", "project-ids":"profile.contributesTo.project.id"}

With this configuration, Hasura Auth will automatically generate and fetch the following GraphQL query:

{
  user(id: "<user-id>") {
    profile {
      organisation {
        id
      }
      contributesTo {
        project {
          id
        }
      }
    }
  }
}

It will then use the same expressions, e.g. profile.contributesTo.project.id, to evaluate the result with JSONata, and possibly transform arrays into Hasura-readable PostgreSQL arrays. Finally, it adds the custom claims to the JWT in the https://hasura.io/jwt/claims namespace:

{
  "https://hasura.io/jwt/claims": {
    "x-hasura-organisation-id": "8bdc4f57-7d64-4146-a663-6bcb05ea2ac1",
    "x-hasura-project-ids": "{\"3af1b33f-fd0f-425e-92e2-0db09c8b2e29\",\"979cb94c-d873-4d5b-8ee0-74527428f58f\"}",
    "x-hasura-allowed-roles": [ "me", "user" ],
    "x-hasura-default-role": "user",
    "x-hasura-user-id": "121bbea4-908e-4540-ac5d-52c7f6f93bec",
    "x-hasura-user-isAnonymous": "false"
  },
  "sub": "f8776768-4bbd-46f8-bae1-3c40da4a89ff",
  "iss": "hasura-auth",
  "iat": 1643040189,
  "exp": 1643041089
}
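
The claim-generation steps described above, as an added JavaScript sketch that is not hasura-auth's own code: it builds the GraphQL selection from the configured paths, evaluates each path with a simplified stand-in for JSONata, and renders arrays as PostgreSQL array literals. The function names, and the choice to omit a claim whose path resolves to nothing, are assumptions.

```javascript
// Added illustration, not hasura-auth source; all function names are hypothetical.
const CUSTOM_CLAIMS = {            // mapping from the release notes
  'organisation-id': 'profile.organisation.id',
  'project-ids': 'profile.contributesTo.project.id',
};
const SAMPLE_USER = { profile: {   // constructed query result
  organisation: { id: '8bdc4f57-7d64-4146-a663-6bcb05ea2ac1' },
  contributesTo: [{ project: { id: '3af1b33f-fd0f-425e-92e2-0db09c8b2e29' } },
                  { project: { id: '979cb94c-d873-4d5b-8ee0-74527428f58f' } }],
} };
// Merge the dotted paths into one tree, then render it as a GraphQL selection set.
function selectionSet(paths) {
  const tree = {};
  for (const path of paths) {
    let node = tree;
    for (const field of path.split('.')) node = node[field] || (node[field] = {});
  }
  const render = (t) => Object.entries(t)
    .map(([f, sub]) => (Object.keys(sub).length ? `${f} { ${render(sub)} }` : f))
    .join(' ');
  return render(tree);
}

// Simplified stand-in for JSONata: each step maps over arrays and flattens them.
function evaluatePath(data, path) {
  let current = [data];
  let sawArray = false;
  for (const field of path.split('.')) {
    current = current.flatMap((item) => {
      const value = item == null ? undefined : item[field];
      if (Array.isArray(value)) sawArray = true;
      return value == null ? [] : value;
    });
  }
  if (current.length === 0) return undefined;
  return sawArray ? current : current[0];
}
// PostgreSQL array literal; double quotes and backslashes in elements are escaped.
const toPostgresArray = (values) =>
  `{${values.map((v) => `"${String(v).replace(/(["\\])/g, '\\$1')}"`).join(',')}}`;
function buildCustomClaims(mapping, user) {
  const claims = {};
  for (const [name, path] of Object.entries(mapping)) {
    const value = evaluatePath(user, path);
    if (value === undefined) continue; // assumption: an unresolved path adds no claim
    claims[`x-hasura-${name}`] = Array.isArray(value) ? toPostgresArray(value) : String(value);
  }
  return claims;
}
```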

metadata user field

The metadata field is a basic JSONB column in the auth.users table. It is passed on as an option on registration:

{
  "email": "[email protected]",
  "password": "12345678",
  "options": {
    "metadata": {
      "first_name": "Bob"
    }
  }
}

Remote custom email templates

When running Hasura Auth in its own infrastructure, it is possible to mount a volume with a custom email-templates directory. However, in some cases, we may want to fetch templates from an external HTTP endpoint. Hence the introduction of a new AUTH_EMAIL_TEMPLATE_FETCH_URL environment variable:

AUTH_EMAIL_TEMPLATE_FETCH_URL=https://github.com/nhost/nhost/tree/custom-email-templates-example/examples/custom-email-templates

In the above example, on every email creation, the server will use this URL to fetch its templates, depending on the locale, email type and field.

For instance, the template for the English verification email body will be fetched from https://raw.githubusercontent.com/nhost/nhost/custom-email-templates-example/examples/custom-email-templates/en/email-verify/body.html.

See the example in the main nhost/nhost repository.

The context variables in email templates have been simplified: the ${link} variable contains the entire redirection URL the recipient needs to follow.

Changelog

Bug Fixes

  • allow redirect URLs in OAuth that start with the one defined in the server (c00bff8)
  • email-templates: fallback to the default template when the requested template doesn't exist (6a70c10)
  • email-templates: use the locale given as an option, then the existing user locale, then default (31d4a89)
  • metadata: show column values when the column name is the same as the graphql field name (a595941), closes #76
  • passwordless: don't send passwordless email when the user is disabled (3ec9c76)
  • remove email-templates endpoint (5c6dbf5), closes #75

Features

  • custom claims (01c0207), closes #49
  • implement remote email templates with AUTH_EMAIL_TEMPLATE_FETCH_URL (2458651)
  • simplify email templates context (b94cdf2), closes #64
  • use array custom JWT claims (53a286a)

BREAKING CHANGES

  • deactivate the /email-templates endpoint

Release 0.1.0

18 Jan 21:18

0.1.0 (2022-01-18)

Bug Fixes

  • better error message for redirectTo (#59) (0b76425)
  • everything (da8c954)
  • keep .env for dev in repo and updated hasura version to m1 supported image (#60) (394d4ae)
  • password: validate password on change (#58) (994af31)
  • user: fix user schemas (#52) (c7eb721)

Features

  • emails: translate email templates to french (#63) (109695f)

Performance Improvements

  • reduce docker image from 477MB to 176MB (5f4d2b2)

v0.0.1-canary.0

23 Jun 13:43
0aa0a6d
Pre-release