The GraphQL API is protected by a permission system using roles. The permission system is based on JWT tokens. The user gets a JWT token upon login. This JWT token is being sent as a header with all GraphQL API requests to authenticate the user so correct permissions can be applied.
The JWT-token contains specific user information, such as user id. In the permission system in Hasura you can specify what a user is allowed to do based on ex the user id in the JWT-token and the data.
A comon use-case is to allow a user read something if
user_id in the database is equal to the user id (
x-hasura-user-id) in the JWT token.
By default, every user has the following session variables that can be used when creating permission rules:
x-hasura-user-id x-hasura-allowed-roles x-hasura-default-role
The default role for a user is
You can add more session variables (like
users.company_id) manually with custom user columns.
You handle permissions for a table in the Permissions tab.
Here is a popular approach for insert permission for logged in users. We'll break it down below the image.
namesince the other columns will be filled in with default values and we don't want users to override them.
user_idto be the value of
x-hasura-user-id(the user's id). This way, we make sure that the
user_idis securely set to the id of the user making the request.
Below follows a popular approach for select permission for logged in users. We'll break it down below the image.
user_id = x-hasura-user-id. In other words, users can only read their own data.
Update and Delete permissions usually follows the same rules as Select permissions.