
I am using Firebase Auth with a cloud function that passes the JWT to the client; however, there is no logic there for loading permissions, since the user is not registered yet, so he gets the x-hasura-default role. However, after I created the user, then in my Hasura itself I want to add the user to the group manager tables (from the admin console or from logic, doesn't matter), so now he should have the role 'manager'. Now, when he refreshes his page, there should be logic that queries the table of managers and loads the manager role. However, this logic of loading the permissions from this table is done when I have already received the signed JWT with only the default role, so the only option I have is to pass the manager role in x-hasura-role in the header of the request. However, this is insecure, since it is not part of the JWT and it can be altered by a smart user.

Is there anything I am missing here about the process? Or is there another way of doing this?

  • You need to find a way to communicate to Firebase in the frontend that it needs to refresh its token. https://stackoverflow.com/a/38233818/4717424 Maybe a subscription looking at a field in the DB? – Arjun Yelamanchili Oct 04 '22 at 18:47
  • To be honest I believe it's a bit overkill; the Hasura docs don't mention something like this anywhere. I think that I will just do a web hook that on every request checks the permission, which is a bit strange since according to the docs it's either web hooks or JWT, not both... – Alon Goldberg Oct 04 '22 at 18:51
  • You can only have one enabled at a time and ideally you stick with the JWT mode. I am not sure how your business flow works but basically you need a way to refresh your token when the role has changed. Or something such as instructing the user to login and logout if the permissions aren't what they expect. – Arjun Yelamanchili Oct 04 '22 at 19:13
  • Ok, I will look for something like this, thank you – Alon Goldberg Oct 04 '22 at 20:33

0 Answers