Unauthenticated / Public access¶
Table of contents
Introduction¶
It is a common requirement to have requests which are accessible to all users without the need for any authentication (logging in). For example, to display a public feed of events.
Once you have configured an admin secret, by default Hasura GraphQL engine will reject any unauthenticated request it receives.
You can configure Hasura GraphQL engine to allow access to unauthenticated users by defining a specific role which will be set for all unauthenticated requests. Once an unauthenticated role is configured, unauthenticated requests will not be rejected and instead the request will be made with the configured role.
This role can then be used to define the permissions for unauthenticated users as described in Authorization / Access control. A guide on setting up unauthenticated user permissions can be found here.
Risk of using session variables
It is recommended to not use session variables in the permissions of an unauthenticated role because the source of the session variables cannot be trusted. As session variables can be passed using request headers, a user can choose to send any values for them and it needs to be ensured that they can’t get access to sensitive data just by setting different values for their session variables.
Configuring unauthenticated / public access¶
An unauthenticated role can be configured for the following scenarios: no auth setup, webhook auth setup or JWT auth setup.
No auth setup¶
With no auth setup, every request is considered an unauthenticated request.
You can use the env variable HASURA_GRAPHQL_UNAUTHORIZED_ROLE
or the --unauthorized-role
flag to set a role
for unauthenticated (non-logged in) users. See GraphQL Engine server config reference for more details
on setting this flag/env var.
Webhooks¶
For webhook authentication, any request for which the webhook returns a 401 Unauthorized
response
is considered an unauthenticated request.
To allow unauthenticated access, the auth webhook should return a 200
status response with your unauthenticated role in the headers. For details on the webhook response, refer to this section.
JWT¶
For JWT authentication, any request which does not contain a JWT token is considered an unauthenticated request.
You can use the env variable HASURA_GRAPHQL_UNAUTHORIZED_ROLE
or the --unauthorized-role
flag to set a role
for unauthenticated (non-logged in) users. See GraphQL Engine server config reference for more details
on setting this flag/env var.
Additional Resources
Enterprise Grade Authorization - Watch Webinar.