Copyright | Hasura |
---|---|
Safe Haskell | Safe-Inferred |
Language | Haskell2010 |
This module implements the bulk of Hasura's JWT capabilities and interactions.
Its main point of non-testing invocation is Auth.
It exports both processJwt and processJwt_, with processJwt_ containing the majority of the implementation; the JWT token processing function is passed in as an argument in order to enable mocking in test code.
In processJwt_, prior to validation of the token, the token locations and issuers are first reconciled. Locations are either specified as auth or cookie (with cookie name) or assumed to be auth. Issuers can be omitted or specified, where an omitted configured issuer can match any issuer specified by a request.
If none match, then this is considered a no-auth request; if exactly one matches, then normal token auth is performed; and if multiple match, then this is considered an ambiguity error.
Synopsis
- data RawJWT
- data JWTClaimsFormat
- data JWTHeader
- defaultClaimsFormat :: JWTClaimsFormat
- allowedRolesClaim :: SessionVariable
- defaultRoleClaim :: SessionVariable
- defaultClaimsNamespace :: Text
- data JWTCustomClaimsMapValueG v
- type JWTCustomClaimsMapDefaultRole = JWTCustomClaimsMapValueG RoleName
- type JWTCustomClaimsMapAllowedRoles = JWTCustomClaimsMapValueG [RoleName]
- type JWTCustomClaimsMapValue = JWTCustomClaimsMapValueG SessionVariableValue
- data JWTCustomClaimsMap = JWTCustomClaimsMap {
- jcmDefaultRole :: !JWTCustomClaimsMapDefaultRole
- jcmAllowedRoles :: !JWTCustomClaimsMapAllowedRoles
- jcmCustomClaims :: !CustomClaimsMap
- data JWTNamespace
- data JWTClaims
- newtype StringOrURI = StringOrURI {}
- data JWTConfig = JWTConfig {
- jcKeyOrUrl :: !(Either JWK URI)
- jcAudience :: !(Maybe Audience)
- jcIssuer :: !(Maybe StringOrURI)
- jcClaims :: !JWTClaims
- jcAllowedSkew :: !(Maybe NominalDiffTime)
- jcHeader :: !(Maybe JWTHeader)
- data JWTCtx = JWTCtx {
- jcxUrl :: !(Maybe URI)
- jcxKeyConfig :: !(IORef (JWKSet, Maybe UTCTime))
- jcxAudience :: !(Maybe Audience)
- jcxIssuer :: !(Maybe StringOrURI)
- jcxClaims :: !JWTClaims
- jcxAllowedSkew :: !(Maybe NominalDiffTime)
- jcxHeader :: !JWTHeader
- fetchAndUpdateJWKs :: (MonadIO m, MonadBaseControl IO m) => Logger Hasura -> Manager -> URI -> IORef (JWKSet, Maybe UTCTime) -> m ()
- fetchJwk :: (MonadIO m, MonadBaseControl IO m, MonadError JwkFetchError m) => Logger Hasura -> Manager -> URI -> m (JWKSet, ResponseHeaders)
- determineJwkExpiryLifetime :: forall m. (MonadIO m, MonadError JwkFetchError m) => m UTCTime -> Logger Hasura -> ResponseHeaders -> m (Maybe UTCTime)
- type ClaimsMap = HashMap SessionVariable Value
- tokenIssuer :: RawJWT -> Maybe StringOrURI
- processJwt :: (MonadIO m, MonadError QErr m) => [JWTCtx] -> RequestHeaders -> Maybe RoleName -> m (UserInfo, Maybe UTCTime, [Header], Maybe JWTCtx)
- processJwt_ :: MonadError QErr m => (JWTCtx -> ByteString -> m (ClaimsMap, Maybe UTCTime)) -> (RawJWT -> Maybe StringOrURI) -> (JWTCtx -> JWTHeader) -> [JWTCtx] -> RequestHeaders -> Maybe RoleName -> m (UserInfo, Maybe UTCTime, [Header], Maybe JWTCtx)
- parseClaimsMap :: MonadError QErr m => ClaimsSet -> JWTClaims -> m ClaimsMap
Documentation
data JWTClaimsFormat Source #
Instances
Instances
FromJSON JWTHeader Source # | |
ToJSON JWTHeader Source # | |
Generic JWTHeader Source # | |
Show JWTHeader Source # | |
Eq JWTHeader Source # | |
Hashable JWTHeader Source # | |
type Rep JWTHeader Source # | |
Defined in Hasura.Server.Auth.JWT type Rep JWTHeader = D1 ('MetaData "JWTHeader" "Hasura.Server.Auth.JWT" "graphql-engine-1.0.0-inplace" 'False) (C1 ('MetaCons "JHAuthorization" 'PrefixI 'False) (U1 :: Type -> Type) :+: C1 ('MetaCons "JHCookie" 'PrefixI 'False) (S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Text))) |
data JWTCustomClaimsMapValueG v Source #
JWTCustomClaimsMapValueG is used to represent a single value of the JWTCustomClaimsMap. A JWTCustomClaimsMapValueG can either be a JSON object or the literal value of the claim. If the value is a JSON object, then it should contain a key path, which is the JSON path to the claim value in the JWT token. There is also an option to specify a default value in the map via the 'default' key, which will be used when a peek at the JWT token using the JSON path fails (key does not exist).
JWTCustomClaimsMapJSONPath !JSONPath !(Maybe v) | JSON path to the key in the claims map; if the key does not exist in the claims map, the default value will be used (if provided) |
JWTCustomClaimsMapStatic !v |
Instances
data JWTCustomClaimsMap Source #
JWTClaimsMap is an option to provide a custom JWT claims map. The JWTClaimsMap should be specified in the claims_map of the HASURA_GRAPHQL_JWT_SECRET. The JWTClaimsMap, if specified, requires two mandatory fields, namely `x-hasura-allowed-roles` and `x-hasura-default-role`; other claims may also be provided in the claims map.
JWTCustomClaimsMap | |
|
Instances
FromJSON JWTCustomClaimsMap Source # | |
Defined in Hasura.Server.Auth.JWT parseJSON :: Value -> Parser JWTCustomClaimsMap Source # parseJSONList :: Value -> Parser [JWTCustomClaimsMap] Source # | |
ToJSON JWTCustomClaimsMap Source # | |
Defined in Hasura.Server.Auth.JWT toJSON :: JWTCustomClaimsMap -> Value Source # toEncoding :: JWTCustomClaimsMap -> Encoding Source # toJSONList :: [JWTCustomClaimsMap] -> Value Source # toEncodingList :: [JWTCustomClaimsMap] -> Encoding Source # | |
Show JWTCustomClaimsMap Source # | |
Defined in Hasura.Server.Auth.JWT showsPrec :: Int -> JWTCustomClaimsMap -> ShowS # show :: JWTCustomClaimsMap -> String # showList :: [JWTCustomClaimsMap] -> ShowS # | |
Eq JWTCustomClaimsMap Source # | |
Defined in Hasura.Server.Auth.JWT (==) :: JWTCustomClaimsMap -> JWTCustomClaimsMap -> Bool # (/=) :: JWTCustomClaimsMap -> JWTCustomClaimsMap -> Bool # |
data JWTNamespace Source #
JWTNamespace is used to locate the claims map within the JWT token. The location can be either provided via a JSON path or the name of the key in the JWT token.
Instances
ToJSON JWTNamespace Source # | |
Defined in Hasura.Server.Auth.JWT toJSON :: JWTNamespace -> Value Source # toEncoding :: JWTNamespace -> Encoding Source # toJSONList :: [JWTNamespace] -> Value Source # toEncodingList :: [JWTNamespace] -> Encoding Source # | |
Show JWTNamespace Source # | |
Defined in Hasura.Server.Auth.JWT showsPrec :: Int -> JWTNamespace -> ShowS # show :: JWTNamespace -> String # showList :: [JWTNamespace] -> ShowS # | |
Eq JWTNamespace Source # | |
Defined in Hasura.Server.Auth.JWT (==) :: JWTNamespace -> JWTNamespace -> Bool # (/=) :: JWTNamespace -> JWTNamespace -> Bool # |
Instances
newtype StringOrURI Source #
Hashable wrapper for constructing a HashMap of JWTConfigs.
Instances
The JWT configuration we got from the user.
JWTConfig | |
|
The validated runtime JWT configuration returned by mkJwtCtx in setupAuthMode.
JWTCtx | |
|
fetchAndUpdateJWKs :: (MonadIO m, MonadBaseControl IO m) => Logger Hasura -> Manager -> URI -> IORef (JWKSet, Maybe UTCTime) -> m () Source #
An action that fetches the JWKs and updates the expiry time and JWKs in the IORef.
fetchJwk :: (MonadIO m, MonadBaseControl IO m, MonadError JwkFetchError m) => Logger Hasura -> Manager -> URI -> m (JWKSet, ResponseHeaders) Source #
Given a JWK URL, fetch the JWK set from it.
determineJwkExpiryLifetime :: forall m. (MonadIO m, MonadError JwkFetchError m) => m UTCTime -> Logger Hasura -> ResponseHeaders -> m (Maybe UTCTime) Source #
First check for the Cache-Control header; if it is not found, look for the Expires header.
tokenIssuer :: RawJWT -> Maybe StringOrURI Source #
Extract the issuer from a bearer token _without_ verifying it. The result is used only to select a matching JWTCtx ahead of validation (see the module description); it is not an authenticated claim until the token itself has been verified.
processJwt :: (MonadIO m, MonadError QErr m) => [JWTCtx] -> RequestHeaders -> Maybe RoleName -> m (UserInfo, Maybe UTCTime, [Header], Maybe JWTCtx) Source #
Process the request headers to verify the JWT and extract UserInfo from it. From the JWT config, we check which header to expect; it can be the Authorization or Cookie header.
If no Authorization/Cookie header was passed, we will fall back to the unauthenticated user role [1], if one was configured at server start.
When no 'x-hasura-user-role' is specified in the request, the mandatory 'x-hasura-default-role' [2] from the JWT claims will be used.
:: MonadError QErr m | |
=> ClaimsSet | Unregistered JWT claims |
-> JWTClaims | Claims config |
-> m ClaimsMap | Hasura claims and other claims |
Parse the claims map from the JWT token or the custom claims from the JWT config.