Safe Haskell	Safe-Inferred
Language	Haskell2010

Hasura.Server.Auth

Synopsis

class Monad m => UserAuthentication m where
- resolveUserInfo :: Logger Hasura -> Manager -> [Header] -> AuthMode -> Maybe ReqsText -> m (Either QErr (UserInfo, Maybe UTCTime, [Header], ExtraUserInfo))
data AdminSecretHash
unsafeMkAdminSecretHash :: Digest SHA512 -> AdminSecretHash
hashAdminSecret :: Text -> AdminSecretHash
data AuthMode
- = AMNoAuth
- | AMAdminSecret !(HashSet AdminSecretHash) !(Maybe RoleName)
- | AMAdminSecretAndHook !(HashSet AdminSecretHash) !AuthHook
- | AMAdminSecretAndJWT !(HashSet AdminSecretHash) ![JWTCtx] !(Maybe RoleName)
compareAuthMode :: AuthMode -> AuthMode -> IO Bool
setupAuthMode :: (MonadError Text m, MonadIO m, MonadBaseControl IO m) => HashSet AdminSecretHash -> Maybe AuthHook -> [JWTConfig] -> Maybe RoleName -> Logger Hasura -> Manager -> m AuthMode
mkJwtCtx :: (MonadIO m, MonadBaseControl IO m, MonadError Text m) => JWTConfig -> Logger Hasura -> Manager -> m JWTCtx
updateJwkCtx :: forall m. (MonadIO m, MonadBaseControl IO m) => AuthMode -> Manager -> Logger Hasura -> m ()
updateJwkFromUrl :: forall m. (MonadIO m, MonadBaseControl IO m) => JWTCtx -> Manager -> Logger Hasura -> m ()
getUserInfoWithExpTime :: forall m. (MonadIO m, MonadBaseControl IO m, MonadError QErr m) => Logger Hasura -> Manager -> [Header] -> AuthMode -> Maybe ReqsText -> m (UserInfo, Maybe UTCTime, [Header])
getUserInfoWithExpTime_ :: forall m mgr logger. (MonadIO m, MonadError QErr m) => (logger -> mgr -> AuthHook -> [Header] -> Maybe ReqsText -> m (UserInfo, Maybe UTCTime, [Header])) -> ([JWTCtx] -> [Header] -> Maybe RoleName -> m (UserInfo, Maybe UTCTime, [Header], Maybe JWTCtx)) -> logger -> mgr -> [Header] -> AuthMode -> Maybe ReqsText -> m (UserInfo, Maybe UTCTime, [Header])

Documentation

class Monad m => UserAuthentication m where Source #

Typeclass representing the UserInfo authorization and resolving effect

Methods

resolveUserInfo Source #

Arguments

:: Logger Hasura
-> Manager
-> [Header]	request headers
-> AuthMode
-> Maybe ReqsText
-> m (Either QErr (UserInfo, Maybe UTCTime, [Header], ExtraUserInfo))

Instances

Instances details

UserAuthentication AppM Source #
Instance details Defined in Hasura.App Methods resolveUserInfo :: Logger Hasura -> Manager -> [Header] -> AuthMode -> Maybe ReqsText -> AppM (Either QErr (UserInfo, Maybe UTCTime, [Header], ExtraUserInfo)) Source #

data AdminSecretHash Source #

The hashed admin password. hashAdminSecret is our public interface for constructing the secret.

To prevent misuse and leaking we keep this opaque and don't provide instances that could leak information. Likewise for AuthMode.

Although this exists only in memory we store only a hash of the admin secret primarily in order to:

prevent theoretical timing attacks from a naive == check
prevent misuse or inadvertent leaking of the secret

Instances

Instances details

Show AdminSecretHash Source #
Instance details Defined in Hasura.Server.Auth Methods showsPrec :: Int -> AdminSecretHash -> ShowS # show :: AdminSecretHash -> String # showList :: [AdminSecretHash] -> ShowS #
Eq AdminSecretHash Source #
Instance details Defined in Hasura.Server.Auth Methods (==) :: AdminSecretHash -> AdminSecretHash -> Bool # (/=) :: AdminSecretHash -> AdminSecretHash -> Bool #
Ord AdminSecretHash Source #
Instance details Defined in Hasura.Server.Auth Methods compare :: AdminSecretHash -> AdminSecretHash -> Ordering # (<) :: AdminSecretHash -> AdminSecretHash -> Bool # (<=) :: AdminSecretHash -> AdminSecretHash -> Bool # (>) :: AdminSecretHash -> AdminSecretHash -> Bool # (>=) :: AdminSecretHash -> AdminSecretHash -> Bool # max :: AdminSecretHash -> AdminSecretHash -> AdminSecretHash # min :: AdminSecretHash -> AdminSecretHash -> AdminSecretHash #
FromEnv AdminSecretHash Source #
Instance details Defined in Hasura.Server.Init.Env Methods fromEnv :: String -> Either String AdminSecretHash Source #
Hashable AdminSecretHash Source #
Instance details Defined in Hasura.Server.Auth Methods hashWithSalt :: Int -> AdminSecretHash -> Int Source # hash :: AdminSecretHash -> Int Source #

unsafeMkAdminSecretHash :: Digest SHA512 -> AdminSecretHash Source #

hashAdminSecret :: Text -> AdminSecretHash Source #

data AuthMode Source #

The methods we'll use to derive roles for authenticating requests.

Maybe RoleName below is the optionally-defined role for the unauthenticated (anonymous) user.

See: https://hasura.io/docs/latest/graphql/core/auth/authentication/unauthenticated-access.html

Constructors

AMNoAuth
AMAdminSecret !(HashSet AdminSecretHash) !(Maybe RoleName)
AMAdminSecretAndHook !(HashSet AdminSecretHash) !AuthHook
AMAdminSecretAndJWT !(HashSet AdminSecretHash) ![JWTCtx] !(Maybe RoleName)

Instances

Instances details

Show AuthMode Source #
Instance details Defined in Hasura.Server.Auth Methods showsPrec :: Int -> AuthMode -> ShowS # show :: AuthMode -> String # showList :: [AuthMode] -> ShowS #
Eq AuthMode Source #
Instance details Defined in Hasura.Server.Auth Methods (==) :: AuthMode -> AuthMode -> Bool # (/=) :: AuthMode -> AuthMode -> Bool #

compareAuthMode :: AuthMode -> AuthMode -> IO Bool Source #

In case JWT is used as an authentication mode, the JWKs are stored inside JWTCtx as an IORef. IORef has pointer equality, so we need to compare the values inside the IORef to check if the JWTCtx is same.

setupAuthMode :: (MonadError Text m, MonadIO m, MonadBaseControl IO m) => HashSet AdminSecretHash -> Maybe AuthHook -> [JWTConfig] -> Maybe RoleName -> Logger Hasura -> Manager -> m AuthMode Source #

Validate the user's requested authentication configuration, launching any required maintenance threads for JWT etc.

This must only be run once, on launch.

mkJwtCtx :: (MonadIO m, MonadBaseControl IO m, MonadError Text m) => JWTConfig -> Logger Hasura -> Manager -> m JWTCtx Source #

updateJwkCtx :: forall m. (MonadIO m, MonadBaseControl IO m) => AuthMode -> Manager -> Logger Hasura -> m () Source #

Update the JWK based on the expiry time specified in Expires header or Cache-Control header

updateJwkFromUrl :: forall m. (MonadIO m, MonadBaseControl IO m) => JWTCtx -> Manager -> Logger Hasura -> m () Source #

getUserInfoWithExpTime :: forall m. (MonadIO m, MonadBaseControl IO m, MonadError QErr m) => Logger Hasura -> Manager -> [Header] -> AuthMode -> Maybe ReqsText -> m (UserInfo, Maybe UTCTime, [Header]) Source #

Authenticate the request using the headers and the configured AuthMode.

getUserInfoWithExpTime_ Source #

Arguments

:: forall m mgr logger. (MonadIO m, MonadError QErr m)
=> (logger -> mgr -> AuthHook -> [Header] -> Maybe ReqsText -> m (UserInfo, Maybe UTCTime, [Header]))	mock `userInfoFromAuthHook`
-> ([JWTCtx] -> [Header] -> Maybe RoleName -> m (UserInfo, Maybe UTCTime, [Header], Maybe JWTCtx))	mock `processJwt`
-> logger
-> mgr
-> [Header]
-> AuthMode
-> Maybe ReqsText
-> m (UserInfo, Maybe UTCTime, [Header])