Safe Haskell | None |
---|---|
Language | Haskell2010 |
Synopsis
- class Monad m => UserAuthentication m where
- newtype AdminSecretHash = AdminSecretHash (Digest SHA512)
- unsafeMkAdminSecretHash :: Digest SHA512 -> AdminSecretHash
- hashAdminSecret :: Text -> AdminSecretHash
- data AuthMode
- = AMNoAuth
- | AMAdminSecret !(HashSet AdminSecretHash) !(Maybe RoleName)
- | AMAdminSecretAndHook !(HashSet AdminSecretHash) !AuthHook
- | AMAdminSecretAndJWT !(HashSet AdminSecretHash) ![JWTCtx] !(Maybe RoleName)
- setupAuthMode :: (ForkableMonadIO m, HasReporter m) => HashSet AdminSecretHash -> Maybe AuthHook -> [JWTConfig] -> Maybe RoleName -> Manager -> Logger Hasura -> ExceptT Text (ManagedT m) AuthMode
- getUserInfoWithExpTime :: forall m. (MonadIO m, MonadBaseControl IO m, MonadError QErr m, MonadTrace m) => Logger Hasura -> Manager -> [Header] -> AuthMode -> Maybe ReqsText -> m (UserInfo, Maybe UTCTime, [Header])
- getUserInfoWithExpTime_ :: forall m mgr logger. (MonadIO m, MonadError QErr m) => (logger -> mgr -> AuthHook -> [Header] -> Maybe ReqsText -> m (UserInfo, Maybe UTCTime, [Header])) -> ([JWTCtx] -> [Header] -> Maybe RoleName -> m (UserInfo, Maybe UTCTime, [Header])) -> logger -> mgr -> [Header] -> AuthMode -> Maybe ReqsText -> m (UserInfo, Maybe UTCTime, [Header])
Documentation
class Monad m => UserAuthentication m where Source #
Typeclass representing the `UserInfo` authorization and resolving effect.
Instances
(MonadIO m, MonadBaseControl IO m) => UserAuthentication (TraceT (PGMetadataStorageAppT m)) Source # | |
newtype AdminSecretHash Source #
The hashed admin password. `hashAdminSecret` is our public interface for constructing the secret.
To prevent misuse and leaking we keep this opaque and don't provide instances that could leak information. Likewise for `AuthMode`.
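Although this exists only in memory, we store only a hash of the admin secret, primarily in order to:
- prevent theoretical timing attacks from a naive `==` check (the comparison then runs over fixed-length digests, so any early-exit timing difference reflects the hashes rather than the secret itself)
- prevent misuse or inadvertent leaking of the secret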
AdminSecretHash (Digest SHA512) |
Instances
unsafeMkAdminSecretHash :: Digest SHA512 -> AdminSecretHash Source #
hashAdminSecret :: Text -> AdminSecretHash Source #
The methods we'll use to derive roles for authenticating requests.
`Maybe RoleName` below is the optionally-defined role for the unauthenticated (anonymous) user.
See: https://hasura.io/docs/latest/graphql/core/auth/authentication/unauthenticated-access.html
AMNoAuth | |
AMAdminSecret !(HashSet AdminSecretHash) !(Maybe RoleName) | |
AMAdminSecretAndHook !(HashSet AdminSecretHash) !AuthHook | |
AMAdminSecretAndJWT !(HashSet AdminSecretHash) ![JWTCtx] !(Maybe RoleName) |
setupAuthMode :: (ForkableMonadIO m, HasReporter m) => HashSet AdminSecretHash -> Maybe AuthHook -> [JWTConfig] -> Maybe RoleName -> Manager -> Logger Hasura -> ExceptT Text (ManagedT m) AuthMode Source #
Validate the user's requested authentication configuration, launching any required maintenance threads for JWT etc.
This must only be run once, on launch.
getUserInfoWithExpTime :: forall m. (MonadIO m, MonadBaseControl IO m, MonadError QErr m, MonadTrace m) => Logger Hasura -> Manager -> [Header] -> AuthMode -> Maybe ReqsText -> m (UserInfo, Maybe UTCTime, [Header]) Source #
Authenticate the request using the headers and the configured `AuthMode`.
getUserInfoWithExpTime_ Source #
:: forall m mgr logger. (MonadIO m, MonadError QErr m) | |
=> (logger -> mgr -> AuthHook -> [Header] -> Maybe ReqsText -> m (UserInfo, Maybe UTCTime, [Header])) | mock |
-> ([JWTCtx] -> [Header] -> Maybe RoleName -> m (UserInfo, Maybe UTCTime, [Header])) | mock |
-> logger | |
-> mgr | |
-> [Header] | |
-> AuthMode | |
-> Maybe ReqsText | |
-> m (UserInfo, Maybe UTCTime, [Header]) |