nhost / hasura-backend-plus
1.2K 1.2K 187.0 5.98 MB

🔑Auth and 📦Storage for Hasura. The quickest way to get Auth and Storage working for your next app based on Hasura.

Home Page: https://nhost.github.io/hasura-backend-plus/

License: MIT License

JavaScript 0.72% Dockerfile 0.50% PLpgSQL 3.40% TypeScript 93.82% EJS 1.56%
authentication docker graphql hasura jwt s3 storage typescript

hasura-backend-plus's Introduction

Nhost


Nhost is an open source Firebase alternative with GraphQL, built with the following things in mind:

  • Open Source
  • GraphQL
  • SQL
  • Great Developer Experience

Nhost consists of open source software:

Architecture of Nhost (diagram)
Visit https://docs.nhost.io for the complete documentation.

Get Started

Option 1: Nhost Hosted Platform

  1. Sign in to Nhost.
  2. Create Nhost app.
  3. Done.

Option 2: Self-hosting

Since Nhost is 100% open source, you can self-host the whole Nhost stack. Check out the example docker-compose file to self-host Nhost.

Sign In and Make a Graphql Request

Install the @nhost/nhost-js package and start building your app:

import { NhostClient } from '@nhost/nhost-js'

const nhost = new NhostClient({
  subdomain: '<your-subdomain>',
  region: '<your-region>'
})

await nhost.auth.signIn({ email: '[email protected]', password: 'spaceX' })

await nhost.graphql.request(`{
  users {
    id
    displayName
    email
  }
}`)

Frontend Agnostic

Nhost is frontend agnostic, which means Nhost works with all frontend frameworks.

Resources

  • Start developing locally with the Nhost CLI

Nhost Clients

Integrations

Applications

Community ❤️

First and foremost: Star and watch this repository to stay up-to-date.

Also, follow Nhost on GitHub Discussions, our Blog, and on Twitter. You can chat with the team and other members on Discord and follow our tutorials and other video material at YouTube.

Nhost is Open Source

This repository, and most of our other open source projects, are licensed under the MIT license.


How to contribute

Here are some ways of contributing to making Nhost better:

Contributors

A table of avatars from the project's contributors

hasura-backend-plus's People

Contributors

aaronhayes, alanpachuau, babakscript, cgsdev0, dependabot[bot], diogoeichert, elitan, franzyke, frissonlabs, hampuskraft, jlvdh, joaovpmamede, joshmedeski, kekbait, komninoschatzipapas, marcellothearcane, mnlbox, nunopato, plmercereau, pomarec, ppseafield, rodolfosilva, rubenvaneldik, skinymonkey, svarto, tcbyrd, tobiastornros, weyert, yagger, zbeyens


hasura-backend-plus's Issues

How to access other table schemas?

This is probably a question for Hasura, but I can't seem to find anything on the docs about it.

Is there a way of querying the other tables here? I'd like to set up a duplicate of the public database for a testing environment.


I assume it would be either a custom header or a different URL.

Execute db-user-uuid-init.sql fails

Attempt to Hasura > Data > Run SQL with db-user-uuid-init.sql fails with the following error:

SQL Execution Failed postgres-error : function public.set_current_timestamp_updated_at() does not exist

Looks like this trigger function is simply missing from the dump.

[v2] JWKS endpoint?

Hi Johan,
First of all many thanks for this very nice repo! I am actually considering using it instead of the scrappy attempt I did a few months ago (and another ongoing attempt in this monorepo).
Did you ever consider setting up a JWKS endpoint, so Hasura could get its JWK public key from HBP? It would help centralise the keys into one service (HBP), and we could then even consider automatic key rotation. What do you think about that?
Best,
Pilou

Add more docs about Auth

I see this in Readme file:

Auth

/register
/activate-account
/sign-in
/refetch-token
/new-password

Can you explain how we can use these?

some cleanup on package.json

Hi man,
I think it's better to move nodemon from dependencies to dev-dependencies and add some start and dev scripts.

user secret_token

What is the flow for resetting a password?
Every time I call the new-password endpoint, do I have to send the user's secret_token that I first get from the user when logging in/registering?
If that's the case, what is the purpose of it?

Boom is deprecated, use @hapi/boom

There's a deprecation notice on https://www.npmjs.com/package/boom -

This module has moved and is now available at @hapi/boom. Please update your dependencies as this version is no longer maintained and may contain bugs and security issues.

It looks like a case of changing all instances of boom to @hapi/boom, or has the API changed?

Req: Basic Example

I'm looking for a basic example of a file upload from react to hasura backend (minio).

/storage/fn/get-download-url/* returns empty object

I assume the /fn/get-download-url/* endpoint here is intended to provide an image url that can be used in an html <img> tag.

I have managed to download the image blob with the /file/* endpoint and convert it to a data url, but it would be nicer to get a simple URL!

Any ideas why I am not getting the token specified here?

clear refresh tokens

When do you clear the refresh tokens in the db? Shouldn't it be done when the user logs out?

Add 'get user' endpoint

Great project! I'm getting started with integrating this (via nhost) to Nuxt.js and have come across an issue.

I'm using the default @nuxtjs/auth module, which requires an endpoint to fetch user data:

auth: {
  strategies: {
    local: {
      endpoints: {
        login: { url: '<url>/auth/login', method: 'post', propertyName: 'token' },
        logout: false,
        user: { url: '<url>/auth/user', method: 'get', propertyName: 'user' }
      },
    }
  }
}

the user endpoint requires a response similar to this:

{
  "user": {
    <user_data>
  }
}

Would it be possible to add an endpoint that runs a query like this?

query user($username: String!) {
  users(where: {username: {_eq: $username}}) {
    username
    id
    created_at
  }
}

Two step (factor) authentication

Hi @elitan ,
I think two step (factor) authentication can be very useful for many applications. I recently implemented this in LoopBack based on the article below:
https://jordankasper.com/two-factor-authentication-with-loopback/
and use this library:
https://github.com/speakeasyjs/speakeasy

Later I see this library: https://passwordless.net/

For testing purposes I think we need to print the 2FA code on the console, and a setting option, for example called "send 2FA code by:", to select the gateway for sending the 2FA code (for example we can suggest some options here: send 2FA code through mail plugin, web hook call, sms, ...)

I think this library is better than the others I was thinking of:
https://github.com/yeojz/otplib

Lets talk about this here 😉

Login with facebook & linkedin

hi everyone,

Really like the repo, Jonah.
I am implementing it for an existing project. I have a fork because I need login with email and password :)

I am looking into implementing login with social media accounts too. I don't think auth0 is a solution, as for a high number of users costs can explode. I will feed back here if I get anywhere.

did you try this? was it on your radar?
do you have any suggestions?
thanks,
C

Login try limit

Hi @elitan ,
We need some login attempt limitation solution. Something like #22 but for login.

Some approach:

  1. Block the user for X minutes after Y unsuccessful login attempts.
  2. Show a captcha image after X unsuccessful login attempts.

We also need some new environment variables for these X, Y, ...
We also need to implement this for both the traditional and the 2FA login mechanism after merging #29
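Added example (not hasura-backend-plus code): an in-memory limiter implementing approach 1 above, locking a key (the submitted email or the client IP, the caller's choice) for X minutes after Y unsuccessful attempts. The environment variable names LOGIN_MAX_FAILURES and LOGIN_LOCKOUT_MINUTES are hypothetical placeholders, and the clock is injectable so the lockout can be exercised without waiting.

```javascript
// Added example, not hasura-backend-plus code: in-memory login attempt
// limiter for approach 1 from the issue (block a key for X minutes after
// Y unsuccessful tries). Env var names are hypothetical placeholders.
const DEFAULT_MAX_FAILURES = Number(process.env.LOGIN_MAX_FAILURES || 5);                // Y
const DEFAULT_LOCKOUT_MS = Number(process.env.LOGIN_LOCKOUT_MINUTES || 15) * 60 * 1000; // X

function createLoginLimiter({
  maxFailures = DEFAULT_MAX_FAILURES,
  lockoutMs = DEFAULT_LOCKOUT_MS,
  now = Date.now, // injectable clock (epoch ms) so tests need not sleep
} = {}) {
  // key -> { failures: consecutive failures since the last success/lock,
  //          lockedUntil: epoch ms, 0 when not locked }
  const state = new Map();

  return {
    // Ask before verifying the password: a locked key is refused without
    // touching the password hash, so the lockout also bounds bcrypt work.
    check(key) {
      const e = state.get(key);
      if (!e) return { allowed: true, retryAfterMs: 0 };
      const t = now();
      if (e.lockedUntil > t) return { allowed: false, retryAfterMs: e.lockedUntil - t };
      if (e.lockedUntil) state.delete(key); // lock expired: start counting afresh
      return { allowed: true, retryAfterMs: 0 };
    },
    // Record a wrong password; returns true when this failure triggered a lock.
    recordFailure(key) {
      const e = state.get(key) || { failures: 0, lockedUntil: 0 };
      e.failures += 1;
      if (e.failures >= maxFailures) {
        e.lockedUntil = now() + lockoutMs;
        e.failures = 0;
      }
      state.set(key, e);
      return e.lockedUntil > now();
    },
    // A correct password clears the counter for that key.
    recordSuccess(key) {
      state.delete(key);
    },
  };
}

// Glue for a sign-in route: consult the limiter, run the password check
// only when allowed, then record the outcome. `verifyPassword` stands in
// for whatever comparison the route already performs (e.g. bcrypt).
function attemptSignIn(limiter, key, verifyPassword) {
  const gate = limiter.check(key);
  if (!gate.allowed) return { ok: false, reason: 'locked', retryAfterMs: gate.retryAfterMs };
  if (verifyPassword()) {
    limiter.recordSuccess(key);
    return { ok: true, reason: 'ok', retryAfterMs: 0 };
  }
  limiter.recordFailure(key);
  const after = limiter.check(key);
  return { ok: false, reason: after.allowed ? 'invalid' : 'locked', retryAfterMs: after.retryAfterMs };
}
```

Two caveats a deployment needs to weigh: keying the lock on the email alone lets anyone lock a legitimate user out by submitting wrong passwords for that address, which is why approach 2 (captcha) or keying on client IP as well is often combined with it; and a `Map` in the process is lost on restart and not shared between replicas, so a multi-instance deployment would keep the counters in the database or a shared cache instead.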

Include documentation for migration when schema changes

Any chance documentation for migration can be included when the schema changes? I'm not sure what the best way to do so is with the addition of the oauth providers, and I can see in db-init.sql that the schema has significant changes.

add USER_FIELDS example

Hi @elitan,
Thanks for this awesome repo. Can you explain how we can use USER_FIELDS to add custom user fields?
I can't find any example or note in the ReadMe.md file.

/auth/logout throw an error

Hi, just noticed there is a reference to undefined user variable in the /auth/logout route, the logout-all is ok

router.post('/logout', async (req, res, next) => {
  // get refresh token
  const schema = Joi.object().keys({
    refresh_token: Joi.string().uuid().required(),
  });

  const { error, value } = schema.validate(req.body);

  const { refresh_token } = value;

  // delete refresh token passed in data
  let mutation = `
  mutation (
    $refresh_token: uuid!,
  ) {
    delete_refresh_token: delete_${schema_name}refresh_tokens (
      where: {
        refresh_token: { _eq: $refresh_token }
      }
    ) {
      affected_rows
    }
  }
  `;

  let hasura_data;
  try {
    hasura_data = await graphql_client.request(mutation, {
      user_id: user.id,
    });
  } catch (e) {
    console.error(e);
    // console.error('Error connection to GraphQL');
    return next(Boom.unauthorized('Unable to delete refresh token'));
  }

  res.send('OK');
});

hasura-backend-plus_1  | POST /auth/logout 401 84 - 5.430 ms
hasura-backend-plus_1  | ReferenceError: user is not defined
hasura-backend-plus_1  |     at router.post (/app/src/auth/auth.js:166:16)
hasura-backend-plus_1  |     at Layer.handle [as handle_request] (/app/node_modules/express/lib/router/layer.js:95:5)
hasura-backend-plus_1  |     at next (/app/node_modules/express/lib/router/route.js:137:13)
hasura-backend-plus_1  |     at Route.dispatch (/app/node_modules/express/lib/router/route.js:112:3)
hasura-backend-plus_1  |     at Layer.handle [as handle_request] (/app/node_modules/express/lib/router/layer.js:95:5)
hasura-backend-plus_1  |     at /app/node_modules/express/lib/router/index.js:281:22
hasura-backend-plus_1  |     at Function.process_params (/app/node_modules/express/lib/router/index.js:335:12)
hasura-backend-plus_1  |     at next (/app/node_modules/express/lib/router/index.js:275:10)
hasura-backend-plus_1  |     at Function.handle (/app/node_modules/express/lib/router/index.js:174:3)
hasura-backend-plus_1  |     at router (/app/node_modules/express/lib/router/index.js:47:12)
hasura-backend-plus_1  | Unable to delete refresh token
hasura-backend-plus_1  | Error: Unable to delete refresh token
hasura-backend-plus_1  |     at router.post (/app/src/auth/auth.js:171:22)
hasura-backend-plus_1  |     at Layer.handle [as handle_request] (/app/node_modules/express/lib/router/layer.js:95:5)
hasura-backend-plus_1  |     at next (/app/node_modules/express/lib/router/route.js:137:13)
hasura-backend-plus_1  |     at Route.dispatch (/app/node_modules/express/lib/router/route.js:112:3)
hasura-backend-plus_1  |     at Layer.handle [as handle_request] (/app/node_modules/express/lib/router/layer.js:95:5)
hasura-backend-plus_1  |     at /app/node_modules/express/lib/router/index.js:281:22
hasura-backend-plus_1  |     at Function.process_params (/app/node_modules/express/lib/router/index.js:335:12)
hasura-backend-plus_1  |     at next (/app/node_modules/express/lib/router/index.js:275:10)
hasura-backend-plus_1  |     at Function.handle (/app/node_modules/express/lib/router/index.js:174:3)
hasura-backend-plus_1  |     at router (/app/node_modules/express/lib/router/index.js:47:12)
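Added example, not hasura-backend-plus code: a framework-agnostic rewrite of the /auth/logout handler quoted in this issue with its two defects fixed. The Joi validation result is checked instead of ignored (a UUID regex stands in for Joi.string().uuid() so the file has no dependencies), and the mutation is executed with the `refresh_token` variable it declares rather than `user.id`, which is never defined in the route. `graphqlClient.request(query, variables)` is assumed to have the graphql-request signature the issue's code uses; `createFakeRefreshTokenStore` is a constructed stand-in for the Hasura endpoint so the handler runs offline.

```javascript
// Added example, not hasura-backend-plus code. Fixes relative to the
// issue's route: (1) validation errors are acted on, (2) the mutation gets
// the `refresh_token` variable it declares instead of the undefined `user`.

// Stand-in for Joi.string().uuid(): RFC 4122 versions 1-5, variant 8/9/a/b.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

// Same mutation as the issue. `schemaName` replaces the unbound `schema_name`:
// '' for a table in the public schema, '<schema>_' otherwise (Hasura's default
// root-field naming for non-public schemas).
function buildDeleteRefreshTokenMutation(schemaName = '') {
  return `
  mutation ($refresh_token: uuid!) {
    delete_refresh_token: delete_${schemaName}refresh_tokens(
      where: { refresh_token: { _eq: $refresh_token } }
    ) {
      affected_rows
    }
  }`;
}

// Returns { error } or { value }, mirroring the shape of Joi's schema.validate().
function validateLogoutBody(body) {
  const token = body && body.refresh_token;
  if (typeof token !== 'string' || !UUID_RE.test(token)) {
    return { error: 'refresh_token must be a UUID string' };
  }
  return { value: { refresh_token: token } };
}

// Core handler: returns { status, body } so any router can wrap it.
async function handleLogout(body, graphqlClient, { schemaName = '' } = {}) {
  const { error, value } = validateLogoutBody(body);
  if (error) return { status: 400, body: { error } };

  let data;
  try {
    data = await graphqlClient.request(buildDeleteRefreshTokenMutation(schemaName), {
      refresh_token: value.refresh_token, // the variable the mutation declares
    });
  } catch (e) {
    // Log server-side; do not echo the GraphQL error, it can carry schema details.
    return { status: 502, body: { error: 'Unable to delete refresh token' } };
  }

  // Report how many rows went away, so a client never mistakes "token already
  // gone / never existed" for a revocation that actually happened.
  const revoked = (data.delete_refresh_token && data.delete_refresh_token.affected_rows) || 0;
  return { status: 200, body: { revoked } };
}

// Constructed stand-in for the Hasura endpoint: honours only this mutation's
// variable and deletes from an in-memory Set.
function createFakeRefreshTokenStore(initialTokens) {
  const tokens = new Set(initialTokens);
  return {
    async request(_query, variables) {
      const hit = tokens.delete(variables.refresh_token);
      return { delete_refresh_token: { affected_rows: hit ? 1 : 0 } };
    },
    size: () => tokens.size,
  };
}

// Express adapter matching the route shape in the issue (not run here).
function expressLogoutRoute(graphqlClient, opts) {
  return async (req, res) => {
    const out = await handleLogout(req.body, graphqlClient, opts);
    res.status(out.status).json(out.body);
  };
}
```

With a real client the adapter is mounted as `router.post('/logout', expressLogoutRoute(graphql_client, { schemaName }))`; the `revoked` count in the response is what a client should check before discarding its local copy of the token.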

GraphQL endpoint for files

I've had a quick look around, but I don't think there is such a thing as a GraphQL wrapper for Amazon AWS. Would it be preferable to develop this externally and import to HBP at a later date?


It would be really useful to have a GraphQL endpoint for the file API in HBP. Ideally, it should be possible to create, read, update and delete files.

Creating files

Here is a specification for uploading files. The implementation will need a bit of work to smoothly work with AWS, particularly large files. This could be implemented at a later date, as there is already a workable upload solution.

It will either need a custom GraphQL type, or else require the file to be encoded as a base64 blob (very large files might prohibit this).

Reading files

listObjects provides a method for listing objects. It looks like you can get metadata for all objects like this, though I'm not sure how best to implement the folder structure through GraphQL (i.e. folders and files in the same directory).

There's an issue of pagination that some users may face (1000 items maximum), but there are ways round that.

You might need to work out whether it would be more efficient to use headObject or listObjects depending on the GraphQL query.

Updating files

I can't seem to find the appropriate endpoint for updating files, possibly you should delete and re-add the file.

Deleting files

You can delete multiple objects with the deleteObjects property, but I think you need to reference the unique ID assigned by the bucket. In order to delete in a GraphQL-compliant way (i.e. deleting by an arbitrary reference), you may need to get the bucket data beforehand.

An idea for implementing into Nhost would be as a remote schema. Is it possible to create a new Hasura instance with preconfigured remote schemas? If so, you could add an authentication key as an environment variable.

Change name of hasura-backend-plus?

Right now the name hasura-backend-plus is a long name, not really unique and it does not feel it has its own 'soul'.

My idea is to change the repo name to something easier, smaller and catchier with just a single name? Like:

  • yeasura
  • blace
  • moritter

or something similar.

My idea is to also add a js sdk, much like firebase-js-sdk, that will handle auth and storage more easily. Like:

    const upload_res = await <reponame>.upload('product-images/', [this.image_upload], (progressEvent) => {
      console.log('new progress event');
      console.log(progressEvent);
    });

  1. Thoughts on the idea to change the repo name?
  2. Any name suggestions? (optional)

Login gives error

Trying to log in with a registered user, I get the following output from the logs:

hasura-backend-plus_1  | user: {
hasura-backend-plus_1  |   "id": 1,
hasura-backend-plus_1  |   "password": "$2a$10$WiMG2bz7Vnkv0cMLdn4i1.9LCNEPtixGOYv.DBYDmxt3aDoQ0KiEm",
hasura-backend-plus_1  |   "active": true,
hasura-backend-plus_1  |   "default_role": "user",
hasura-backend-plus_1  |   "roles": []
hasura-backend-plus_1  | }
hasura-backend-plus_1  | Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
hasura-backend-plus_1  |     at Sign.sign (internal/crypto/sig.js:80:26)
hasura-backend-plus_1  |     at Object.sign (/app/node_modules/jwa/index.js:76:45)
hasura-backend-plus_1  |     at Object.jwsSign [as sign] (/app/node_modules/jws/lib/sign-stream.js:32:24)
hasura-backend-plus_1  |     at Object.module.exports [as sign] (/app/node_modules/jsonwebtoken/sign.js:198:16)
hasura-backend-plus_1  |     at Object.generateJwtToken (/app/src/auth/auth-tools.js:25:16)
hasura-backend-plus_1  |     at router.post (/app/src/auth/auth.js:306:32)

I know it has something to do with the keys. I generated the keys from the terminal using:

ssh-keygen -t rsa -b 4096 -m PEM -f jwtRS256.key
openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.key.pub

I tried to verify the signature at jwt.io and it was a valid signature. Seeing the hasura-backend minio example, it shows that both need to be the public keys. What am I doing wrong?

Split this project

@elitan nice job with this library.
I think we can split this project into two small projects.
One for authentication only and one for storage only. What do you think of this approach?

And we can use docker-compose to merge both with hasura/graphql-engine.

Right now I started making hasura-auth. And @toastedtoast has started hasura-storage, both forked from HB+.

But I think we can unify all these projects in an organization with HB+ split.

What do you think?

cc @mnlbox

Switch authentication to a general and customizable passport.js approach

Hi,
@elitan As we talked about earlier, it would be a good improvement if we could change the current authentication approach to a passport.js based approach.
My other suggestion is to separate the authentication strategy implementation from the Auth layer. For example the Auth layer can be a simple GraphQL mutation or REST layer, and we can edit this with a file outside the docker image based on http://www.passportjs.org/ or any other authentication implementation. Something like you did for storage-rules in:

volumes:
  ./storage-rules.js:/app/src/storage/storage-rules.js

passportjs has a lot of authentication strategies (LDAP, 2FA, ...)

Companies or apps have various types of authentication logic, and if we can separate it as authentication.js from the HB+ core as a volume-bound file outside docker we can support many strategies.
Passport.js contains 502 authentication strategies now. It's the most powerful authentication solution, I think. You can find many authentication strategies here: http://www.passportjs.org/packages/

For example this 2FA strategy can be useful for mobile apps and social networks: http://www.passportjs.org/packages/passport-2fa-totp/

Or we can use http://www.passportjs.org/packages/passport-ldapauth/ because we have Active Directory in my company.

I guess if we can get passport.js working with HB+ with a good way to configure it, it should work with any passport provider. 😉

JWT token in http only cookie

I have a question regarding the /login route. When the server authenticates the user, an http-only cookie is created and sent to the client. I want to know why, because Hasura in JWT mode cannot read the JWT from a cookie to create the authorization header, as explained here.
Does this cookie have any other purpose?

How to add my custom business logic?

Hi @elitan,
I want to add some business logic to my Hasura and see that this repo is a good starting point.
Can you guide me on how we can do this?
Do you have any suggestions for me?
Do you have any plan to simplify this use-case? (customized business logic)
