Hasura Authorization #EasyGraphQLwHasura

Captions
Hello folks. Oh, see, I like how this looks like a hat. Let's talk about authorization in Hasura. So let's say you have some users who want to edit some data. Let's say you have three types of users: HR, manager and employee. The permissions are useful when you want to control who can edit what. For example, a manager can only edit their own employees' data and HR can edit everything. Authorization rules allow you to control permissions like this. Now, the other thing to understand here is that Hasura has fine-grained access control based on user roles: role-based fine-grained access control. It's like a tongue twister, fine-based role-grained access control. Let's take a look at how this works.

So when I asked my friends what characters I should use for this demo, they suggested the show The Good Place, and I actually love that show, so here we are. We have Michael as our manager, we have Chidi and Eleanor as our employees, and we have Janet as our HR. So the question is, what should each of these roles be able to do in our database? Janet, as the HR, can do all the things, right? So she can select, insert, update and delete. Michael, as the manager, can select and update only his reportees' data, and he can't insert or delete any data. Chidi and Eleanor can only select their own data, and they can't do much else. So let me show you how to implement this.

As you may already know, you can get started with Hasura really quickly: just click this Heroku button right here, and you can also click "Deploy to Heroku" after that. Here you enter the app name and deploy the app, and (this is a little bit sped up) it's gonna deploy in less than 30 seconds in real life. You can view your app right now, and it will take you to the Hasura console. Up here it says "secure your endpoint" on the top right, so we're going to go ahead and do that: Manage App, go to Settings, Reveal Config Vars. We're gonna add a secret, an admin secret, right here. We're gonna call it "super secret demo" and click Add.

And then now, if you go back and reload the page, it's gonna ask for our secret, so just enter the secret that we just set up, and now we can access the console. On the top we have our GraphQL endpoint; this is where we can post our requests. We have our headers, where we're currently passing our admin secret, and at the bottom we have GraphiQL, which is like a playground where you can test out your queries and mutations and things.

So go to the Data tab, and we're gonna add a table. It's gonna be called employees. It will be starting with an id; we'll call it UUID type and we'll generate a random one. And then we'll do name, type text, and we'll also add manager_id, because employees are going to have managers, which will also be employees, so they will also have a UUID. Let's also set a primary key here, so id will be our primary key, and that basically uniquely identifies a row of a table. And add the table. There we go. So the id is gonna be matched with manager_id; we're gonna add a relationship, and to add a relationship we're gonna add a foreign key. So this means our reference table will be employees also, and the manager_id will reference the id. This means that the manager_id has to match an existing employee id in the employees table. And we have some relationships here, object relationships and array relationships, suggested based on our foreign key, so we can just hit Add here. One manager has many employees: an array relationship. And we'll name this one manager, because it will be the manager of the employees, and we hit Save. There we go, we got our first relationships set up.

Let's add another table called payroll. It will have id, type UUID, and we'll generate a random one again, and then let's have salary, type integer, and let's also have employee_id, because every payroll will have an employee and every employee will have a payroll, and it will be unique; the employee_id will be unique. This is a one-to-one relationship that we're gonna set up. The primary key is id, and for the one-to-one relationship we'll add a foreign key in a second. So we save that, we create the table, and now let's add the foreign key. So the reference table is employees, because the employee_id in the payroll table will match the id in the employees table, and we'll save that. Now if you go to the Relationships tab, we see our suggested relationship again, because we have a one-to-one relationship, so we could add it right here like we did before, or, I'll show you a different way of doing it now which is more convenient if you have a lot of relationships: we have these suggested relations listed here, and you can just click Track All, and it will track all of them, and it'll save you tons of work. So go back to payroll relationships, and we can see that our relationship was set up between payroll and employees, so the ids have to match now.

So in GraphiQL now, on the left, we can see all the tables we created, and now let's add something. Here we go. Let's start with Janet, our HR. We got an error because the UUID is null, so let's make that nullable: let's go to manager_id and let's say nullable true. Going back to Insert Row, now we can insert a row and it will just be null and it will be cool with that. And let's add Michael, and we can see that Janet and Michael were added as expected and the UUIDs were auto-generated. Let's also add Eleanor, because we've got all our characters in our database, and the manager is also Michael's UUID right there that we added. So we added Eleanor and Chidi with the manager_id from Michael. Let's get Janet's ID right now, she's the HR, and let's open a new tab with our payroll table. Let's set a salary for everybody, and that's Janet's ID that I just pasted. Let's save that. I'm gonna do the same thing for all of our users, characters, super fast. I can move so fast, it's amazing. And then we went back to payroll, and we can see now that all our payrolls have been added for each employee.

So now in the GraphiQL tab we can actually see our relationships and everything. So for employees we can get a name; you can see all of our employees; we can get the salary for each employee; we can get the manager name for each employee, and we can see that Eleanor's manager is Michael and Chidi's manager is also Michael. Additionally, we can get the employees for the employee, because what if the employee is a manager? So let's get the employees for an employee, so we can see that Michael has employees Eleanor and Chidi, and Janet does not have any employees. What else? We can look at payroll. In payroll we can get the salary, we can get the employee of a payroll, we can get the name on there, so we can see now the salaries and the employees in the payroll table.

Let's go to Data, payroll, Permissions. Let's set up our permissions now. Let's add HR, and let's insert without any checks, because HR can do everything, right? So we have column insert permissions without any checks right now, so we're gonna save that for HR. And select, update and delete should have the same thing going on, so we can just go back to insert and we can just clone the same thing. So let's clone that for select for HR, we'll clone it for update for HR, and we'll clone it for delete for HR, and once we save that, that saves us a lot of work again, that nice shortcut there. So we can see that HR now has all the permissions for all the things. Next let's add employee. Employees can select their own data, right? So we'll say "with custom check": employee_id on the payroll table equals the user ID from the session, which we pass in with the header. So this ensures that whoever's checking the employee data is the employee themselves. So we save that and we're good there. Let's add a manager role, and managers can select and update their own reportees' data, so we'll do a custom check: the employee of the payroll is going to have a manager_id that equals the user ID from the current session. So the current user is the manager of the employee of the payroll, that's what this is saying, and toggle all the columns and save permissions. So for the update permissions it's going to be the same as the select permission, so we'll just say "with same custom check as select". There we go, that's what we want, so we save the permissions.

And I accidentally wrote payroll instead of payrolls; I'm gonna fix that real quick by going to this SQL link on the left, and we can just enter raw SQL here, so that's kind of convenient too, and let's track everything in the GraphQL API. And now, as you can see, it's plural, payrolls, so we can go back to GraphiQL now and fix this payroll query to be payrolls, and now we can get all our payrolls like before.

Go back to Data, employees, and Permissions. Let's just set the permissions for the employees table also. So everybody should be able to select everything, just for the demo purposes, so we'll say "without any checks", toggle all, save permissions, and let's just clone this to all the other ones. So clone it to update, oh no, clone it for the employee, for the HR, clone it for the manager, and save permissions. There we go, now everyone can select all the employees.

So in the GraphiQL tab we have our headers, and we're gonna now pass roles in our headers. So normally you would pass in a JWT token: you would say Authorization for the key, and in the value you would say Bearer and then you would pass in a token here that your auth service provider might generate. So for demo purposes, first I will show you a simple version. So we'll delete our admin secret first, delete that, and going back we'll say X-Hasura-Role: HR, X-Hasura-User-Id, and we'll get a user ID from Janet and paste it in there. So the JWT token basically has this information in it, and now you can see Janet can select all the payrolls. What if we say manager and get Michael's ID? Michael can only see his reportees' IDs, Eleanor and Chidi. What about Eleanor as an employee? What can Eleanor see? Eleanor can only see her own information. What about Chidi? What can Chidi see? I mean, theoretically it should be just his own. Yep, how did I know that? I have amazing prediction skills.

So as you can see, you can't do a mutation as an employee, you can only query things, because we said that employees can only query things; that's how we set up the permissions. But if we go back to a manager role here now, paste in Michael's ID again, and look there again, you can see now we can run a mutation, because Michael can actually update and insert data. So let's try to do that, adding a mutation to update payrolls where the employee_id equals, let's get Eleanor's ID, and we'll set her salary to 1,000, and let's try to run this mutation now. We get an error: "must have a selection of subfields". So this means you just need to return something in the response, but you can also just check affected_rows to get rid of this error. So we'll do that, so we run it again, and here we go, we updated Eleanor's salary to 1,000. Let's see if we can do the same for Chidi, same mutation, and going back to the Data tab we can actually view the payroll on each employee, so let's go do that, and Eleanor's salary is now 1,000. I want to check Chidi's salary also; yep, we got 1,000 for Chidi's salary also. So we've confirmed that our mutations worked as a manager. Now we can go back to History, look at our history to run our mutation from before, and go back to the Data tab, employees, and let's get Janet's ID, and let's have Michael try to update Janet's salary. Let's see if that will work. Nice try, Michael, but that did not work, because Janet is not your reportee. There we go.

So now I'm gonna uncheck these roles, and I'm gonna show you the more real-world scenario where you would pass in a JWT token. So I'm adding my secret back, reloading the page, entering my secret. Here we are. We go to this website called jwt.io to encode or decode JWTs, so it has the header, payload and a secret. So for the secret we just pass in a random string; for the payload I'm just pasting in the roles that we were passing in before, so we have allowed roles, we have the default role, we have the user ID. So the secret has to match the secret in our settings, so let's add that real quick. I'm going to add a new key, HASURA_GRAPHQL_JWT_SECRET, and paste this in here with the type and the key itself, and we'll add that. Going back to here, we now have a JWT string with all this information in it, so all we have to do is uncheck all this old stuff and we'll add Authorization and we'll say Bearer and we'll paste in the JWT string, and we are the manager, or Michael, now. Let's see what happens: we can see the payrolls for Eleanor and Chidi, and that's what should happen, so that's good. So there we go, this is how you can set up authorization rules. This is just like a simple example; if you'd like to see more examples, check out the blog post that's linked in the description, and have fun with it. See you next time.
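The three payrolls rules and the JWT from the video, exercised offline. This is an added example written for this page, not code from the video or from Hasura: it keeps the permission rules and the token claims in the form Hasura stores and expects them, and evaluates them in plain Python against constructed sample rows. The UUIDs, salaries and signing key are placeholders, and the row filtering and token checks are a stand-in for what Postgres, the auth provider and the Hasura engine do; the claim names, the https://hasura.io/jwt/claims namespace and the HASURA_GRAPHQL_JWT_SECRET format are Hasura's.

```python
"""Added demo of Hasura role permissions and the session JWT (not code from the video).
Mirrors the payrolls rules set up in the video so they can be exercised offline.
IDs, salaries and the signing key are constructed placeholders."""
import base64, hashlib, hmac, json, time

# Constructed rows standing in for the employees and payrolls tables.
MICHAEL = "11111111-1111-4111-8111-111111111111"
JANET = "22222222-2222-4222-8222-222222222222"
ELEANOR = "33333333-3333-4333-8333-333333333333"
CHIDI = "44444444-4444-4444-8444-444444444444"
EMPLOYEES = {i: {"id": i, "name": n, "manager_id": m} for i, n, m in [
    (MICHAEL, "Michael", None), (JANET, "Janet", None),
    (ELEANOR, "Eleanor", MICHAEL), (CHIDI, "Chidi", MICHAEL)]}
PAYROLLS = [{"employee_id": e, "salary": s} for e, s in
            [(MICHAEL, 5000), (JANET, 6000), (ELEANOR, 3000), (CHIDI, 3000)]]
# Object relationship payrolls.employee -> employees, derived from the foreign key.
RELATIONSHIPS = {"employee": lambda row: EMPLOYEES.get(row["employee_id"])}

# The rules as the console stores them in metadata. {} is "without any checks";
# the string "X-Hasura-User-Id" is replaced from the session on every request.
MANAGER_RULE = {"employee": {"manager_id": {"_eq": "X-Hasura-User-Id"}}}
PAYROLL_PERMISSIONS = {
    "select": {"hr": {}, "manager": MANAGER_RULE,
               "employee": {"employee_id": {"_eq": "X-Hasura-User-Id"}}},
    "update": {"hr": {}, "manager": MANAGER_RULE},  # employee role: no update permission
}

def evaluate(rule, row, session):
    """One row against a Hasura boolean expression (_eq, session variables, relationships)."""
    for key, value in rule.items():
        if key in RELATIONSHIPS:  # traverse the object relationship, then test the related row
            related = RELATIONSHIPS[key](row)
            if related is None or not evaluate(value, related, session):
                return False
            continue
        ((op, operand),) = value.items()
        if op != "_eq":
            raise ValueError(f"operator {op} not implemented in this demo")
        if isinstance(operand, str) and operand.lower().startswith("x-hasura-"):
            operand = session.get(operand.lower())  # session variable lookup
        if row.get(key) != operand:
            return False
    return True  # an empty rule ({}) imposes no check

def visible_payrolls(session):
    """Rows the role may select; a role with no select permission has no payrolls field at all."""
    rule = PAYROLL_PERMISSIONS["select"].get(session["x-hasura-role"])
    return [] if rule is None else [p for p in PAYROLLS if evaluate(rule, p, session)]

def update_salary(session, employee_id, salary):
    """update_payrolls(where: {employee_id: {_eq: ...}}, _set: {salary: ...}) -> affected_rows.
    Rows outside the role's filter are skipped, so Michael updating Janet returns 0, no error."""
    rule = PAYROLL_PERMISSIONS["update"].get(session["x-hasura-role"])
    if rule is None:
        raise PermissionError("role has no update permission on payrolls")
    hits = [p for p in PAYROLLS if p["employee_id"] == employee_id and evaluate(rule, p, session)]
    for p in hits:
        p["salary"] = salary
    return len(hits)

# Value of HASURA_GRAPHQL_JWT_SECRET. Hasura rejects HS256 keys shorter than 32 characters.
JWT_SECRET = {"type": "HS256", "key": "constructed-demo-key-0123456789abcdef-change-me"}
CLAIMS_NS = "https://hasura.io/jwt/claims"

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(user_id, default_role, allowed_roles, key, now=None):
    """The HS256 JWT an auth provider would issue, carrying Hasura's claims namespace."""
    now = int(time.time()) if now is None else now
    claims = {"x-hasura-allowed-roles": allowed_roles,
              "x-hasura-default-role": default_role, "x-hasura-user-id": user_id}
    payload = {"sub": user_id, "iat": now, "exp": now + 3600, CLAIMS_NS: claims}
    header = {"alg": "HS256", "typ": "JWT"}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def session_from_token(token, key, requested_role=None, now=None):
    """What Hasura derives from 'Authorization: Bearer <token>': check alg, signature and
    expiry, then pick the role. X-Hasura-Role may only choose from x-hasura-allowed-roles."""
    now = int(time.time()) if now is None else now
    head, body, sig = token.split(".")
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse alg=none / RS256-with-HMAC-key confusion
    expected = hmac.new(key.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    payload = json.loads(_unb64url(body))
    if payload["exp"] <= now:
        raise ValueError("token expired")
    claims = payload[CLAIMS_NS]
    role = requested_role or claims["x-hasura-default-role"]
    if role not in claims["x-hasura-allowed-roles"]:
        raise ValueError(f"role {role!r} not in x-hasura-allowed-roles")
    return {"x-hasura-role": role, "x-hasura-user-id": claims["x-hasura-user-id"]}
```

With a token minted for Michael (default role manager), visible_payrolls returns Eleanor's and Chidi's rows only, and update_salary on Janet returns affected_rows 0 rather than an error, which is the "nice try Michael" result from the video: the permission is a row filter on the WHERE clause, not a separate access check. session_from_token refuses a tampered signature, a wrong key, an expired token and an X-Hasura-Role request for a role that is not in x-hasura-allowed-roles. Two points worth knowing beyond the demo: the "random string" used as the HS256 key must be at least 32 characters or Hasura will refuse the secret, and X-Hasura-Role plus X-Hasura-User-Id headers are only taken at face value on requests that also carry the admin secret; for JWT requests the user id comes from the verified claims, and the role header can only pick among the allowed roles.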
Info
Channel: Hasura
Views: 6,568
Keywords: EasyGraphQLwithHasura, GraphQL, Authz
Id: rkN3RQBi_UI
Length: 18min 52sec (1132 seconds)
Published: Wed Apr 15 2020