I'm trying to implement a role switcher.

Assumptions

• Users table has a current_role column which is set with a default role of contributor.
• Session variable X-Hasura-Role for each request is set to whatever current_role is set to for the user.

Logic
A user with claim X-Hasura-Allowed-Roles set to ['contributor', 'editor'] should be able to send a mutation to update his current_role to be one in the array and only one of those.

Implementation of permissions to update users table for each role

• Pre-update check: {"id":{"_eq":"X-Hasura-User-Id"}}
• Post-update check: {"current_role":{"_in":"X-Hasura-Allowed-Roles"}}

Implementation of mutation

mutation SwitchUserRole {
  update_users_by_pk(pk_columns: {id: "some-id"}, _set: {current_role: "some-role"}) {
    id
    email
    current_role
  }
}

Expected result

• Mutation should be successful when current_role is set to editor in this example, as X-Hasura-Allowed-Roles is set to ['contributor', 'editor'].
• Mutation should fail when current_role is set to anything else, like manager.

Actual result
Mutation always fails with the following error:

{
  "errors": [
    {
      "extensions": {
        "path": "$",
        "code": "not-found"
      },
      "message": "missing session variables: \"x-hasura-allowed-roles\""
    }
  ]
}

Running Hasura 2.0.0-alpha.10