
Allow auth webhook to set cookies on response #2269

@BenoitRanque


Hasura does not currently (unless I'm doing something wrong) forward the Set-Cookie header from auth webhooks. This issue is similar to but different from #1654.

Use cases:

  • Setting a tracking cookie on unauthenticated requests
  • Resetting cookie maxAge on each request. This would be very useful for cookies that expire within a set, short amount of time.

One option would be to forward the Set-Cookie header set by auth webhook to the response.

Another, more explicit option would be for the webhook to explicitly respond with a cookies object, and for those to be set on the response.

Here are two possible syntaxes for the auth webhook response:

{
    "X-Hasura-User-Id": "25",
    "X-Hasura-Role": "user",
    "X-Hasura-Is-Owner": "true",
    "X-Hasura-Custom": "custom value",
    "Cookies": {
        "<cookie-name>": {
            "Value": "<cookie-value>",
            "Expires": "<date>",
            "Max-Age": <non-zero-digit>,
            "Domain": "<domain-value>",
            "Path": "<path-value>",
            "Secure": <boolean>,
            "HttpOnly": <boolean>,
            "SameSite": "<Strict/Lax>"
        }
    },
    "Cookies": [
        {
            "Name": "<cookie-name>",
            "Value": "<cookie-value>",
            "Expires": "<date>",
            "Max-Age": <non-zero-digit>,
            "Domain": "<domain-value>",
            "Path": "<path-value>",
            "Secure": <boolean>,
            "HttpOnly": <boolean>,
            "SameSite": "<Strict/Lax>"
        }
    ]
}

Another, even more general purpose way would be to allow a special headers property. This would allow the webhook to set any header. Example syntaxes:

{
    "X-Hasura-User-Id": "25",
    "X-Hasura-Role": "user",
    "X-Hasura-Is-Owner": "true",
    "X-Hasura-Custom": "custom value",
    "Response-Headers": [
        {
            "name": "Set-Cookie",
            "value": "<cookie-name>=<cookie-value>; Expires=<date>; Max-Age=<non-zero-digit>; Domain=<domain-value>; Path=<path-value>; Secure; HttpOnly; SameSite=<Strict/Lax>"
        }
    ],
    "Response-Headers": [
        "Set-Cookie: <cookie-name>=<cookie-value>; Expires=<date>; Max-Age=<non-zero-digit>; Domain=<domain-value>; Path=<path-value>; Secure; HttpOnly; SameSite=<Strict/Lax>"
    ]
}
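An added example, not part of the original issue and not Hasura code: a sketch of how a server could consume the explicit "Cookies" object syntax proposed above, validating every field before building `Set-Cookie` values so that a webhook response cannot smuggle CR/LF or extra attributes into the response headers. The function name `splitWebhookResponse` and the validation rules (RFC 6265 character sets) are assumptions of this example.

```javascript
// Added example: hypothetical helper, not Hasura code. Assumes the "Cookies"
// object syntax (first proposal in the issue) as the webhook response shape.
const NAME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;                  // RFC 6265 token
const VALUE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;  // cookie-octet
const ATTR = /^[\x20-\x3A\x3C-\x7E]+$/;                         // no CTLs, no ';'

function fail(msg) { throw new Error(msg); }

function splitWebhookResponse(body) {
  const session = {};
  for (const [key, val] of Object.entries(body)) {
    // Only X-Hasura-* keys become session variables.
    if (/^x-hasura-/i.test(key)) session[key] = String(val);
  }
  const setCookie = [];
  for (const [name, c] of Object.entries(body.Cookies || {})) {
    if (!NAME.test(name)) fail(`bad cookie name ${JSON.stringify(name)}`);
    if (typeof c.Value !== "string" || !VALUE.test(c.Value)) fail(`bad value for ${name}`);
    const parts = [`${name}=${c.Value}`];
    if (c.Expires !== undefined) {
      const d = new Date(c.Expires);
      if (Number.isNaN(d.getTime())) fail(`bad Expires for ${name}`);
      parts.push(`Expires=${d.toUTCString()}`);
    }
    if (c["Max-Age"] !== undefined) {
      if (!Number.isInteger(c["Max-Age"])) fail(`bad Max-Age for ${name}`);
      parts.push(`Max-Age=${c["Max-Age"]}`);
    }
    for (const attr of ["Domain", "Path"]) {
      if (c[attr] === undefined) continue;
      if (typeof c[attr] !== "string" || !ATTR.test(c[attr])) fail(`bad ${attr} for ${name}`);
      parts.push(`${attr}=${c[attr]}`);
    }
    // Secure and HttpOnly are valueless flags in a Set-Cookie header.
    if (c.Secure === true) parts.push("Secure");
    if (c.HttpOnly === true) parts.push("HttpOnly");
    if (c.SameSite !== undefined) {
      if (!["Strict", "Lax"].includes(c.SameSite)) fail(`bad SameSite for ${name}`);
      parts.push(`SameSite=${c.SameSite}`);
    }
    setCookie.push(parts.join("; "));
  }
  return { session, setCookie };
}

// Constructed sample webhook response (not taken from the issue).
const sample = { "X-Hasura-User-Id": "25", "X-Hasura-Role": "user",
  Cookies: { sid: { Value: "abc123", "Max-Age": 900, Path: "/", Secure: true,
                    HttpOnly: true, SameSite: "Lax" } } };
console.log(splitWebhookResponse(sample).setCookie);
```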

Labels

  • a/authn: Issues related to "authentication" and capturing session claims from an API call
  • c/server: Related to server
  • e/quickfix: can be wrapped up in few hours
  • k/enhancement: New feature or improve an existing feature
  • p/high: candidate for being included in the upcoming sprint
  • p/medium: non-urgent issues/features that are candidates for being included in one of the upcoming sprints
