Releases: hasura/graphql-engine
v2.10.2
Changelog
❗ Fixes a critical security vulnerability. See more details in the security advisory.
v2.16.0-beta.1
Changelog
Highlights
Import OpenAPI endpoint as an action (Enterprise edition only)
This console feature makes it easy to import an endpoint with an OpenAPI definition as a Hasura Action. It lets you upload or paste the OpenAPI definition (JSON or YAML) and automatically converts it into an action definition. This is an alpha release of the feature; to try it out, enable the feature flag (Settings -> Feature Flags -> Import action from OpenAPI).
Subscriptions on CockroachDB and Citus
Support added for Subscriptions (Live Queries and Streaming Subscriptions) on CockroachDB & Citus databases
Two new Prometheus metrics are added for event triggers (Enterprise edition only):
| Prometheus metric | Meaning of the metric |
|---|---|
| hasura_event_fetch_time_per_batch_seconds | Polling latency of fetching events, i.e. the time required to fetch a batch of event triggers from the database |
| hasura_event_processing_time_seconds | The time required to execute the webhook call for an event trigger, i.e. the time from when an event is picked for delivery to when its status is updated in the DB |
Validations for Response Transforms
Response Transforms will now be validated for the following metadata API endpoints:
- create_event_trigger
- create_cron_trigger
- create_action
- update_action
- test_webhook_transform
As a result, now both request and response transforms will be validated for the above metadata API endpoints.
New 'toggle all' button to select all the columns for update operation event triggers.
Control log spamming of JWK refreshes
Many JWK providers have a Cache-Control policy which makes Hasura refresh them every second and pollute the logs. Before this release, the jwk-refresh-log type was not configurable. Now, jwk-refresh-log type has been added as a configurable log type, so that users can disable it in case their logs are getting spammed. To prevent a breaking change for existing users, we have also added jwk-refresh-log type to default enabled log types. (related to #8611)
Behaviour changes
Changes to capturing query variables in logs (Enterprise edition only)
Fix the application of analyze_query_variables setting to avoid leaking of query variables in the logs.
Request/response transform template validation error for Rest Connectors
Updates the request/response template validation error (for create_event_trigger, create_cron_trigger, create_action, update_action and test_webhook_transform metadata APIs):
- The HTTP status code has been changed from 200 to 400 for metadata APIs with wrong transformation templates.
- The response body has been changed to be uniform across the metadata APIs.
Example response for a wrong transformation template:
Old behaviour (HTTP status code: 200). Response:
```json
[
  {
    "error_code": "Parse Error",
    "message": "Unexpected token '}'.",
    "source_position": {
      "end_column": 15,
      "end_line": 0,
      "start_column": 14,
      "start_line": 0
    }
  }
]
```
New behaviour (HTTP status code: 400). Response:
```json
{
  "code": "validation-failed",
  "error": "request transform validation failed",
  "path": "$.args",
  "internal": [
    {
      "error_code": "Parse Error",
      "message": "Unexpected token '}'.",
      "source_position": {
        "end_column": 15,
        "end_line": 0,
        "start_column": 14,
        "start_line": 0
      }
    }
  ]
}
```
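The two response shapes above, handled by one parser, as an added example (not Hasura's code): a deploy script that only checked the HTTP status would have treated the old 200 response as a success. The function names and the output format are assumptions of this example; the sample bodies are the ones shown above.

```python
import json

# Sample bodies copied from the old and new behaviour shown above.
OLD_BODY = """[{"error_code": "Parse Error", "message": "Unexpected token '}'.",
  "source_position": {"end_column": 15, "end_line": 0,
                      "start_column": 14, "start_line": 0}}]"""
NEW_BODY = """{"code": "validation-failed",
  "error": "request transform validation failed", "path": "$.args",
  "internal": [{"error_code": "Parse Error", "message": "Unexpected token '}'.",
    "source_position": {"end_column": 15, "end_line": 0,
                        "start_column": 14, "start_line": 0}}]}"""


def template_errors(status, body):
    """Return template errors as strings for either response shape, [] if none."""
    try:
        payload = json.loads(body)
    except ValueError:
        return []
    if status == 200 and isinstance(payload, list):
        # Old behaviour: success status, bare list of error objects.
        items = payload
    elif (status == 400 and isinstance(payload, dict)
          and payload.get("code") == "validation-failed"):
        # New behaviour: uniform error envelope, details under "internal".
        items = payload.get("internal")
        if not isinstance(items, list):
            items = []
    else:
        return []
    found = []
    for item in items:
        if not (isinstance(item, dict) and "error_code" in item):
            continue  # not a template error entry
        pos = item.get("source_position")
        if not isinstance(pos, dict):
            pos = {}
        where = "{}:{}-{}:{}".format(
            pos.get("start_line", "?"), pos.get("start_column", "?"),
            pos.get("end_line", "?"), pos.get("end_column", "?"))
        found.append("{} at {}: {}".format(
            item["error_code"], where, item.get("message", "")))
    return found


def deploy_ok(status, body):
    """A metadata call succeeded only if it returned 200 with no template errors."""
    return status == 200 and not template_errors(status, body)
```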
Bug fixes and improvements
Server
- Fix streaming subscription input type names for graphql-default
- Support use of kriti template to generate query param for request transform from list of arguments.
- Add option to enable/disable event triggers on logically replicated tables
- Fix bug when an enum was used as a variable on a remote schema that has a custom prefix or suffix (fixes #9219)
- Hasura was incorrectly omitting 'all' scalar types and so it caused the printed schema to be invalid preventing users from using the new experimental support for Apollo federation. Now, as a fix we have removed all the 'built-in' scalars from our schema while keeping the 'custom' scalars. As a result, it should work for custom scalars such as UUID. (fixes #9115).
- Previously while creating an event trigger with Heroku instance, users were getting an error “Extensions can only be created on heroku_ext schema”. Now, we are making it easy for users to quickly resolve the error by providing a hint in the error message - “pgcrypto can only be created in heroku_ext schema. Hint: You can set \"extensions_schema\” (related to #8734).
- Introduce a new experimental feature flag hide_stream_fields which toggles off streaming features, to be used if these cause schema type name conflicts.
- Renaming get_event_invocations API to get_scheduled_event_invocations. The get_event_invocations API endpoint is not used for event trigger invocations, but for scheduled event invocations, thus the renaming.
- Add Prometheus metric for Postgres connection pool utilization (Enterprise edition only)
Console
- Adds SSO login capability to Hasura EE. (Enterprise edition only)
- Fix filter, sort, and pagination on nested browse rows views.
- Show roles created from allow list on Data, Remote Schema and Action permission tables
- Adds Enable Naming Convention checkbox to enable/disable naming convention in the GraphQL Field Customization section of Connect Database page.
- Restore the Custom Tracking Table modal, in case of naming conflicts
- Add toggle all button to select/unselect all the columns for event trigger update operation.
Build
- Debian-based images are no longer built; only Ubuntu is supported.
v2.15.1
Changelog
This is a patch release for v2.15.0
Bug fixes and improvements
CLI
- Export missing response_transform field in actions metadata while exporting metadata (fix #9182)
Console
- Fix bug causing stale data being shown on the browse rows page while moving between tables
- Fix the export data to CSV and JSON on browse rows page when no filters are present
- Fix browse rows pagination and respecting filters and sorting from url params
- Fix broken REST button on GraphiQL in the API explorer
v2.15.0
Changelog
Highlights
Support for CockroachDB (beta)
We are pleased to announce the beta release for CockroachDB datasource on the Hasura GraphQL Engine. In this beta release Hasura supports Queries and Mutations with plans to add support for subscription before the GA release, which will coincide with the release of CockroachDB v22.2 (tentatively scheduled for early December).
CockroachDB is a distributed SQL database built on a transactional and strongly-consistent key-value store. It scales horizontally; survives disk, machine, rack, and even datacenter failures with minimal latency disruption and no manual intervention; supports strongly-consistent ACID transactions; and provides a familiar SQL API for structuring, manipulating, and querying data.
Together with Hasura, CockroachDB now supports: Instant GraphQL & REST APIs, Declarative Role Based Authorization, Advanced Security and Performance with rate limiting, allow lists, and caching.
Minimum Version Requirements
- Hasura GraphQL engine v2.15.0 onwards
- CockroachDB v22.2 onwards
ODBC Driver 18 for SQL Server
The ODBC Driver 18 for SQL Server is now installed. This allows users to provide ODBC Driver 18 connection strings. Because this version has native support for arm64/aarch64, this means that Hasura GraphQL Engine can now connect to a MS SQL Server database when running on macOS with an aarch64 chip (M1 or M2).
Action and Event Trigger Improvements
1. Action Response Transforms on Console
Response transformation for Actions has been available in the API. Now you can configure response transforms on the console (below the payload transform section of the Action creation form). For more information see the docs here.
2. Support for optional query parameters
Previously, when an optional query parameter for a REST endpoint had an empty input, Hasura still attempted to send it, which yields an error at most REST endpoints, as mentioned in this issue. With this release, actions and event trigger REST connector query parameters are now optional. For more information please see documentation here.
3. Updates to JSON payload transformation templates
Transforming of payloads for Actions and Event Triggers in Hasura is achieved using the in-house developed templating language - kriti-lang. In this release we have updated it to version 0.3.3 which has the following changes:
- Adds elif syntax to if expressions.
- Improved error messaging and error codes.
- Allow arbitrary expressions as range iteratee.
- Adds Kriti.CustomFunctions.basicFuncMap functions to the kriti executable.
- Adds KritiError type to exports from Kriti.
New Batch Limit for increased API Security (Enterprise Edition Only)
A batched request is an array of operations, so a client can attempt a Denial of Service (DoS) attack by supplying a very large number of operations in one request. To avoid this scenario, we have introduced a new batch limit in the API Limits section of the Security tab.
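A gateway-side version of the same limit, as an added example for deployments that do not have the Enterprise setting (this is not Hasura's implementation). The limit value, the body size cap, the status codes and the function name are assumptions of this example, and it assumes every operation carries a `query` string.

```python
import json

MAX_BATCH_OPERATIONS = 10      # assumed limit; choose per deployment
MAX_BODY_BYTES = 1_000_000     # assumed cap, checked before any parsing

# Constructed sample request bodies: one operation, and a batch of 25.
SAMPLE_SINGLE = b'{"query": "query { students { name } }"}'
SAMPLE_BATCH = b"[" + b",".join([SAMPLE_SINGLE] * 25) + b"]"


def check_batch(body, limit=MAX_BATCH_OPERATIONS):
    """Classify a GraphQL POST body.

    Returns (http_status, reason, operation_count). A JSON object is one
    operation; a JSON array is a batch with one operation per element.
    """
    if len(body) > MAX_BODY_BYTES:
        return 413, "body too large", 0
    try:
        payload = json.loads(body)
    except (ValueError, RecursionError):
        # Invalid JSON, invalid encoding, or nesting deep enough to
        # exhaust the decoder's recursion limit.
        return 400, "body is not valid JSON", 0

    ops = payload if isinstance(payload, list) else [payload]
    if not ops:
        return 400, "empty batch", 0

    # Reject on count first so an oversized batch is never iterated.
    if len(ops) > limit:
        reason = "batch of {} operations exceeds limit {}".format(len(ops), limit)
        return 429, reason, len(ops)

    for index, op in enumerate(ops):
        if not isinstance(op, dict) or not isinstance(op.get("query"), str):
            reason = "operation {} is not an object with a query string".format(index)
            return 400, reason, len(ops)
    return 200, "ok", len(ops)
```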
Elastic Connection Pooling (Cloud Only)
Introducing a new connection pool setting, total_max_connections, which is now the preferred way to manage Hasura instance pools. It is configured per project to help with zero-administration high reliability. This improves on the current max_connections setting, which is per instance and often leads to exceeding the database's available connections at the project level. Connection pools in Hasura Cloud have flexible maximum connections; a pool's size is elastic. When a project is scaled up or down, Hasura Cloud automatically adjusts the maximum connections of the sources' pools, including read replicas, to ensure consistent total maximum connections across all server instances.
Bug fixes and improvements
Server
- fix the behaviour where a default time limit of 60 seconds was applied when no api limits were set. (Enterprise edition only)
- Introduce a new experimental feature flag hide_aggregation_predicates which toggles off aggregation functions in where clauses, to be used if these cause schema type name conflicts.
- Make action/event trigger REST connector query params optional
- Postgres: change the name scheme for aggregation predicate types from <table name>_<relation name>_aggregate to <relation table name>_aggregate_bool_exp, to avoid conflicting definitions with regular table selection aggregates.
- add IF EXISTS while dropping the constraint in source migrations (2 -> 3)
- fix remote relationship to remote schema sometimes being erroneously null when multiple relationships are defined on the same table / graphql object (fix #8345)
- pg_dump has been upgraded in order to support PostgreSQL 15.
- Add api limit - batch limit. batch limit - restricts the number of GraphQL operations for batched requests (Enterprise edition only)
- close the WS connection in case of Apollo-ws protocol (protocol value: graphql-ws), when there is no authentication present (admin secret or unauthenticated role)
Console
- Display Prometheus configuration in the console Settings page. (Enterprise edition only)
- Add Batch on Security -> API Limits tab to tackle GraphQL batching attacks. (Enterprise edition only)
- Fix remote schema permissions with null default value
- Fix remote schema permissions with interfaces
- Fix remote schema permission when there are arguments
- Show Total Max Connections pool settings fields on connect DB page (Cloud Only)
- Enable the Add operation to allowlist button on the monitoring tab
v2.15.0-beta.1
Changelog
Highlights
Support for CockroachDB (beta)
We are pleased to announce the beta release for CockroachDB datasource on the Hasura GraphQL Engine. In this beta release Hasura supports Queries and Mutations with plans to add support for subscription before the GA release, which will coincide with the release of CockroachDB v22.2 (tentatively scheduled for early December).
CockroachDB is a distributed SQL database built on a transactional and strongly-consistent key-value store. It scales horizontally; survives disk, machine, rack, and even datacenter failures with minimal latency disruption and no manual intervention; supports strongly-consistent ACID transactions; and provides a familiar SQL API for structuring, manipulating, and querying data.
Together with Hasura, CockroachDB now supports: Instant GraphQL & REST APIs, Declarative Role Based Authorization, Advanced Security and Performance with rate limiting, allow lists, and caching.
Minimum Version Requirements
- Hasura GraphQL engine v2.15.0 onwards
- CockroachDB v22.2 onwards
ODBC Driver 18 for SQL Server
The ODBC Driver 18 for SQL Server is now installed. This allows users to provide ODBC Driver 18 connection strings. Because this version has native support for arm64/aarch64, this means that Hasura GraphQL Engine can now connect to a MS SQL Server database when running on macOS with an aarch64 chip (M1 or M2).
Action and Event Trigger Improvements
1. Action Response Transforms on Console
Response transformation for Actions has been available in the API. Now you can configure response transforms on the console (below the payload transform section of the Action creation form).
2. Support for optional query parameters
Previously, when an optional query parameter for a REST endpoint had an empty input, Hasura still attempted to send it, which yields an error at most REST endpoints, as mentioned in this issue. With this release, actions and event trigger REST connector query parameters are now optional. For more information please see documentation here.
3. Updates to JSON payload transformation templates
Transforming of payloads for Actions and Event Triggers in Hasura is achieved using the in-house developed templating language - kriti-lang. In this release we have updated it to version 0.3.3 which has the following changes:
- Adds elif syntax to if expressions.
- Improved error messaging and error codes.
- Allow arbitrary expressions as range iteratee.
- Adds Kriti.CustomFunctions.basicFuncMap functions to the kriti executable.
- Adds KritiError type to exports from Kriti.
Bug fixes and improvements
Server
- Make action/event trigger REST connector query params optional
- Postgres: change the name scheme for aggregation predicate types from <table name>_<relation name>_aggregate to <relation table name>_aggregate_bool_exp, to avoid conflicting definitions with regular table selection aggregates.
- add IF EXISTS while dropping the constraint in source migrations (2 -> 3)
- fix remote relationship to remote schema sometimes being erroneously null when multiple relationships are defined on the same table / graphql object (fix #8345)
- pg_dump has been upgraded in order to support PostgreSQL 15.
- Add api limit - batch limit. batch limit - restricts the number of GraphQL operations for batched requests (Enterprise Edition only)
- close the WS connection in case of Apollo-ws protocol (protocol value: graphql-ws), when there is no authentication present (admin secret or unauthenticated role)
Console
- Display Prometheus configuration in the console Settings page. (Enterprise Edition only)
- Fix remote schema permissions with null default value. Related issue
- Fix remote schema permissions with interfaces. Related issue
- Fix remote schema permission when there are arguments. Related issue
- Add Batch on Security -> API Limits tab to tackle GraphQL batching attacks. (Enterprise Edition only)
- Fixes failures/indefinite loading during operation inspection in monitoring tab. (Enterprise Edition only)
- Show Total Max Connections pool settings fields on connect DB page
v2.14.0
Changelog
Highlights
GraphQL Type Generator in Actions
While creating a new Action, now you can use a type generator on the Console to easily create GraphQL types from JSON sample requests
Aggregate functions in where-clauses
We now support aggregation functions in where-clauses, initially requested in #1498, see docs.
This allows queries such as the following to fetch the names of students that have an average grade above a certain value across their science classes:
```graphql
query {
  students(_where: {
    classes_aggregate: {
      average: {
        arguments: "grade",
        filter: {department: {_eq: "science"}},
        predicate: { _gt: 10 }
      }
    }
  })
  {
    name
  }
}
```
Bug fixes and improvements
Server
- Aggregation Predicates now generate GraphQL type names which are less prone to conflicts. The entire feature can now be disabled via the experimental feature flag hide_aggregation_predicates.
- add IF EXISTS while dropping the constraint in source migrations (2 -> 3)
- pg_dump has been upgraded in order to support PostgreSQL 15.
- fix batch_size behaviour for auto event trigger log cleanup (Enterprise edition only)
- Use only accepted requests for calculating rate limiting (Enterprise edition only)
- When conflicting type definitions are encountered, show their definitions in the error message
- Remove spaces before colons in error messages and descriptions
- BigQuery: Strings in suitable notation are now permitted for all numerical input fields.
- Fix type name generation in the GraphQL schema for aggregation predicate functions to avoid conflicts
- Fix swapping of the idle_timeout and max_connections fields for MySQL connection pool settings while applying metadata.
- Replacing the metadata will now reload all affected sources. Previously, the GraphQL Engine would re-use the cached data from the sources which could lead to a stale schema.
- Add origin of errors in error messages of streaming subscription to help find source of errors
- Extend the Config API to report whether the Prometheus metrics API has been enabled. (Enterprise edition only)
- Add hide_update_many_fields experiment feature flag which allows GraphQL Engine to be started without including _updates fields. This is useful for resolving errors where the new fields conflict with existing table names. (fix #8844)
- Avoid exporting the backend_only flag for delete permissions if it is set to false while exporting metadata to make it consistent with insert and update permissions.
- Support count-star aggregates in CockroachDB.
- Fix bug that didn't stream any data when the cursor column of a streaming subscription had a custom identifier set. (fix #8985)
Console
- Fixes failures/indefinite loading during operation inspection in monitoring tab. (Enterprise edition only)
- Add the functionality to customize the GraphQL field name for the update_many operation
- Fix dropping of existing configured response transforms while updating an action
- Show event trigger invocation logs on the console if only event logs are cleaned.
- Fix auto-cleanup frequent frequencies dropdown on event triggers modify page. (Enterprise edition only)
- Fix local object relationship deletion in new relationships page (fix #9024)
- Fix inserting of JSON object for Citus and CockroachDB (fix #9015)
- Fix browse rows page filters for BigQuery and add new operators (in, not in, like, not like) (fix #9023)
- Add Try it button on the table pages to quickly try GraphQL operations on the table using the API explorer.
- Fix export to CSV on the table browse rows page when special characters are present in the data. (fix #7537)
CLI
- Correctly export query_collections.yaml when query_collections object in metadata JSON contains at least one definition.queries as an empty array. (fixes #8787)
v2.13.1
Changelog
This is a patch release for v2.13.0
Bug fixes and improvements
Server
- fix the behaviour where a default time limit of 60 seconds was applied when no api limits were set. (Enterprise edition only)
v2.14.0-beta.2
Changelog
Bug fixes and improvements
Server
- Aggregation Predicates now generate GraphQL type names which are less prone to conflicts. The entire feature can now be disabled via the experimental feature flag hide_aggregation_predicates.
- add IF EXISTS while dropping the constraint in source migrations (2 -> 3)
Console
- Enable the Add operation to allowlist button on the monitoring tab
v2.14.0-beta.1
Changelog
Highlights
Aggregate functions in where-clauses
We now support aggregation functions in where-clauses, initially requested in #1498, see docs.
This allows queries such as the following to fetch the names of students that have an average grade above a certain value across their science classes:
```graphql
query {
  students(_where: {
    classes_aggregate: {
      average: {
        arguments: "grade",
        filter: {department: {_eq: "science"}},
        predicate: { _gt: 10 }
      }
    }
  })
  {
    name
  }
}
```
GraphQL Type Generator in Actions
While creating a new Action, now you can use a type generator on the Console to easily create GraphQL types from JSON sample requests
Bug fixes and improvements
- server: When conflicting type definitions are encountered, show their definitions in the error message
- server: Remove spaces before colons in error messages and descriptions
- server: Strings in suitable notation are now permitted for all numerical input fields.
- server: Fix type name generation in the GraphQL schema for aggregation predicate functions to avoid conflicts
- server: Fix swapping of the idle_timeout and max_connections fields for MySQL connection pool settings while applying metadata.
- server: Replacing the metadata will now reload all affected sources. Previously, the GraphQL Engine would re-use the cached data from the sources which could lead to a stale schema.
- server: Add origin of errors in error messages of streaming subscription to help find source of errors
- server: Add hide_update_many_fields experiment feature flag which allows GraphQL Engine to be started without including _updates fields. This is useful for resolving errors where the new fields conflict with existing table names. (fix #8844)
- server: Avoid exporting the backend_only flag for delete permissions if it is set to false while exporting metadata to make it consistent with insert and update permissions.
- server: Support count-star aggregates in CockroachDB.
- server: Fix bug that didn't stream any data when the cursor column of a streaming subscription had a custom identifier set. (fix #8985)
- console: Add the functionality to customize the GraphQL field name for the update_many operation
- console: Fix dropping of existing configured response transforms while updating an action
- console: Show event trigger invocation logs on the console if only event logs are cleaned.
- console: Move auto-cleanup config on event triggers modify page
- console: Fix local object relationship deletion in new relationships page (fix #9024)
- console: Fix inserting of JSON object for Citus and CockroachDB (fix #9015)
- console: Fix browse rows page filters for BigQuery and add new operators (in, not in, like, not like) (fix #9023)
- console: Add Try it button on the table pages to quickly try GraphQL operations on the table using the API explorer.
- console: Fix export to CSV on the table browse rows page when special characters are present in the data. (fix #7537)
- cli: Correctly export query_collections.yaml when query_collections object in metadata JSON contains at least one definition.queries as an empty array. (fixes #8787)
v2.13.0
Changelog
Auto cleanup for event triggers
(Enterprise edition only)
You can now configure automatic cleanup of event trigger logs with various configuration parameters. Read more about it here
Source health checks
(Enterprise edition only)
Introducing health checks for data sources. A health check on a source can be enabled and configured via an optional health_check field in the source metadata.
Example for a Postgres source.
```http
POST /v1/metadata HTTP/1.1
Content-Type: application/json
X-Hasura-Role: admin

{
  "type": "pg_add_source",
  "args": {
    "name": "<db_name>",
    "configuration": {
      "connection_info": {
        "database_url": {
          "from_env": "<DATABASE_URL_ENV>"
        }
      }
    },
    "health_check": {
      "test": {
        "sql": "SELECT 1"
      },
      "interval": 300,
      "timeout": 5,
      "retries": 3,
      "retry_interval": 5
    }
  }
}
```
Please refer to our docs for more information.
Reporting source health check
(Enterprise edition only)
Health check reports of sources can be obtained on demand through a GET request to /healthz/sources, an admin-only endpoint. Learn more about the API here.
Currently, Hasura supports enabling health checks on Postgres and MS SQL Server databases. Support for other data sources will be added soon.
Bug fixes and improvements
- server: Strings in suitable notation are now permitted for all numerical input fields.
- server: Fix bug that didn't stream any data when the cursor column of a streaming subscription had a custom identifier set.
- server: fix handling non-latin text elements in array literals in Postgres (fix #8961)
- server: Make args optional in BigQuery computed fields that are backed by functions that don't take any user-specified arguments. (close #8904)
- server: Fix an issue in the server's handling of the graphql-ws protocol, in which the server can cause an infinite ping-pong loop. (fix #8967)
- server: Add get_rows_count arg in get_event_invocations and get_scheduled_events metadata APIs; when it is false, the total rows count is not included in the response.
- server: drop associated event triggers when a source is removed via the replace_metadata metadata API
- server: update tracing log to use original hex values sent in request header
- server: Improve error reporting when root fields originating from Actions or Remote schemas conflict
- server: fix applying migrations when the same SQL function is used as both a computed field and as a root field (fix #8643)
- server: Support 128-bit trace ids (Enterprise edition only)
- console: fix local object relationship deletion in new relationships page (fix #9024)
- console: Add a shortcut for creating a query collection operation using the introspection query or any query defined in the GraphiQL tab
- console: add schema preview for remote schemas
- console: Remove the old allow list section and add a link to the new Allow List Manager in the settings.
- console: Fix column selection bug for select and insert permissions on the table permissions page (fix #8937)
- console: allow users to edit comments on DB views using the console (fix #8846)
- console: allow resizing GraphiQL in API explorer (fix #8880)
- cli: Fix schema block being dropped from SDL when exporting remote schema permissions (fix #8579)