-
Notifications
You must be signed in to change notification settings - Fork 9
/
Copy path2-hasura-jwt-auth.sql
61 lines (56 loc) · 2.22 KB
/
2-hasura-jwt-auth.sql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
\connect example
create table hasura_user(
id serial primary key,
email varchar unique,
crypt_password varchar,
cleartext_password varchar,
default_role varchar default 'user',
allowed_roles jsonb default '["user"]',
enabled boolean default true,
jwt_token text
);
create or replace function hasura_encrypt_password(cleartext_password in text, salt in text) returns varchar as $$
select crypt(
encode(hmac(cleartext_password, current_setting('hasura.jwt_secret_key'), 'sha256'), 'escape'),
salt);
$$ language sql stable;
create or replace function hasura_user_encrypt_password() returns trigger as $$
begin
if new.cleartext_password is not null and trim(new.cleartext_password) <> '' then
new.crypt_password := (hasura_encrypt_password(new.cleartext_password, gen_salt('bf')));
end if;
new.cleartext_password = null;
new.jwt_token = null;
return new;
end;
$$ language 'plpgsql';
create trigger hasura_user_encrypt_password_trigger
before insert or update on hasura_user
for each row execute procedure hasura_user_encrypt_password();
-- https://docs.hasura.io/1.0/graphql/manual/auth/authentication/jwt.html#configuring-jwt-mode
create or replace function hasura_auth(email in varchar, cleartext_password in varchar) returns setof hasura_user as $$
select
id,
email,
crypt_password,
cleartext_password,
default_role,
allowed_roles,
enabled,
sign(
json_build_object(
'sub', id::text,
'iss', 'Hasura-JWT-Auth',
'iat', round(extract(epoch from now())),
'exp', round(extract(epoch from now() + interval '24 hour')),
'https://hasura.io/jwt/claims', json_build_object(
'x-hasura-user-id', id::text,
'x-hasura-default-role', default_role,
'x-hasura-allowed-roles', allowed_roles
)
), current_setting('hasura.jwt_secret_key')) as jwt_token
from hasura_user h
where h.email = hasura_auth.email
and h.enabled
and h.crypt_password = hasura_encrypt_password(hasura_auth.cleartext_password, h.crypt_password);
$$ language 'sql' stable;