hasura / graphql-engine

Blazing fast, instant realtime GraphQL APIs on your DB with fine grained access control, also trigger webhooks on database events.
https://hasura.io
Apache License 2.0
31.18k stars 2.77k forks

REST endpoints do not send request body to auth webhook #10512

Closed ProfXponent closed 2 weeks ago

ProfXponent commented 2 months ago

Version Information

Server Version: v2.37.0

Environment

CE

What is the current behaviour?

When authenticating REST endpoint calls, Hasura does not send the REST request body.

This causes problems with platforms like Stripe where you need to verify the Stripe webhook request body with their stripe-signature header.

Using Hasura in the POST auth webhook configuration just passes a null request body to the auth webhook, making it impossible to verify the validity of the Stripe webhook call.

What is the expected behaviour?

That Hasura would pass along the gql request body for the underlying REST endpoint as the documentation describes.

How to reproduce the issue?

  1. Create an auth webhook and run Hasura in POST auth webhook mode
  2. Create a REST endpoint in Hasura making an authenticated gql query
  3. Log the request body of the auth webhook call.
  4. Verify the headers property and note the null value of the request property.

Please provide any traces or logs that could help here.

web                             | [NEXT] body {
web                             | [NEXT]   headers: {
web                             | [NEXT]     Accept: '*/*; q=0.5, application/xml',
web                             | [NEXT]     'Accept-Encoding': 'gzip',
web                             | [NEXT]     'Cache-Control': 'no-cache',
web                             | [NEXT]     'Content-Length': '7159',
web                             | [NEXT]     'Content-Type': 'application/json; charset=utf-8',
web                             | [NEXT]     Host: 'graphql-engine.prof.dev.x.sh',
web                             | [NEXT]     'Stripe-Signature': 't=1724395973,v1=xxx',
web                             | [NEXT]     'User-Agent': 'Stripe/1.0 (+https://stripe.com/docs/webhooks)',
web                             | [NEXT]     'X-Forwarded-For': '192.168.65.1',
web                             | [NEXT]     'X-Forwarded-Host': 'graphql-engine.prof.dev.x.sh',
web                             | [NEXT]     'X-Forwarded-Port': '443',
web                             | [NEXT]     'X-Forwarded-Proto': 'https',
web                             | [NEXT]     'X-Forwarded-Server': '01b8639a93c8',
web                             | [NEXT]     'X-Real-Ip': '192.168.65.1',
web                             | [NEXT]     'x-request-id': 'c7764582-44fc-491c-b186-ab7f8c1986b1'
web                             | [NEXT]   },
web                             | [NEXT]   request: null
web                             | [NEXT] }

Any possible solutions/workarounds you're aware of?

Writing a Go service to do this instead.

rakeshkky commented 2 months ago

Hi @ProfXponent, please check the following server flag or env var is configured.

Configure them to true. Ref: https://hasura.io/docs/2.0/deployment/graphql-engine-flags/reference/#send-request-body-to-auth-hook

ProfXponent commented 2 weeks ago

@rakeshkky thank you, I think this resolves the issue for me
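
The Stripe-Signature check that the issue says an auth webhook cannot perform without the request body, as an added example that is not part of the thread or of Hasura's code. Stripe signs `<t>.<raw body>` with HMAC-SHA256, so the sketch assumes the hook has the exact bytes Stripe sent; the function names, secret and sample event are constructed for illustration.

```javascript
// Added example: verify a Stripe-Signature header against the raw request body.
const crypto = require('crypto');

// Parse "t=<unix ts>,v1=<hex>[,v1=<hex>...]" into a timestamp and v1 list.
function parseStripeSignature(header) {
  const out = { t: null, v1: [] };
  for (const part of String(header || '').split(',')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    const key = part.slice(0, i).trim();
    const value = part.slice(i + 1).trim();
    if (key === 't' && /^\d+$/.test(value)) out.t = Number(value);
    if (key === 'v1' && /^[0-9a-f]{64}$/i.test(value)) out.v1.push(value);
  }
  return out;
}

// rawBody must be the exact bytes Stripe sent (string or Buffer); JSON that was
// parsed and re-serialized will generally not reproduce the signed payload.
function verifyStripeSignature(rawBody, header, secret, nowSec, toleranceSec = 300) {
  if (typeof rawBody !== 'string' && !Buffer.isBuffer(rawBody))
    return { ok: false, reason: 'no raw body' };
  const { t, v1 } = parseStripeSignature(header);
  if (t === null || v1.length === 0) return { ok: false, reason: 'malformed header' };
  if (Math.abs(nowSec - t) > toleranceSec)
    return { ok: false, reason: 'timestamp outside tolerance' };
  const expected = crypto.createHmac('sha256', secret)
    .update(`${t}.`).update(rawBody).digest();
  // Constant-time compare; both sides are 32 bytes because v1 is 64 hex chars.
  const match = v1.some((hex) => crypto.timingSafeEqual(Buffer.from(hex, 'hex'), expected));
  return match ? { ok: true } : { ok: false, reason: 'signature mismatch' };
}

// Constructed sample: the secret and event body are made up for this demo.
function demo() {
  const secret = 'whsec_constructed_example';
  const body = '{"id":"evt_constructed","type":"invoice.paid"}';
  const t = 1724395973;
  const sig = crypto.createHmac('sha256', secret).update(`${t}.${body}`).digest('hex');
  const header = `t=${t},v1=${sig}`;
  const pretty = JSON.stringify(JSON.parse(body), null, 1); // same JSON, different bytes
  return {
    good: verifyStripeSignature(body, header, secret, t + 10),
    reserialized: verifyStripeSignature(pretty, header, secret, t + 10),
    nullBody: verifyStripeSignature(null, header, secret, t + 10),
    stale: verifyStripeSignature(body, header, secret, t + 3600),
  };
}
```

The `nullBody` case corresponds to the `request: null` payload in the log above: with only the headers available, the hook has to reject rather than trust the `Stripe-Signature` value on its own.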