hasura / graphql-engine

Blazing fast, instant realtime GraphQL APIs on your DB with fine grained access control, also trigger webhooks on database events.
https://hasura.io
Apache License 2.0

A Way to Use Hasura as the Hasura Auth Provider? #5204

Open zicklag opened 4 years ago

zicklag commented 4 years ago

I know that Hasura has intentionally delegated authentication to external providers, but I'm curious if there is a place for a simple way to use the PostgreSQL database or Hasura itself to back the authentication.

I'm not a beginner and I'm not afraid to setup an auth provider, nor do I think that it is super complicated to do so, but at the same time, the application I'm designing doesn't really need to delegate auth to a separate server. The typical workflow of having a first user setup form that creates the admin user and then storing all the users in the same database as the rest of the application would work great.

Has anybody ever implemented the pattern where Hasura uses itself as the auth provider? I'm pretty sure we would need like a "sidecar" web service that you would use to power webhook-mode authentication, then that service would just go back and make a mutation to a login GraphQL endpoint that anonymous users can use to get a login session.

Would it make any sense to build something like this into Hasura so that the user doesn't have to? Or maybe we just want to create this "sidecar" web service and document the way to get it setup?

Any thoughts?

EmrysMyrddin commented 4 years ago

I have done exactly what you describe: a sidecar web server in nodejs and a login Action which calls my sidecar. The sidecar then uses the Hasura endpoint to verify the user's credentials.

You can find it here if you want to see implementation details: https://github.com/EmrysMyrddin/foodex/tree/master/auth

I agree that such a sidecar could be provided directly by Hasura itself, at least to allow simple applications to not deploy a sidecar, which is not very handy.

I also have an issue with my implementation. The login action returns this type:

```graphql
type LoginResult {
  token: String!
  userId: uuid!
  user: user!
}
```

But an unauthenticated user can't get the user field because he was not logged in when he sent the request. I don't see any userland solution to avoid this problem.

rishavs commented 4 years ago

This is the main reason why I am not using Hasura right now. I don't want to add yet another moving gear in my app. Authentication is a solved problem and by not including the basic auth flows in hasura + postgres, the dev is forced to either create a side app or use cloud based solutions. Neither of which should be an enforced issue in 2020.

If I have to set up a nodejs auth server anyway, I might as well use postgraphile. I love everything about Hasura. But I always stop after making basic CRUD because setting up a separate auth service makes zero sense to me.

I really hope that the Hasura owners will rethink the decision on not bundling auth.

EmrysMyrddin commented 4 years ago

I agree that this could be good for simple projects, but it's not that simple to include an auth server into Hasura.

Even a basic auth flow can be difficult to set up. For example, you will probably need to set up some sort of emailing for being able to verify your user or send password reset links. This is why cloud-based authentication services can be a good solution, even for simple projects.

I understand the decision of not making this part of Hasura's scope, even if it's cumbersome for my own project.

rishavs commented 4 years ago

I fully agree this FR increases the overall scope of Hasura, but considering that I can't even think of any web app nowadays which doesn't have auth needs, not having a baked-in solution is needless friction for Hasura adopters. Especially for solo developers like me who need to do backend, frontend, devops all by themselves.

My hope for Hasura is that it takes care of all my backend needs (app + db) and frees me to work on the frontend. Of course, I am probably not the kind of user Hasura is targeting, but seeing how many issues, tutorials, articles etc. are around this very topic, I am sure this will be a welcome addition to Hasura's capability.

tirumaraiselvan commented 4 years ago

> I know that Hasura has intentionally delegated authentication to external providers, but I'm curious if there is a place for a simple way to use the PostgreSQL database or Hasura itself to back the authentication.

You may want to check out https://github.com/nhost/hasura-backend-plus which uses PG and Hasura for authn.

galaczi commented 3 years ago

Having to set up auth separately is the reason I am going with Strapi for a new project. Not taking away from the great work on Hasura, but it would be a better market fit if a basic auth flow were included. Sending emails and such could be handled with existing tools, like triggers.

zicklag commented 3 years ago

@galaczi totally get the perspective, and it is some more work to set up the extra auth backend and such, but like @tanvibhakta, I can personally vouch for Hasura Backend Plus being a very effective solution. I've started using it and it has worked very well. Thanks for the tip @tirumaraiselvan :smile:.

I can understand Hasura's perspective and going either way with it, including or not including auth, but because it is more of a database engine, I think it makes sense that they don't include it. You are right, though, it does still leave a place unfilled where things like Strapi will take use cases that people wouldn't use Hasura for.