feat: added endpoint to "elevate" permissions using webauthn #451
Conversation
🦋 Changeset detected
Latest commit: 0c2ff8b
The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package.
src/routes/elevate/webauthn.ts (outdated)

```ts
userId: user.id,
checkMFA: false,
extraClaims: {
  [`x-nhost-auth-elevated`]: true,
```
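Review bot: `checkMFA: false` means the session minted here skips the TOTP step; that is acceptable only because a WebAuthn assertion has just been verified, so add a one-line comment saying so and make sure this block is unreachable when the assertion fails, otherwise the elevate endpoint becomes an MFA bypass. Two smaller points on the same lines: the computed key `[`x-nhost-auth-elevated`]` has no interpolation and can be the plain property `'x-nhost-auth-elevated'`, and a claim value of `true` cannot be compared against a row's user id in a Hasura permission rule, whereas `user.id` can.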
Instead of setting it to `true`, set it to `user.id` so it can be used in Hasura permissions to match against the user.
And snake-casing please, to match default headers such as `X-Hasura-User-Id`. Unless that would already be the case for the claim added to headers.
> instead of setting to true, set to user.id so it can be used in hasura permissions to match against the user

Good idea.

> and SnakeCasing please to match default headers such as X-Hasura-User-Id. Unless that would already be for the claim added to headers

HTTP headers are case-insensitive, so in your code you could use `X-NhoST-AuTh-ElevaTed` and it should work just fine.
The idea is to provide `/elevate/webauthn` and `/elevate/webauthn/verify` endpoints that work exactly like their `/signin` equivalents, with the following differences:

- `X-Nhost-Auth-Elevated: user-uuid`

The idea is to allow users to add an extra security step before performing certain operations. For instance, a user could:

- `X-Nhost-Auth-Elevated: user-uuid` to update/delete

Before submitting this PR:

Checklist

Breaking changes
Avoid breaking changes and regressions. If you feel it is unavoidable, make it explicit in your PR comment so we can review it and see how to handle it.

Tests
(`make test` or the `make watch` command).

Documentation
Please make sure the documentation is updated accordingly, in particular:
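As an added example (not code from this PR or from nhost/hasura-auth), the TypeScript below models the point made in the review thread: when the elevated claim carries the user's id instead of `true`, a single Hasura-style row permission `{ id: { _eq: "X-Nhost-Auth-Elevated" } }` both scopes update/delete to the caller's own `users` row and requires an elevated session, while a boolean claim cannot be matched against a row at all. It also shows that claim and header names are matched case-insensitively, as the author notes. Everything in it is an assumption for illustration: the permission evaluator is a toy imitation of Hasura's `_eq` session-variable comparison, the claim-minting functions stand in for what `/elevate/webauthn/verify` would issue, and the user ids are constructed. One caveat for a real deployment: Hasura's JWT mode only exposes claims in the `x-hasura-*` namespace as session variables, so the claim name may need to live in that namespace for a permission rule to see it; the toy evaluator accepts any `x-*` name so the page's proposed header can be used as written.

```typescript
// Toy model of matching an elevated-session claim in a Hasura-style row
// permission. Added example, not code from the PR; the evaluator imitates
// only Hasura's `{ column: { _eq: "X-Session-Var" } }` comparison and is an
// assumption about that behaviour, not Hasura itself.

type HasuraSessionVars = Record<string, string>;
type DbRow = Record<string, string>;
// One `_eq` comparison per column; the right-hand side is either a literal
// or the name of a session variable (any name beginning with "x-").
type HasuraRowPermission = Record<string, { _eq: string }>;

// Claims become session variables. Header names are case-insensitive, so
// keys are lower-cased: `X-NhoST-AuTh-ElevaTed` and `x-nhost-auth-elevated`
// end up as the same variable. Values are stringified, so a boolean `true`
// becomes the string "true".
function sessionVarsFromClaims(
  claims: Record<string, string | boolean>,
): HasuraSessionVars {
  const vars: HasuraSessionVars = {};
  for (const [key, value] of Object.entries(claims)) {
    vars[key.toLowerCase()] = String(value);
  }
  return vars;
}

// Session-variable references resolve case-insensitively; a variable that is
// absent from the token resolves to undefined and therefore never matches.
function resolveOperand(operand: string, vars: HasuraSessionVars): string | undefined {
  return /^x-/i.test(operand) ? vars[operand.toLowerCase()] : operand;
}

function rowAllowed(perm: HasuraRowPermission, row: DbRow, vars: HasuraSessionVars): boolean {
  return Object.entries(perm).every(([column, { _eq }]) => {
    const expected = resolveOperand(_eq, vars);
    return expected !== undefined && row[column] === expected;
  });
}

// Assumed claim shapes: a normal session carries the Hasura defaults; an
// elevated session (what a hypothetical /elevate/webauthn/verify would mint)
// adds the elevated claim with the user's id as its value, as the review
// suggests. Header-style casing is used on purpose to show it does not matter.
function normalSessionClaims(userId: string): Record<string, string | boolean> {
  return { 'x-hasura-user-id': userId, 'x-hasura-default-role': 'user' };
}
function elevatedSessionClaims(userId: string): Record<string, string | boolean> {
  return { ...normalSessionClaims(userId), 'X-Nhost-Auth-Elevated': userId };
}

// Update/delete permission on `users`: the row id must equal the elevated
// claim. Because the claim carries the user id, one comparison both scopes
// the rule to the caller's own row and requires an elevated session.
const deleteOwnUserWhenElevated: HasuraRowPermission = {
  id: { _eq: 'X-Nhost-Auth-Elevated' },
};

// Can a token with these claims delete the `users` row whose id is rowUserId?
function canDeleteUserRow(
  claims: Record<string, string | boolean>,
  rowUserId: string,
): boolean {
  return rowAllowed(deleteOwnUserWhenElevated, { id: rowUserId }, sessionVarsFromClaims(claims));
}

// The original diff set the claim to `true`. Stringified, that is "true",
// which never equals a row id, so the same rule denies even an elevated user.
function canDeleteUserRowWithBooleanClaim(userId: string): boolean {
  const claims = { ...normalSessionClaims(userId), 'x-nhost-auth-elevated': true };
  return canDeleteUserRow(claims, userId);
}

// Constructed sample ids, not taken from the PR.
const ALICE = '8a6e0804-2bd0-4672-b79d-d97027f9071a';
const BOB = 'f2e0c7a1-5f0e-4b3e-9c6e-0a1b2c3d4e5f';

console.log(canDeleteUserRow(elevatedSessionClaims(ALICE), ALICE)); // true
console.log(canDeleteUserRow(normalSessionClaims(ALICE), ALICE)); // false: not elevated
console.log(canDeleteUserRow(elevatedSessionClaims(BOB), ALICE)); // false: someone else's row
console.log(canDeleteUserRowWithBooleanClaim(ALICE)); // false: "true" is not an id
```

The third case is the one worth keeping in mind: Bob's elevated token is denied on Alice's row without any extra `X-Hasura-User-Id` clause, because the elevated claim already names the user it was issued for.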