
feat: added endpoint to "elevate" permissions using webauthn #451

Merged: 7 commits into main from elevate, Feb 2, 2024

Conversation

dbarrosop (Member) commented Nov 30, 2023

The idea is to provide /elevate/webauthn and /elevate/webauthn/verify endpoints that work exactly like their /signin equivalents with the following differences:

  1. Elevate requires a valid access token in the Authorization header matching the email triggering the challenge.
  2. The session returned includes the added claim X-Nhost-Auth-Elevated: user-uuid

The idea is to allow users to add an extra security step to allow performing certain operations. For instance, a user could:

  1. Allow the role user to select settings or view their profile.
  2. In addition require the custom claim X-Nhost-Auth-Elevated: user-uuid to update/delete

Before submitting this PR:

Checklist

  • No breaking changes
  • Tests pass
  • New features have new tests
  • Documentation is updated

Breaking changes

Avoid breaking changes and regressions. If you feel it is unavoidable, make it explicit in your PR comment so we can review it and see how to handle it.

Tests

  • Please make sure your changes pass the current tests (use the make test or the make watch command).
  • If you are introducing a new feature, please write as many tests as possible.

Documentation

Please make sure the documentation is updated accordingly, in particular:

changeset-bot commented Nov 30, 2023

🦋 Changeset detected

Latest commit: 0c2ff8b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package:
  • hasura-auth: Minor

src/routes/elevate/index.ts (reviewed snippet)

    userId: user.id,
    checkMFA: false,
    extraClaims: {
      [`x-nhost-auth-elevated`]: true,
fungilation commented Nov 30, 2023

Instead of setting it to true, set it to user.id so it can be used in Hasura permissions to match against the user.

And SnakeCasing please, to match default headers such as X-Hasura-User-Id. Unless that would already be the case for the claim added to headers.

dbarrosop (Member, Author) replied

> Instead of setting it to true, set it to user.id so it can be used in Hasura permissions to match against the user.

Good idea.

> And SnakeCasing please, to match default headers such as X-Hasura-User-Id. Unless that would already be the case for the claim added to headers.

HTTP headers are case-insensitive, so in your code you could use X-NhoST-AuTh-ElevaTed and it should work just fine.
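The two rules from the PR description (an elevate request must present a valid access token for the same email, and the returned session carries the x-nhost-auth-elevated claim) together with the two points from this review thread (the claim holds the user id so Hasura-style permissions can match it, and header names are case-insensitive), as an added TypeScript example. This is not hasura-auth's code: the HMAC-signed token is a stand-in for the service's JWT, and the function names, secret and sample user are constructed for the example.

```typescript
// Added example, not hasura-auth's own code. Models the elevate rules from the PR
// description and the review thread's points. Token format, names and secret are
// assumptions; the WebAuthn assertion check itself is assumed done by the caller.
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed demo secret; a real service loads this from configuration.
const SIGNING_SECRET = "constructed-demo-secret";

interface SessionClaims {
  sub: string;                       // user id
  email: string;
  exp: number;                       // unix seconds
  "x-nhost-auth-elevated"?: string;  // user id, present only on elevated sessions
}

function nowSeconds(): number {
  return Math.floor(Date.now() / 1000);
}

// Minimal HMAC-signed token "base64url(json).base64url(mac)", a stand-in for the
// JWT the real service issues; only the claim handling matters for this example.
function sign(claims: SessionClaims): string {
  const body = Buffer.from(JSON.stringify(claims)).toString("base64url");
  const mac = createHmac("sha256", SIGNING_SECRET).update(body).digest("base64url");
  return `${body}.${mac}`;
}

function verify(token: string): SessionClaims | null {
  const [body, mac] = token.split(".");
  if (!body || !mac) return null;
  const expected = createHmac("sha256", SIGNING_SECRET).update(body).digest();
  const given = Buffer.from(mac, "base64url");
  // Constant-time compare; the length check comes first because timingSafeEqual
  // throws on buffers of different length.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  try {
    const claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8")) as SessionClaims;
    if (typeof claims.exp !== "number" || claims.exp <= nowSeconds()) return null;
    return claims;
  } catch {
    return null;
  }
}

// Case-insensitive header lookup: X-NhoST-AuTh-ElevaTed and x-nhost-auth-elevated
// name the same header, as the reply notes.
function getHeader(headers: Record<string, string>, name: string): string | undefined {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Difference 1 from /signin: /elevate/webauthn only proceeds when the Authorization
// header carries a valid access token whose email matches the email in the request.
function authorizeElevateRequest(headers: Record<string, string>, requestEmail: string): SessionClaims {
  const auth = getHeader(headers, "authorization") ?? "";
  const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
  const claims = verify(token);
  if (claims === null) throw new Error("missing or invalid access token");
  if (claims.email.toLowerCase() !== requestEmail.toLowerCase()) {
    throw new Error("access token does not belong to the email being elevated");
  }
  return claims;
}

// Difference 2: once /elevate/webauthn/verify accepts the WebAuthn assertion, the new
// session carries the elevated claim set to the user id (the reviewer's suggestion)
// rather than a bare true, so a permission rule can compare it to a row owner.
function issueElevatedSession(claims: SessionClaims, ttlSeconds = 15 * 60): string {
  return sign({ ...claims, exp: nowSeconds() + ttlSeconds, "x-nhost-auth-elevated": claims.sub });
}

// Row-level rule in the spirit of the PR description: role user may select its own
// row; update/delete additionally require the elevated claim to equal the row owner.
type Action = "select" | "update" | "delete";
function canAccess(action: Action, row: { user_id: string }, session: SessionClaims): boolean {
  if (session.sub !== row.user_id) return false;
  if (action === "select") return true;
  return session["x-nhost-auth-elevated"] === row.user_id;
}

// Runs the whole flow on constructed data and reports each decision.
function demo(): Record<string, boolean> {
  const access = sign({ sub: "user-1", email: "alice@example.com", exp: nowSeconds() + 3600 });
  const claims = authorizeElevateRequest({ AuThOrIzAtIoN: `Bearer ${access}` }, "alice@example.com");
  const elevated = verify(issueElevatedSession(claims));
  const row = { user_id: "user-1" };
  return {
    selectWithPlainSession: canAccess("select", row, claims),
    updateWithPlainSession: canAccess("update", row, claims),
    updateWithElevatedSession: elevated !== null && canAccess("update", row, elevated),
  };
}

console.log(demo());
```

The elevated session is deliberately short-lived (15 minutes in the example) so that the extra step protects the sensitive operation rather than becoming a permanent upgrade of the ordinary session.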

@onehassan onehassan marked this pull request as ready for review February 2, 2024 18:17
@onehassan onehassan self-assigned this Feb 2, 2024
@dbarrosop dbarrosop merged commit 93abd35 into main Feb 2, 2024
4 checks passed
@dbarrosop dbarrosop deleted the elevate branch February 2, 2024 18:44