Get the authenticated user in a Serverless Function

[elitan]

When the user is signed-in and you make a function call the access token is automatically attached as a header.

// example call from browser
// if the user is signed-in, this request will automatically add the user's access token as a header
await nhost.functions.call('/some-function', { name: 'my name'});

You can use this header to get user information (like the user's id).

Here is a helper function getUser() that verifies the access token and returns information about the user.

export const getUser = (req: Request): User => {
  const auth = req.headers['authorization'];

  let token;
  try {
    token = auth.split(' ')[1];
  } catch (error) {
    return null;
  }

  const jwtSecret = JSON.parse(process.env.NHOST_JWT_SECRET);

  var decoded = jwt.verify(token, jwtSecret.key)[
    'https://hasura.io/jwt/claims'
  ] as UserHasuraClaims;

  const user = {
    id: decoded['x-hasura-user-id'],
    defaultRole: decoded['x-hasura-default-role'],
    allowedRoles: decoded['x-hasura-allowed-roles'],
  };

  return user;
};

And use getUser() like this:

import { Request, Response } from 'express';

import { gqlSDK } from './utils/gql-sdk';
import { getUser, stripe } from './utils/utils';

const handler = async (req: Request, res: Response) => {

  // enable CORS
  res.setHeader('Access-Control-Allow-Credentials', 'true');
  res.setHeader('Access-Control-Allow-Origin', '*');
  res.setHeader('Access-Control-Allow-Headers', '*');
  res.setHeader('Access-Control-Allow-Methods', '*');

  // enable CORS and send back empty data on OPTIONS request
  if (req.method === 'OPTIONS') {
    console.log('request is OPTIONS, allow all');
    return res.status(204).send();
  }

  // get user information
  const user = getUser(req);

  // rest of your code
};

export default handler;

You can trust this information to be correct since we've verified the access token with the NHOST_JWT_SECRET.

[wollerman]

If we want to call the function by adding a Hasura action so that everything flows through the graph, is there a way to receive the same user authorization header automatically?

From what I've tried, using a Hasura action to call a function acts as an unauthenticated call. The database event trigger documentation specifies that the NHOST_WEBHOOK_SECRET env var is available and hasura will send session variables, but those don't give us a logged in user to follow.

It would be great to just have the authorization header, but it seems like an action handler doesn't have access to this.

[dionjwa]

Yes, it would be great to whitelist function permissions via hasura roles.

[dbarrosop]

is there a way to receive the same user authorization header automatically?

Did you enable Forward client headers to webhook? That should send the Auhtorization header so decoding it would give you all the user information you need.

Yes, it would be great to whitelist function permissions via hasura roles

Could you elaborate? This doesn't sound like the same issue @wollerman raised as that was about acting on behalf of the user (which actions should support). If you want to have different permissions for different lambda functions (i.e. by giving them different identities) this is something that should be possible soon thanks to this: nhost/hasura-auth#365

[wollerman]

@dbarrosop I thought I had, but after enabling and testing again I see the authorization header as described. Thanks for the pointer! This works for me 🎉