
Last active 4 months ago

3 replies

13 views

  • SH

    I'm looking for suggestions to implement a share-link auth pattern with Nhost Storage/Auth. I need to be able to grant access to data and files to unauthenticated users but *only* if they have a share link (I think this is a pretty common access control pattern).

    So if I have link ID 12345, I should be able to access certain tables and files as an unauthenticated user. Previously, I was using a custom header sent with the `public` role, e.g. `X-Hasura-Link-Id`, and limiting access using Hasura permissions, since Hasura does support arbitrary custom headers as long as a JWT is not being sent at the same time.

  • SH

    This continues to work with Nhost for `/graphql` queries, but it doesn't quite work with Nhost Storage. I would need to be able to send my custom headers to the Nhost Storage API, which doesn't currently support custom headers (the allowed headers are hard-coded, so there are CORS issues in the browser). Even if/when Nhost Storage did support custom headers, though, I would end up having to send my `X-Hasura-Link-Id` with every single request to `getPublicUrl` in order for the storage API to do its file permission check (because there is a single `storage.files` table, so including a custom variable in the Hasura permissions on the `public` role would then require the `X-Hasura-Link-Id` to be sent always, even if the variable is only used in a few clauses of the permissions). This is pretty impractical, especially because the public URL is often used directly as a `src` element in the browser and there is no way to send headers.

    Are there any workarounds for this? The only other thing I can think of is trying to create a JWT and send explicit custom claims for `X-Hasura-Link-Id`, setting that JWT each time, but it looks like Nhost enforces that any custom claims have to originate specifically from the user object, and besides, these are not actually users that I want to create and save in my DB. These are unauthenticated visitors that I want to be able to have access to limited data based on a link ID.

    Any thoughts on how I could implement this within Nhost would be really appreciated!
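To make the access-control pattern in the post above concrete, here is an added example (not code from the post, Nhost or Hasura) that models how a Hasura-style select permission on the `public` role resolves the `X-Hasura-Link-Id` session variable taken from request headers. The table name `shared_documents`, its columns and the sample rows are constructed for illustration; the model follows the behaviour the post describes: custom `X-Hasura-*` headers count only when no JWT is sent, and a permission that references a session variable fails when that variable is missing (the problem the post raises for the single `storage.files` table).

```javascript
// Hasura-metadata-style select permission for the public role
// (table and column names are assumptions for this example).
const publicSelectPermission = {
  role: "public",
  table: "shared_documents",
  filter: { link_id: { _eq: "X-Hasura-Link-Id" } },
  columns: ["id", "link_id", "title"],
};

// Derive session variables from request headers. As the post describes,
// custom X-Hasura-* headers are honoured only when no JWT (Authorization
// header) is sent; with a JWT, the token's claims decide the role instead.
function sessionVariablesFromHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  if ("authorization" in lower) {
    // JWT present: modelled as an authenticated role with no custom
    // header-derived variables, so the public permission does not apply.
    return { "x-hasura-role": "user" };
  }
  const vars = { "x-hasura-role": "public" };
  for (const [k, v] of Object.entries(lower)) {
    if (k.startsWith("x-hasura-") && k !== "x-hasura-role") vars[k] = v;
  }
  return vars;
}

// Evaluate a {column: {_eq: value}} filter. A value starting with
// "X-Hasura-" refers to a session variable; a missing one is an error
// rather than "no rows", which is why the post says the header would have
// to be sent on every request once the permission references it.
function rowMatches(row, filter, sessionVars) {
  for (const [column, cond] of Object.entries(filter)) {
    let expected = cond._eq;
    if (typeof expected === "string" && expected.toLowerCase().startsWith("x-hasura-")) {
      const key = expected.toLowerCase();
      if (!(key in sessionVars)) throw new Error(`missing session variable: "${key}"`);
      expected = sessionVars[key];
    }
    if (String(row[column]) !== String(expected)) return false;
  }
  return true;
}

// Apply the public permission: row filter plus column allow-list.
function selectAsPublic(rows, headers, permission = publicSelectPermission) {
  const vars = sessionVariablesFromHeaders(headers);
  if (vars["x-hasura-role"] !== permission.role) return [];
  return rows
    .filter((r) => rowMatches(r, permission.filter, vars))
    .map((r) => Object.fromEntries(permission.columns.map((c) => [c, r[c]])));
}

// Constructed sample rows; owner_id is deliberately outside the allow-list.
const sampleRows = [
  { id: 1, link_id: "12345", title: "Quarterly report", owner_id: "u1" },
  { id: 2, link_id: "99999", title: "Private notes", owner_id: "u2" },
  { id: 3, link_id: "12345", title: "Appendix", owner_id: "u1" },
];

// Visitor holding link 12345 sees only the two rows for that link.
console.log(selectAsPublic(sampleRows, { "X-Hasura-Link-Id": "12345" }));
```

Running it shows the two rows for link `12345` without the `owner_id` column, while a request with no `X-Hasura-Link-Id` header fails with a missing-session-variable error and a request carrying an `Authorization` header is not evaluated under the public permission at all. The same evaluation is what a permission on `storage.files` would go through, which is why a `<img src>` fetch of a public URL, which cannot carry the header, cannot satisfy it.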

  • DA

    If I am not mistaken this has been discussed here: https://discord.com/channels/552499021260914688/1040392743299588156/1040918625286107177

    otherwise let us know
