We'll create a helper function that sends GraphQL requests to Hasura from our serverless functions using node-fetch, passing the X-Hasura-Admin-Secret header on each request.

Hasura is configured with an admin secret that we set in the previous lesson. When making an API request, the client passes that secret in the X-Hasura-Admin-Secret header; Hasura validates it and grants access to all resources.

The secret is called the admin secret because requests made with it run as the admin role, i.e. the caller has permission to create, update, delete and view any data in the database. That is also why the header must only be set from server-side code such as a serverless function, never from code shipped to a browser.
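As an added example (not code from the lesson itself), here is one way to write that helper, together with a serverless handler that uses it. The environment variable names HASURA_GRAPHQL_ENDPOINT and HASURA_ADMIN_SECRET, the `messages` table and the `insert_messages_one` mutation are assumptions for illustration. The helper uses the global fetch available in Node 18+; `fetchImpl` can be set to node-fetch on older runtimes, or to a stub in tests.

```javascript
// Added example: server-side helper for calling Hasura as the admin role.
// Assumed names (not from the lesson): HASURA_GRAPHQL_ENDPOINT and
// HASURA_ADMIN_SECRET environment variables, a `messages` table and the
// `insert_messages_one` mutation Hasura would generate for it.

function requireEnv(name, env = process.env) {
  const value = env[name];
  if (!value) {
    // Fail loudly at startup instead of sending a request without the
    // secret, which Hasura would reject with a less obvious error.
    throw new Error(`Missing required environment variable ${name}`);
  }
  return value;
}

// Sends one GraphQL operation to Hasura with the admin secret attached.
// `fetchImpl` defaults to the global fetch (Node 18+); pass node-fetch on
// older runtimes, or a stub in tests.
async function hasuraRequest(query, variables = {}, options = {}) {
  const {
    endpoint = requireEnv('HASURA_GRAPHQL_ENDPOINT'),
    adminSecret = requireEnv('HASURA_ADMIN_SECRET'),
    fetchImpl = globalThis.fetch,
  } = options;

  const response = await fetchImpl(endpoint, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      // This header makes Hasura run the request as the admin role (full
      // read/write on every table). It must only ever be set server-side.
      'X-Hasura-Admin-Secret': adminSecret,
    },
    body: JSON.stringify({ query, variables }),
  });

  if (!response.ok) {
    throw new Error(`Hasura responded with HTTP ${response.status}`);
  }

  const payload = await response.json();
  // GraphQL-level failures (bad query, permission denied) come back with
  // HTTP 200, so the `errors` array has to be checked explicitly.
  if (payload.errors && payload.errors.length > 0) {
    const messages = payload.errors.map((e) => e.message).join('; ');
    throw new Error(`GraphQL error: ${messages}`);
  }
  return payload.data;
}

// The handler runs ONE fixed, server-defined mutation. The client supplies
// only the variables, never the query text: forwarding arbitrary client
// queries with the admin secret attached would hand admin rights to every
// visitor and defeat the point of moving the call server-side.
const INSERT_MESSAGE = `
  mutation InsertMessage($text: String!) {
    insert_messages_one(object: { text: $text }) { id }
  }
`;

async function handleInsertMessage(event, options = {}) {
  let body;
  try {
    body = JSON.parse(event.body || '{}');
  } catch {
    return { statusCode: 400, body: JSON.stringify({ error: 'invalid JSON' }) };
  }
  // Validate the only client-controlled input before it reaches the database.
  if (typeof body.text !== 'string' || body.text.length === 0 || body.text.length > 500) {
    return { statusCode: 400, body: JSON.stringify({ error: 'text must be 1-500 characters' }) };
  }
  try {
    const data = await hasuraRequest(INSERT_MESSAGE, { text: body.text }, options);
    return { statusCode: 200, body: JSON.stringify(data.insert_messages_one) };
  } catch (err) {
    // Log the upstream error server-side; do not echo Hasura's message to the
    // client, since it can reveal schema details.
    console.error(err);
    return { statusCode: 502, body: JSON.stringify({ error: 'upstream request failed' }) };
  }
}
```

In a real deployment `handleInsertMessage` would be exported as the function's entry point (for example `exports.handler`) and the two environment variables set in the hosting platform's secret store, so the secret never appears in the repository or the client bundle.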
Hi, thanks for your course.
I have one question: is it normal to call Hasura through serverless functions? I mean, why not just let the frontend call Hasura directly?
@Ron Because we need to send the X-Hasura-Admin-Secret header, we can't put it directly in the client-side code or someone could find the key in the source code. Serverless functions let us keep secret keys private because the source can't be accessed.
@jason Thanks for your reply. It makes sense that we should hide the Admin-Secret.
But by doing that, can we still use the Subscriptions provided by Hasura, which are the major point of the 3Factor practice?
Also, can we still expose GraphQL to the frontend by relying on the Authentication/Authorisation Hasura provides?
Thank you, Ron
@Ron For subscriptions and read-only access, I set up permissions so that someone unauthenticated can read certain data, but not change anything.
Those requests can be made without the admin secret, so it's safe to send them from the client side (for subscriptions, using something like Apollo or urql).
Here's an example of how I set up a subscription with Hasura and urql for my livestream: https://github.com/socket-studio/preact/blob/main/src/hooks.js. No admin secret is required because permissions for that API are read-only.
I hope that helps!