Can I specify credentials for an http.post function in Google Cloud Workflows? - google-workflows

I am using Google Cloud Workflows to call a BigQuery stored procedure and am using the http.post function in order to do so by calling the bigquery API:
- postCallMyStoredProc:
    call: http.post
    args:
      url: https://bigquery.googleapis.com/bigquery/v2/projects/myproject/jobs
      body: {
        "configuration": {
          "query": {
            "query": "call mydataset.my-stored-procedure()",
            "useLegacySql": false
          }
        }
      }
      auth:
        type: OAuth2
I am interested to know what information can be supplied for the auth argument; the documentation at https://cloud.google.com/workflows/docs/reference/stdlib/http/post is rather lacking in this regard. All it states is:
auth : Optional authentication properties. If present, must be a dictionary, with type attribute in ["OIDC", "OAuth2"].
It doesn't tell me in what circumstance each of those options (OIDC or OAuth2) should be used.
My reason for asking is that the stored procedure is getting executed as the service account that my workflow is running as - which makes complete sense of course. I would like to know if there is a way to specify a different service account for my postCallMyStoredProc step using the auth argument?

Upon reading https://cloud.google.com/workflows/docs/authentication#making_authenticated_requests it seems that the answer to my question is “no”.

Related

Authorize based on field value in another document in AppSync GraphQL custom authentication via Lambda Resolver

I am new to Amplify Datastore & AppSync w/ GraphQL, but in Firestore, you can write an auth rule like: allow delete: if request.auth != null && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.admin == true [https://firebase.google.com/docs/firestore/security/rules-conditions#access_other_documents] -> which would grab the document at /users/{id}/ and I can access the admin field to write a security rule logic.
How do you do the same in a Lambda function resolver?
I am aware that the solution may involve a Lambda resolver (https://stackoverflow.com/a/68581796/9824103) but I cannot find any reference to reading a specific document and doing logic to authorize or deny an operation based on a field value in a document. I am only asking how to do this specific thing. Thank you!
I followed https://docs.amplify.aws/cli/graphql/authorization-rules/#custom-authorization-rule to create a custom authorization rule by adding the @rule directive: type MyModel @model @auth(rules: [{ allow: custom }]) and, although the lambda function isn't really getting called when I try to write a listMyModel or createMyModel (any hints as to why would be great), I am focused on writing the lambda function to read/query a document and check a certain field to meet my custom auth condition.
fyi, I am using Flutter based amplify-cli.

How to handle redirect from supabase password recovery?

I can't figure out how I can create a custom supabase url to recover the password:
current url in the mail:
https://url.supabase.co/auth/v1/verify?token=XYZ&type=recovery&redirect_to=https://example.vercel.app/
expected url:
https://url.supabase.co/auth/v1/verify?token=XYZ&type=recovery&redirect_to=https://example.vercel.app/recover
approaches:
Use supabase config
I just tried out to add the https:example.../recover url inside the Additional redirect URLs-Settings.
Seems that redirectTo works only for auth.signIn()
Got an error if I pass it to the auth.api.resetPasswordForEmail(), like: `await supabase.auth.api.resetPasswordForEmail({ email }, { redirectTo: 'http://localhost:3000/recover' })`
error:
Could not read verification params: json: cannot unmarshal object into Go struct field RecoverParams.email of type string
use onAuthStateChange
I can see the current user state after clicking the reset password link in the email
But I can't redirect the user. The event logs a SIGNED_IN and then a PASSWORD_RECOVERY event, like discussed in this thread
use a middleware
I am trying to use a middleware to redirect the user based on the full path of the url, but my url ends with https://example.vercel.app/ and so I got no indication of the recovery type
What would you suggest?
I am using Nuxt 3, Vercel and Supabase
Thanks for the question. Based on the documentation you should be able to use the redirectTo flag with resetPasswordForEmail as well.
Based on the docs you might want to try doing
supabase.auth.api.resetPasswordForEmail('myspecialemail@supabase.com', { redirectTo: 'https://myspecialwebsite/redirect' })
rather than
supabase.auth.api.resetPasswordForEmail({ email }, { redirectTo: 'http://localhost:3000/recover' })
The key difference here is that email is passed in as a string param rather than an object -- it might be clearer if you refer directly to the source
I'm not sure of the exact use case but you can also take a look at generating a custom link via the admin endpoint
Hope this helps in some way

How to run a query with Apollo GraphQL?

I am trying to figure out how to write a query in Apollo GraphQL.
I have a schema and have run the application in development mode. I have authenticated through the front end.
I expect that I should be able to follow this documentation and query the user.
I can see from the studio, that the Me query should be capable of checking for my first name (which I can see is recorded in the database), but when I press run in Apollo Studio, I get a null response to the query.
Is there an assumed step to get this working that needs to be taken before queries can be run? It gets worse when I try to do a query on the users table generally. That returns a not authenticated error (I have authenticated in the local environment in the dev app).
I'm struggling to connect the dots between the documentation that shows how this is expected to run queries and the starting point. I suspect that these documents have been prepared with the expectation that users know something fundamental about how to engage with them. I'm looking for disclosure as to what those assumptions might be. I can see from this question that there is a need for an authorisation header, (although my error is to do with authentication rather than authorisation). However, in my studio, the headers tab is empty. How do I populate it and what do I use to populate it?
I can see from the Apollo dev tool that it is trying to use a logged in query. I don't understand what drives this query in the Apollo Studio. Inside the localhost web app (which is running), I am logged in. When I try and run that query in the dev tools, the isLoggedIn (name of the query) is underlined, with an error explanation appearing that says:
Cannot query field "isLoggedIn" on type "Query".
The response shows:
{
"data": {}
}
I am lost for a starting point to find something to try and solve.
I think, based on a comment in this Odyssey tutorial, that the sandbox does not know how to connect to my psql data (not sure about this, but how could it know what queries I have, and not know which data has been stored in the attributes on the schema?). My env variables include my psql attributes and my prisma migrate is up to date. How can I let the sandbox know where the data is stored?
I am trying to learn using this boilerplate repo.
For my next attempt, I tried using the login mutation to generate a token, that I could try adding to the header. I don't know if it needs to be added under the name 'authorization' or 'token', so I made headers with both attribute names and added the same token to each of them.
I tried running the me and user query again, and get a mouthful of gibberish in the response.
The link in the response text goes to a page that has the following error message:
> <Error> <Code>NoSuchKey</Code> <Message>The specified key does not
> exist.</Message> </Error>
When I try going through the process of adding an APOLLO_KEY to my env variables and starting the server, I get an error that says "Unable to reach server". When I run the diagnose script on that error, I get:
Could not find any problems with the endpoint. Would you please to let
us know about this at explorer-feedback@apollographql.com 🙏
I created a new api key and tried again and am able to connect. I am able to run a login mutation and can return my first name inside that mutation, but I cannot do it from the me or user query - those queries still return the unauthenticated error response.
I have tried adding the authorization token to the header field both with and without "", and I have tried labelling that attribute as each of authorization, Authorization, token and then each of those inside "". None of them seems to make any difference to whether I can run a query. How can I find the name of the header token that Apollo Studio Explorer will accept?
I also tried the syntax suggested in this post, which is key Authorization and value "Bearer token" (there are double quotation marks around that string and a space between the word Bearer (capitalised) and the token string). There are no curly braces. That doesn't work either.
I have also tried expressing it as shown in this page of the Apollo documentation, which I think means that the key of the header value should be Authorization and the value should be the word Bearer, immediately followed by the token string generated in the output of the Login migration, inside {{ }}. When I try this, I get the same response as each of the other attempts described above.
There is a difference in the responses though, I get an unauthenticated response on the user query, and a null response on the me query.
One final strange observation: the studio returns the above error and null responses, but if I use the apollo client dev tools in the browser console, I can run the same Me query and get the result.
The user query still returns an unauthenticated error when I run it in the dev tools.
I'd also note that I can ask for the firstName attribute, inside the Login mutation, and receive them back in that response. However, I can't access them inside a Me query itself.
The next thing I investigated was how the resolver was managing the data. The boilerplate includes a resolver with:
import { AuthenticationError } from "apollo-server-express"
import { createMethodDecorator } from "type-graphql"
import { ResolverContext } from "../resolverContext"

export function UseAuth(roles?: string[]): any {
  return createMethodDecorator<ResolverContext>(async ({ context: { req } }, next) => {
    const argRoles = roles || []
    if (req?.currentUser) {
      if (argRoles.length === 0) return next()
      if (argRoles.includes(req.currentUser.role)) return next()
      throw new AuthenticationError("Not authorized")
    } else {
      throw new AuthenticationError("Not authenticated")
    }
  })
}
I wondered if maybe the role wasn't being considered. But I can see that it is inside the login mutation, but is not in a query.
Is there a 'for dummies' guide to getting started with apollo graphql?
I hope this spares someone some angst.
The format that works in Apollo Studio Explorer is
Key: Authorization
Value: Bearer[space][token]
There are no curly braces and no quotation marks in any of this. See this post for more discussion about this.
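As an added illustration (not code from the boilerplate repo in the question), the strict "Authorization: Bearer <token>" parsing a server's context function typically does before setting req.currentUser, plus the same decision logic as the UseAuth decorator above as a plain function. SESSIONS, the AuthenticationError class and the token value are constructed stand-ins for the real server's; the header variants are the ones the question tried.

```javascript
// Constructed stand-in for the server's session/token store.
const SESSIONS = new Map([["tok123", { id: "u1", role: "admin" }]]);

class AuthenticationError extends Error {}

// Returns the raw token from exactly "Bearer <token>", or null for anything else.
// Node lowercases incoming header names, so the lookup key is "authorization".
function parseBearer(headerValue) {
  if (typeof headerValue !== "string") return null;
  const m = /^Bearer ([A-Za-z0-9._~+/=-]+)$/.exec(headerValue);
  return m ? m[1] : null;
}

// Mirrors an Apollo context function: resolve the token to a user, or leave
// currentUser null and let the resolver-level guard report "Not authenticated".
function buildContext(headers) {
  const token = parseBearer(headers.authorization);
  const currentUser = token ? SESSIONS.get(token) ?? null : null;
  return { req: { currentUser } };
}

// Same checks as the UseAuth decorator in the question, without the decorator plumbing.
function requireAuth(ctx, roles = []) {
  const user = ctx.req && ctx.req.currentUser;
  if (!user) throw new AuthenticationError("Not authenticated");
  if (roles.length > 0 && !roles.includes(user.role)) {
    throw new AuthenticationError("Not authorized");
  }
  return user;
}

// The header forms tried in the question, and whether each yields a logged-in user.
function headerOutcomes() {
  const variants = {
    bare: { authorization: "Bearer tok123" },      // Bearer[space][token]
    quoted: { authorization: '"Bearer tok123"' },  // value wrapped in quotes
    braces: { authorization: "Bearer {{tok123}}" }, // token wrapped in {{ }}
    tokenKey: { token: "tok123" },                 // wrong header name
  };
  const out = {};
  for (const [name, headers] of Object.entries(variants)) {
    out[name] = buildContext(headers).req.currentUser !== null;
  }
  return out;
}
```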

Microsoft Graph API - 'AuthenticationError ' (HTTP 400) on calls for GET /users/<user_id>/mailFolders/inbox/messageRules

We're running into an error with a specific Graph API endpoint, so any help or advice here is appreciated!
Problem:
We're seeing unexpected HTTP 400 errors on calls to fetch specific users' inbox rules, with code AuthenticationError.
Request:
https://graph.microsoft.com/v1.0/users/<USER_ID>/mailFolders/inbox/messageRules
Response:
{
  "error": {
    "code": "AuthenticationError",
    "message": "Error authenticating with resource",
    "innerError": {
      "request-id": "44bbcef3-b8cd-4da0-978e-99955e55f3a7",
      "date": "2020-05-19T14:55:52"
    }
  }
}
Note that we're only calling this method for non-external users where userType is member and onPremisesSyncEnabled is null. We're also supplying each user's ID as a parameter, rather than their user principal name.
Also - this example was pulled from our application, which is able to make calls to other Graph API endpoints without issue, including calls to fetch Users, Groups, Domains/Organizations, etc. This method does work for most of our clients but is failing in a few particular cases.
Here is a list of application scopes granted for the client:
AccessReview.Read.All
AuditLog.Read.All
Contacts.Read
Directory.Read.All
EduAdministration.Read.All
Group.Read.All
IdentityRiskEvent.Read.All
IdentityRiskyUser.Read.All
MailboxSettings.Read
Member.Read.Hidden
ProgramControl.Read.All
Reports.Read.All
SecurityEvents.Read.All
Sites.Read.All
User.Read.All
If there's any additional information we can provide to make this easier to troubleshoot, just let me know.
Thanks!

Verify graphql query

I'm building a simple platform using graphql as an api gateway and a frontend that sends some queries to this api. I'm blocked on how I can validate a query before running it, to avoid malicious queries being run. I was thinking of using persistgraphql, but I just noticed that it is now archived, so I'm not sure if it's a good idea to use it. The second problem is that the api and the frontend are in 2 different repos, so I haven't yet found a solution to whitelist the query in the frontend and use this whitelist in the api... what's the best solution to whitelist a query with graphql?
If your concern is limiting access to certain fields based on who is making the request, then you should implement some kind of authorization strategy. You can populate the context with information about the logged in user and then use this information inside your resolvers for the fields you want to protect to determine whether the value of the field should be returned or not.
const resolvers = {
  User: {
    somePrivateField: (user, args, ctx) => {
      // Make sure the request is from a logged in user and the user making the
      // request is the same as the requested user OR the user is an admin
      if (ctx.user && (ctx.user.id === user.id || ctx.user.isAdmin)) {
        return user.somePrivateField
      }
      // throw an error or just return null or undefined to resolve the field to
      // null in the event authorization fails
    }
  }
}
More sophisticated strategies are possible using directives or existing libraries like graphql-shield.
Of course, certain fields that may exist on your database model -- like passwords -- should probably never be exposed in your API in the first place.
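A runnable version of the field-level authorization the answer describes, added here as an example rather than taken from the answer: the owner-or-admin rule from the resolver above is wrapped in a small protect() helper (a hypothetical name, in the spirit of graphql-shield rules), denied fields resolve to null, and the password hash has no resolver at all so it can never be exposed. resolveUser() stands in for a GraphQL executor so the block runs without a server; the user record is constructed sample data.

```javascript
// Rule: the caller must be logged in and be either the requested user or an admin.
function isOwnerOrAdmin(parent, args, ctx) {
  return Boolean(ctx.user) && (ctx.user.id === parent.id || ctx.user.isAdmin === true);
}

// Wrap a field resolver with a rule. On denial the field resolves to null instead of
// throwing, so one protected field does not fail the whole query.
function protect(rule, resolve) {
  return (parent, args, ctx, info) =>
    rule(parent, args, ctx, info) ? resolve(parent, args, ctx, info) : null;
}

const resolvers = {
  User: {
    id: (user) => user.id,
    name: (user) => user.name,
    email: protect(isOwnerOrAdmin, (user) => user.email),
    // Deliberately no resolver for passwordHash: a field that is not in the API
    // cannot leak through any query, regardless of authorization.
  },
};

// Stand-in for the executor: run every User field resolver for a given request context.
function resolveUser(user, ctx) {
  const out = {};
  for (const [field, resolve] of Object.entries(resolvers.User)) {
    out[field] = resolve(user, {}, ctx, undefined);
  }
  return out;
}

// Constructed sample record as it might come from the database model.
const alice = { id: "u1", name: "Alice", email: "alice@example.test", passwordHash: "$2b$..." };
```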
