Async action security

[ste824]

The docs for async actions (https://hasura.io/docs/latest/graphql/core/actions/async-actions/) say that when you create an async action, Hasura will return the id of the action in the response and that you can use this to query or subscribe for the result.

My question is how do I secure these async action queries and subscriptions? Using the place_order example, say users needed the 'order' role to use 'place_order', and both users 'Joe Bloggs' and 'John Doe' had that role. If Joe called place_order and got the id '23b1c256-7aff-4b95-95bd-68220d9f93f2' back, he can happily subscribe to place_order and await a response.

Given John also has the role 'order', how do I stop him randomly trying different IDs in order to snoop on other people's orders? Elsewhere in Hasura I'd configure a row level permission on a table/view to stop John being able to get access to data that doesn't belong to him but I can't see that option for async actions?

Is it a probability based thing? i.e. there's a low chance John would guess a valid ID in the time before the async action logs were cleaned up? Not sure if I will be able to sell that to my information security team :-(

[aaronhayes]

Your action could just return the id of the order. Then use relationships with the order table, which is limited by permissions so random guess hacker won't be able to see order information anyway.

https://hasura.io/docs/latest/graphql/core/actions/action-relationships/