Hasura_Graphql_Auth_Hook Custom Http Headers from Auth Endpoint are not forwarded to Response via Ngnix

[geeksquad87]

I configured a NodeJs based simple POST Rest API as Authentication Endpoint for Hasura_Graphql_Auth_Hook . In my Auth WebHook endpoint, I am adding a custom header after validating the Authorization header received from original GraphQl Request. (Works fine)
After Authenticating, I am setting a Custom header using (Express).Response.setHeader("MyCustomHeader","MyCustomValue") to the response headers. If I run the POST Authentication Endpoint directly from Postman, I can see the Custom Header in the Response correctly.
However when I run the Hasura Engine GraphQL POST Endpoint configured with POST HTTP Auth Endpoint as Hasura_Graphql_Auth_Hook , the custom header added in the Authentication Endpoint is not received in the final response. I am using Envoy for reverse proxy. I had added logging in Envoy, and I do not see Custom Header in the Envoy Http Filters either.

Any help please ? My end goal is, based on this Custom Header from Auth Web Hook, I want to change the status code in the Final Response using Envoy.

[geeksquad87]

Hasura GraphQl Version 2.7.0

[dsandip]

@geeksquad87 From the docs,

If the Set-Cookie headers are set by the auth webhook, they are forwarded by the GraphQL Engine as response headers for both GET/POST request methods.

This is the exception to the rule that other headers are discarded. I am going to convert this discussion into an issue for our Product team to triage as a feature request. Meanwhile is using the set-cookie header as a workaround going to work for you (Envoy checks if there's a cookie, changes the status code, removes the set-cookie header)?

[geeksquad87]

I opened this issue, but haven't seen any assignee ?
#8803

Are you suggesting to use set a cookie instead of a custom header in the Auth Web-hook ? I will try that and see. Thanks for the response.

[geeksquad87]

I tried using Set-Cookie in Auth Web hook Endpoint, I think this isn't working either.

This is the webhook log I receive in my Envoy from Hasura Engine

{"type":"webhook-log","timestamp":"2022-08-23T20:33:43.478+0000","level":"error","detail":{"response":null,"url":"https:///api/v3/authentication/webhook","method":"POST","http_error":{"type":"http_exception","message":"Internal Exception","request":{"secure":true,"path":"/api/v3/authentication/webhook","responseTimeout":"ResponseTimeoutDefault","queryString":"","method":"POST","requestHeaders":{"Content-Type":"application/json","User-Agent":"hasura-graphql-engine/v2.7.0"},"host":"10.28.126.167","port":9001}},"message":null,"status_code":null}}
{"type":"http-log","timestamp":"2022-08-23T20:33:43.478+0000","level":"error","detail":{"operation":{"error":{"path":"$","error":"webhook authentication request failed","code":"unexpected"},"request_id":"005ca7b4-160e-4473-b968-c827855b90b9","response_size":80,"request_mode":"error"},"request_id":"005ca7b4-160e-4473-b968-c827855b90b9","http_info":{"status":200,"http_version":"HTTP/2.0","url":"/v1/graphql","ip":"172.17.0.1","method":"POST","content_encoding":null}}}

Auth Webhook Code:
res.cookie("cookiename", "cookievalue");

Actual Response from Auth Web hook API returns Set-Cookie, but the headers are not returned in the Hasura Graphql Response intercepted in Reverse Proxy (Envoy)

[geeksquad87]

Is there any alternate approach ?