remote-graphql with a custom authorizer (hasura can't grab metadata) #8964
Hi, my remote-schema is an AWS lambda graphql and I just added a custom authorizer. I'm seeing this issue when I go to the admin dashboard on Hasura: Everything works fine when I log in to my application and hit the remote-schema from there. The problem is that when Hasura wants to get to the metadata of the remote-schema api, it doesn't have the JWT token...
Replies: 1 comment
Hey @RoniFinTech2

Problem

This remote schema doesn't get exposed over API explorer in Hasura console because of a missing token/secret for the custom authorizer. Which is totally fair, as you would not like to pass or hard-code them via additional headers in the remote schema configuration.

GitHub Issue and Drawbacks

We have been tracking this as a feature request here - #4890 for a long time.
This GH issue has been open because of a couple of potential drawbacks:

Even if you add an Authorization header in the remote schema additional headers, requests coming from the client will be overridden with this Authorization header. Hence, this would prove fatal.

Also, this raises a security concern, as any other clients can easily access the remote schema API too.

Stop gap solution:

If you add an additional header, that header is also forwarded when the introspection query is issued by Hasura. You can use some custom header (other than your Auth header) to configure a secret and validate that secret from your authorizer.
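One way the authorizer side of the stop-gap above could look, as an added example that is not part of the original reply or of Hasura's code. It assumes an API Gateway HTTP API Lambda authorizer using the simple response format and HS256-signed tokens; the header name `x-remote-schema-secret` and both environment variable names are hypothetical.

```python
import base64, hashlib, hmac, json, os, time

# Assumptions (not from the thread): the custom header name, the env var names,
# HS256 tokens, and the HTTP API "simple response" authorizer format.
SECRET_HEADER = "x-remote-schema-secret"  # hypothetical additional header set in Hasura

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def verify_hs256(token, key):
    """Return the claims of a correctly signed, unexpired HS256 JWT, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # refuse "none" and any algorithm we did not choose
        signed = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        exp = claims.get("exp")
    except (ValueError, AttributeError):
        return None  # malformed token: wrong segment count, bad base64, bad JSON
    return claims if isinstance(exp, (int, float)) and exp > time.time() else None

def handler(event, context=None):
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    auth = headers.get("authorization", "")
    if auth:
        # A client token is always judged on its own merits; the shared
        # secret never rescues a request that carries a bad token.
        token = auth.split(" ", 1)[-1]
        claims = verify_hs256(token, os.environ["JWT_KEY"].encode())
        if claims is None:
            return {"isAuthorized": False}
        return {"isAuthorized": True,
                "context": {"caller": "user", "sub": str(claims.get("sub", ""))}}
    shared = os.environ.get("HASURA_SHARED_SECRET", "")
    presented = headers.get(SECRET_HEADER, "")
    # Constant-time comparison; an unset secret disables this path entirely.
    if shared and hmac.compare_digest(presented.encode(), shared.encode()):
        # No user identity on this path, so resolvers can tell it apart.
        return {"isAuthorized": True, "context": {"caller": "hasura-introspection"}}
    return {"isAuthorized": False}
```

The `caller` value passed in the authorizer context lets the GraphQL handler distinguish secret-only requests, which carry no user identity, from requests made with a user's JWT.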