Setup login page for Hasura Selfhosted

[blueoceans2002]

Hi,
I have setup a self hosted Hasura, however the login to console is via admin-secret.'

Is there a way to secure it via a login page?
Also is there a way to add more users to the console or is it a limitation for self hosted edition?

I am new to this and any help is highly appreciated.
Thanks

[adas98012]

@blueoceans2002
I am assuming you are using docker in your local environment. What version of Hasura GraphQL Engine are you using ?

[blueoceans2002]

Hi @adas98012 Yes you are right we are using docker Hasura [v2.16.1]
Thanks

[meetzaveri]

Hey @blueoceans2002

Best practices

We would recommend to disable console in production environment because of the lots of security reasons. We have written a production checklist here which describes best practices for securing your console and APIs. Link - https://hasura.io/docs/latest/deployment/production-checklist/#disable-the-console

TLDR; you disable console by default everytime thereby hiding it from anyone on the internet to access it. If you/devs wanted to use console, then they can install Hasura CLI and by running hasura console they can access the console from CLI. The drawback here with CLI console would be, that it would automatically update your metadata/migrations, if you would perform any metadata or migration change via console.

Practical approach

For securing the console with login page

• You'll need to create a top level security layer upon which user will be granted access from login page for your main app , say your_app.com and they will redirect to your_app.com/login page if not logged in.
• For requests hitting to your_app.com/* main/root page (domain), you'll keep track of user sessions based on their login/logout.
• For console, you'll need to wrap it under a specific route say your_app.com/console and make it a "protected route" ( concept from react-router)
• If a user hits this console endpoint, you will check
• • A. Is user already logged in or not
• • B. If yes, then show console page with admin-secret form for user to enter credentials
• • C. If no, then redirect user to login page.

For adding collaborators

• You'll need to keep track of users who can access /console page. For that, you could have a DB table or field which would track "invited users" and check if incoming user is part of that invited users list. Based on that, grant the user permissions to access console or simply show them that "you are not authorized to access console " (if not invited).
• Similarly, for invitation,
• • add that user to "invited users" list
• • you send invitation email to that user's email

---

I hope this helps!