3.3 Hasura Auth API + Postman collection
Coming towards the end of the third week, we will be looking at sessions, users and roles on Hasura. All of these come under the auth section, whereas 3.2 dealt with the data section. This is the link to 3.1 data modelling.
Hasura Auth provides an HTTP API for authentication and authorization of identities on the Hasura platform. This API can be consumed directly by frontend interfaces like mobile apps, browser-based apps, device apps as well as any server-side program. ~ https://hasura.io/_docs/auth/4.0/
In our app, we will be using our Node.js back-end to call these APIs and expose custom endpoints for the front-end to call. So, to test the auth API, I thought of implementing basic functionality: sign-up (using email verification), sign-in and sign-out. I am using Postman to test the endpoints.
Quick note: auth is a very important concept! HTTP is a stateless protocol, i.e. transaction information between server and client is lost as soon as the transaction ends. To recognise the client, the server uses an auth token, which is added as a cookie (a cookie is something the browser remembers to send with each request). It is also called the session id and is deleted once the user logs out. The session id is a very critical piece of information: if it is exposed, it can lead to session hijacking.
For email verification, we will be using SparkPost, the only email verification service supported by Hasura as of now. This vendor provides us with one lac emails per month for free and is easy to use! More information on using SparkPost can be found on their docs page. I have integrated my domain semicolonlabs.co with SparkPost to send custom verification mails!
Let us see how it works by creating a test user. I will be using my Gmail account for verification.
Referring to the docs, we go to auth.<project>.hasura.me/email/confirm?token=<token>!
We will sign in with the account we just created!
We see that we receive an auth token, which we’ll use for further requests!
To receive information about the user, we make a call to auth.<project>.hasura.me/user/account/info! We have to add the previously obtained auth token as an authorisation bearer token in the header!
Our final API request is a sign-out request. We make a GET request to auth.<project>.hasura.me/user/logout!
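How a Node.js back-end could carry the auth token between the browser cookie and the two calls above is sketched below. This is an added example, not code from the original post or from Hasura: the cookie name, the project name, the https scheme, the helper names and the assumption that the logout call takes the same bearer header are all mine.

```javascript
// Added example. COOKIE_NAME, PROJECT and all helper names are hypothetical.
const COOKIE_NAME = 'auth_token';
const PROJECT = 'myproject';                       // placeholder for <project>
const AUTH_BASE = `https://auth.${PROJECT}.hasura.me`;
// Characters RFC 6265 allows in a cookie value: no spaces, quotes, commas,
// semicolons, backslashes or control characters (so no CR/LF injection).
const TOKEN_RE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]+$/;

// Set-Cookie value for after sign-in. HttpOnly hides the token from page
// scripts, Secure keeps it off plain HTTP, SameSite limits cross-site sends.
function sessionCookie(token, maxAgeSeconds) {
  if (!TOKEN_RE.test(token)) throw new Error('unexpected token format');
  return `${COOKIE_NAME}=${token}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Strict`;
}

// Set-Cookie value that expires the cookie in the browser on sign-out.
function clearedCookie() {
  return `${COOKIE_NAME}=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Strict`;
}

// Pull the token out of an incoming Cookie header; null if absent or malformed.
function tokenFromCookieHeader(header) {
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1 || part.slice(0, eq).trim() !== COOKIE_NAME) continue;
    const value = part.slice(eq + 1).trim();
    return TOKEN_RE.test(value) ? value : null;
  }
  return null;
}

// Describe the upstream call to Hasura Auth. The token travels only in the
// Authorization header, never in the URL, because URLs end up in logs.
function upstreamRequest(path, cookieHeader) {
  const token = tokenFromCookieHeader(cookieHeader);
  if (!token) return null;                         // caller should answer 401
  return { method: 'GET', url: AUTH_BASE + path,
           headers: { Authorization: `Bearer ${token}` } };
}

// Constructed sample Cookie header, as a browser would send it.
const sample = 'theme=dark; auth_token=abc123.DEF-456';
const info = upstreamRequest('/user/account/info', sample);
const logout = upstreamRequest('/user/logout', sample);
console.log(info, logout, clearedCookie());
```

The returned objects can be passed to whatever HTTP client the back-end uses; on sign-out, send the logout request upstream and return clearedCookie() to the browser in the same response.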
Moving to week four, we will finally be starting with our app’s first screen! Stay tuned for updates!
PS: the link to the Postman collection is this.