Elevated Permissions
19 February 2024
Sometimes we want to add an extra layer of security for specific bits of data or certain user workflows like changing a user email or resetting a password.
Elevated Permissions is a new feature from Nhost Auth that allows developers to require an extra validation step using a Security Key.
How does it work?
A new claim x-hasura-auth-elevated: $user-id is added to the access token of an already logged-in user once the extra security challenge is passed, and it stays available for as long as the access token is valid.
GraphQL API
x-hasura-auth-elevated can be used as a Permission Variable to define permissions on your GraphQL data and actions that require the extra security check, in the same way as we would use x-hasura-user-id.
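As an added illustration (not code from Nhost or this post), the following JavaScript decodes the Hasura claims of an access token, checks for the elevated claim, and models how a row filter on X-Hasura-Auth-Elevated hides rows from a token that has not passed the challenge. It assumes the standard https://hasura.io/jwt/claims namespace and uses constructed, unsigned sample tokens.

```javascript
// Added example, not Nhost's own code: read the Hasura claims out of an
// access token, decide whether it is elevated, and model how a row filter
// written against X-Hasura-Auth-Elevated behaves. Assumptions: the claims
// live under the "https://hasura.io/jwt/claims" namespace (standard Hasura
// layout) and the sample tokens below are constructed, unsigned payloads.
const HASURA_NS = 'https://hasura.io/jwt/claims';

// Decode the payload only; this does not verify the signature, so use it for
// UI decisions (e.g. whether to prompt for the security key), not for
// authorization, which stays with Hasura permissions and the Auth service.
function hasuraClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  return payload[HASURA_NS] || {};
}

// Elevated only when the claim is present and names the token's own user.
function isElevated(claims) {
  const uid = claims['x-hasura-user-id'];
  return typeof uid === 'string' && claims['x-hasura-auth-elevated'] === uid;
}

// Minimal model of a Hasura row filter {column: {_eq: "X-Hasura-Var"}}.
// A session variable that is referenced but absent from the token makes the
// row invisible, which is what turns the elevated claim into a gate.
function rowVisible(filter, row, claims) {
  return Object.entries(filter).every(([col, { _eq }]) => {
    const value = claims[_eq.toLowerCase()];
    return value !== undefined && row[col] === value;
  });
}

function encodePayload(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Constructed sample tokens: header and signature are placeholder strings.
const userId = '8b5a3a1e-0000-4000-8000-000000000001';
const normalToken = 'h.' + encodePayload({ [HASURA_NS]: { 'x-hasura-user-id': userId } }) + '.s';
const elevatedToken = 'h.' + encodePayload({
  [HASURA_NS]: { 'x-hasura-user-id': userId, 'x-hasura-auth-elevated': userId },
}) + '.s';

// Select permission on a table holding sensitive per-user data.
const secretsRowFilter = { user_id: { _eq: 'X-Hasura-Auth-Elevated' } };
const secretsRow = { user_id: userId, value: 'constructed-secret' };

console.log('normal token can read secrets:', rowVisible(secretsRowFilter, secretsRow, hasuraClaims(normalToken)));
console.log('elevated token can read secrets:', rowVisible(secretsRowFilter, secretsRow, hasuraClaims(elevatedToken)));
```

The same filter written against X-Hasura-User-Id would let both tokens read the row; only the elevated variant requires the security-key step.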
Auth API
Some user information is changed through Auth's API rather than through GraphQL:
- changing passwords
- changing emails
- enabling or disabling MFA
- adding security keys
- creating PATs
You can add the extra check for these Auth endpoints and require the elevated claim by setting the following configuration:
[auth.elevatedPrivileges]
mode = 'required'
For more detailed information on Elevated Permissions you can read the documentation or check one of our examples.