Send GraphQL Requests to Hasura from Netlify Serverless Functions using node-fetch

Share this video with your friends

Send Tweet

We'll create a helper function to send GraphQL requests to Hasura from our serverless functions using node-fetch and passing the X-Hasura-Admin-Secret in the header of the request.

Hasura is configured with an admin password that we set in the previous lesson. When making an API request the client passes the admin password in the header X-Hasura-Admin-Secret. Then Hasura validates the admin secret and allows access to all resources.

The secret is called admin-secret since the admin ****role is used to execute the request i.e the caller will have permissions to create/update/delete/view any data that is there.

Ron
Ron
~ 3 years ago

Hi, thanks for your course.

I have one question, is it normal call hasura through serverless functions, I mean why not just let frontend call hasura directly?

Jason Lengstorf
Jason Lengstorf(instructor)
~ 3 years ago

@Ron because we need to send the X-Hasura-Admin-Secret header, we can't put it directly in the client-side code or someone could find the key in the source code. Serverless functions let us keep secret keys private because the source can't be accessed.

Ron
Ron
~ 3 years ago

@jason Thanks for your reply. It makes sense we should hide Admin-Secret.

But by doing that, can we still achieve Subscription provided by Hasura, which is the major point of 3Factor practice?

Also can still expose the graphql to frontend by depending on the Authentication/Authorisation Hasura provides?

Thank you, Ron

Jason Lengstorf
Jason Lengstorf(instructor)
~ 3 years ago

@Ron for subscriptions and read-only access, I set up permissions so that someone unauthenticated can read certain data, but not change anything

those requests can be made without the admin secret, so it's safe to send them from the client side (for subscriptions, using something like Apollo or urql)

here's an example of how I set up a subscription with Hasura and urql for my livestream: https://github.com/socket-studio/preact/blob/main/src/hooks.js — no admin secret required because permissions for that API are read-only

I hope that helps!