feat: apply defaults for customClaims #616

Closed
wants to merge 17 commits into from

Conversation

@xmlking (Contributor) commented Mar 14, 2025

Fixes #610

Before submitting this PR:

Checklist

  • No breaking changes
  • Tests pass
  • New features have new tests
  • Documentation is updated

Breaking changes

Avoid breaking changes and regressions. If you feel it is unavoidable, make it explicit in your PR comment so we can review it and see how to handle it.

Tests

  • please make sure your changes pass the current tests (use the make test or the make watch command).
  • if you are introducing a new feature, please write as many tests as possible.

Documentation

Please make sure the documentation is updated accordingly, in particular:

@xmlking xmlking marked this pull request as ready for review March 14, 2025 00:27
@dbarrosop (Member)

Would you mind testing and letting me know if it works? I applied a couple of patches that suggested that it didn't work

@xmlking (Contributor, Author) commented Mar 17, 2025

Sure @dbarrosop, is there a docker image published, or should I build it myself?

@dbarrosop (Member)

Use the dev environment in this repo. Once we confirm this is working we can build a beta image. If you don't know how to start the environment, you can start with make build-docker-image and make dev-env-up.

@xmlking (Contributor, Author) commented Mar 18, 2025

With dev-env-up and a locally built image, I am getting a 404 error for any of the Auth APIs, e.g.:

curl http://localhost:4000/v1/version

{"status":404,"message":"Route not found","error":"route-not-found"}

@dbarrosop (Member)

Try without /v1

@xmlking (Contributor, Author) commented Mar 20, 2025

Not working:

curl https://local.auth.local.nhost.run/version
404 page not found

@xmlking (Contributor, Author) commented Mar 20, 2025

Working with make dev-env-up, I can hit the API without /v1.
It would be nice if I could do an e2e test with nhost up using my real config in nhost.toml.

I guess the nhost CLI needs to be updated to support CustomClaimsDefaults.

@xmlking (Contributor, Author) commented Mar 23, 2025

@dbarrosop, I need your help. I need to test with my local nhost.toml, since the custom claims defaults come from my database schema.
It will be hard to reproduce my environment with build/dev/docker/docker-compose.yaml in nhost/hasura-auth.

So I tried:

  1. Build the auth image from my branch with make build-docker-image
  2. Update my nhost/nhost.toml to use the new image 0.0.0-dev and add CustomClaimsDefaults:
[auth]
# version = '0.37.1'
version = '0.0.0-dev'

[[auth.session.accessToken.customClaims]]
key = 'default-org'
value = 'defaultOrg'

[[auth.session.accessToken.customClaims]]
key = 'allowed-orgs'
value = 'allowedOrgs.orgId[]'

[[auth.session.accessToken.customClaims]]
key = 'user-email'
value = 'email'

[[auth.session.accessToken.CustomClaimsDefaults]]
key = 'default-org'
value = '00000000-0000-0000-0000-000000000000'
  3. Started the stack normally with nhost up --apply-seeds to let it generate .nhost/docker-compose.yaml etc.
  4. Edited the generated .nhost/docker-compose.yaml file to add AUTH_JWT_CUSTOM_CLAIMS_DEFAULTS, as the nhost CLI does not add this variable yet:
services:
    auth:
        image: nhost/hasura-auth:0.0.0-dev
        depends_on:
            graphql:
                condition: service_healthy
            postgres:
                condition: service_healthy
        environment:
            AUTH_API_PREFIX: /v1
            AUTH_CLIENT_URL: https://console.traefik.me:5173
            AUTH_JWT_CUSTOM_CLAIMS: '{"allowed-orgs":"allowedOrgs.orgId[]","default-org":"defaultOrg","user-email":"email"}'
            AUTH_JWT_CUSTOM_CLAIMS_DEFAULTS: '{"default-org":"00000000-0000-0000-0000-000000000000"}'
            AUTH_PORT: "4000"
            AUTH_SERVER_URL: https://local.auth.local.nhost.run/v1
            AUTH_SMTP_AUTH_METHOD: LOGIN
           ...
  5. Restarted the stack with docker compose --project-directory . -f .nhost/docker-compose.yaml -p spectacular up -d --wait --remove-orphans
  6. In the auth server logs I see:
auth-1  | {"time":"2025-03-23T15:54:54.235071857Z","level":"INFO","msg":"auth v0.0.0-dev"}
auth-1  | {"time":"2025-03-23T15:54:54.235179732Z","level":"INFO","msg":"starting program","flags":{"api-prefix":"/v1","port":"4000","debug":{},"log-format-text":{},"postgres":"********","postgres-migrations":"********","node-server-path":"/nix/store/ch2cyq6y8ivkjv84gxxyxxvf6jk6dn3m-node-hasura-auth-hardcoded","disable-signup":{},"conceal-errors":{},"default-allowed-roles":{},"default-role":"user","default-locale":"en","allowed-locales":{},"disable-new-users":{},"gravatar-enabled":{},"gravatar-default":{"Enum":["blank","identicon","monsterid","wavatar","retro","robohash","mp","404"],"Default":"blank"},"gravatar-rating":{"Enum":["g","pg","r","x"],"Default":"g"},"refresh-token-expires-in":"********","access-tokens-expires-in":"********","hasura-graphql-jwt-secret":"********","email-verification-required":{},"smtp-host":"mailhog","smtp-port":1025,"smtp-secure":{},"smtp-user":"user","smtp-password":"********","smtp-sender":"[email protected]","smtp-api-header":"","smtp-auth-method":{"Enum":["LOGIN","PLAIN","CRAM-MD5"],"Default":"PLAIN"},"client-url":"https://console.traefik.me:5173","allow-redirect-urls":{},"server-url":"https://local.auth.local.nhost.run/v1","enable-change-env":{},"custom-claims":"{\"allowed-orgs\":\"allowedOrgs.orgId[]\",\"default-org\":\"defaultOrg\",\"user-email\":\"email\"}","graphql-url":"http://graphql:8080/v1/graphql","hasura-admin-secret":"********","password-min-length":"********","password-hibp-enabled":"********","templates-path":"/app/email-templates","block-email-domains":{},"block-emails":{},"allowed-email-domains":{},"allowed-emails":{},"email-passwordless-enabled":"********","require-elevated-claim":{"Enum":["disabled","recommended","required"],"Default":"disabled"},"webauthn-enabled":{},"webauthn-rp-name":"Spectacular Console 
App","webauthn-rp-id":"","webauthn-rp-origins":{},"webauthn-attestation-timeout":60000,"rate-limit-enable":{},"rate-limit-global-burst":100,"rate-limit-global-interval":900000000000,"rate-limit-email-burst":10,"rate-limit-email-interval":3600000000000,"rate-limit-email-is-global":{},"rate-limit-sms-burst":10,"rate-limit-sms-interval":3600000000000,"rate-limit-brute-force-burst":10,"rate-limit-brute-force-interval":300000000000,"rate-limit-signups-burst":100,"rate-limit-signups-interval":300000000000,"rate-limit-memcache-server":"","rate-limit-memcache-prefix":"","turnstile-secret":"********","apple-audience":"","google-audience":"","otp-email-enabled":{},"help":{},"version":{}}}
auth-1  | {"level":"info","message":"Log level: info"}
auth-1  | {"level":"info","message":"Waiting for Hasura to be ready..."}
auth-1  | {"level":"info","message":"Hasura is ready"}
auth-1  | {"level":"info","message":"Applying SQL migrations..."}
auth-1  | {"level":"info","message":"SQL migrations applied"}
auth-1  | {"level":"info","message":"Applying metadata..."}
auth-1  | {"level":"info","message":"Metadata applied"}
auth-1  | {"level":"info","message":"Running on port 4001"}
  7. In the logs, I was expecting to see custom-claims-defaults but don't see it.
  8. Both https://local.auth.local.nhost.run/v1/version and https://local.auth.local.nhost.run/version return a 404 error.

Please advise if I am doing something wrong.

@dbarrosop (Member)

> In the logs, I was expecting to see custom-claims-defaults but don't see it.

I also don't see such a flag in this PR ;) I think you need to change coding agent, this one doesn't seem to be doing a good job :P Search for any other flag constant and you will see what you are missing.

> Either https://local.auth.local.nhost.run/v1/version or https://local.auth.local.nhost.run/version return 404 error.

No idea. If you are just running that command with the docker compose generated by the CLI, GET /v1/version should work. Based on the logs you shared I don't even see the request, so make sure you don't have something else running that might be intercepting the request. Otherwise, curl -v output plus auth logs might give some clues.

@xmlking (Contributor, Author) commented Mar 23, 2025

  1. As you suggested, I killed all docker processes and ran it again. Now both curl and the auth API are working as expected.
  2. I have the new flag flagCustomClaimsDefaults in the PR.

@xmlking (Contributor, Author) commented Mar 23, 2025

> As you suggested, I killed all docker processes and ran it again. Now both curl and the auth API are working as expected.

Sorry, too early. I need to apply the following schema changes, which I used as a workaround for setting user.default-org to uuid_nil(). I should not need the workaround with this PR:
https://github.com/xmlking/spectacular/pull/350/files

Update:

Got a JWT with the PR:

curl 'https://local.auth.local.nhost.run/v1/signin/email-password' \
  -H 'content-type: application/json' \
  --data-raw '{"email":"[email protected]","password":"xyz"}'
{
  "exp": 1742784794,
  "https://hasura.io/jwt/claims": {
    "x-hasura-allowed-orgs": "{}",
    "x-hasura-allowed-roles": [
      "user",
      "me"
    ],
    "x-hasura-default-org": "null",
    "x-hasura-default-role": "user",
    "x-hasura-user-email": "[email protected]",
    "x-hasura-user-id": "cf76daf5-1b6b-4b4c-8585-4ce5c55fb25b",
    "x-hasura-user-is-anonymous": "false"
  },
  "iat": 1742783894,
  "iss": "hasura-auth",
  "sub": "cf76daf5-1b6b-4b4c-8585-4ce5c55fb25b"
}

Still debugging why the PR is not setting x-hasura-default-org to 00000000-0000-0000-0000-000000000000.

@dbarrosop (Member)

You don't have the flag configured, you have a constant defined but there is no flag defined. Proof of that is that it doesn't show during the initialization process.

@xmlking (Contributor, Author) commented Mar 24, 2025

> You don't have the flag configured, you have a constant defined but there is no flag defined. Proof of that is that it doesn't show during the initialization process.

Thanks @dbarrosop, fixed it. I also had to check for nil and fill in the default in ExtractClaims():

if got == nil {
	// the claim path resolved to nothing: fall back to the configured default, if any
	claims[name] = c.defaultOrNil(name)
} else {
	claims[name] = got
}
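The nil-then-default branch above, as an added Go example that is not hasura-auth's code: it resolves the claim paths from the nhost.toml earlier in the thread (allowedOrgs.orgId[], defaultOrg, email) against a user object and applies AUTH_JWT_CUSTOM_CLAIMS_DEFAULTS only where the lookup yields nothing. The path walker, the x-hasura- prefix and the user row are my assumptions, and the walker goes beyond the snippet by also collecting array values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// lookup walks a dotted path such as "allowedOrgs.orgId[]" through a JSON-decoded user
// object; an array applies the rest of the path to each element. Missing keys and null give nil.
func lookup(obj any, segs []string) any {
	if len(segs) == 0 {
		return obj
	}
	switch v := obj.(type) {
	case map[string]any:
		return lookup(v[strings.TrimSuffix(segs[0], "[]")], segs[1:])
	case []any:
		out := make([]any, 0, len(v))
		for _, e := range v {
			if r := lookup(e, segs); r != nil {
				out = append(out, r)
			}
		}
		return out
	}
	return nil
}

// ExtractClaims resolves each path from AUTH_JWT_CUSTOM_CLAIMS against the user; a nil result
// takes the entry from AUTH_JWT_CUSTOM_CLAIMS_DEFAULTS and otherwise stays nil, never "null".
func ExtractClaims(paths map[string]string, defaults, user map[string]any) map[string]any {
	claims := make(map[string]any, len(paths))
	for name, path := range paths {
		got := lookup(user, strings.Split(path, "."))
		if got == nil {
			got = defaults[name] // nil when no default is configured for this claim
		}
		claims["x-hasura-"+name] = got
	}
	return claims
}

func main() {
	paths := map[string]string{"allowed-orgs": "allowedOrgs.orgId[]", "default-org": "defaultOrg", "user-email": "email"}
	defaults := map[string]any{"default-org": "00000000-0000-0000-0000-000000000000"}
	var user map[string]any // constructed user row; defaultOrg is NULL in the database
	json.Unmarshal([]byte(`{"email":"[email protected]","defaultOrg":null,"allowedOrgs":[{"orgId":"a1"},{"orgId":"b2"}]}`), &user)
	fmt.Println(ExtractClaims(paths, defaults, user))
}
```

A claim with neither a value nor a default stays nil in the result, which a permission rule can reject unambiguously, unlike the string "null" in the JWT shown earlier in the thread.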

@dbarrosop (Member)

Unfortunately it looks like the tests for the older node code are not passing :(

@dbarrosop (Member)

Thanks, everything looks green. I will try to find some time to review and test a bit more thoroughly. The next 2-3 weeks are a bit packed for us but I will try to squeeze some time.

@dbarrosop (Member)

Just wanted to let you know I haven't forgotten about this, but due to Easter and other priorities I haven't had the time yet, sorry.

@xmlking (Contributor, Author) commented Apr 24, 2025

Understood, I noticed you are working on many commits.

@dbarrosop (Member)

Hello,
thanks. I think you tried to rebase but somehow it didn't go well, as it is showing commits and changes unrelated to your PR. If it's easier, feel free to just close the PR and open a new one (been there, done that millions of times).

Thanks for your patience.

Regards

@xmlking (Contributor, Author) commented Jul 7, 2025

> Hello, thanks. I think you tried to rebase but somehow it didn't go well, as it is showing commits and changes unrelated to your PR. If it's easier, feel free to just close the PR and open a new one (been there, done that millions of times).
>
> Thanks for your patience.
>
> Regards

Sure, will do next week. Thanks.

Development

Successfully merging this pull request may close these issues.

customClaims provide option for default value
2 participants