Session middleware on the Hasura platform #HasuraPaaS

The session middleware is a component that ‘sits’ in front of your actual service. All requests that come from outside your cluster go through this middleware, are processed, and then reach your service.

The session middleware is built into the API gateway.

Almost every request, to any service, requires having a “session” i.e. an authenticated identity for the request (or the user). Cookies, Authorization headers, JWTs are different methods of exchanging session information.

Resolving the session token once and for all

Hasura’s session middleware that resolves a session into an identity for every incoming request. The identity is passed to the upstream service as injected HTTP headers.

Two headers : X-Hasura-Id and X-Hasura-Allowed-Roles are set by the API gateway and passed on to your service. This pair of headers identifies a user and the roles that the user has (the ID and the roles for the user were set when the user authenticated themselves).

Your code can then use a simple pattern to perform various tasks that the user was authorised to do, based on their ID and roles.

Standardising session management for your microservices

Hasura’s session middleware standardises your session management. You can handle identity concisely and uniformly across all services. This saves many lines of code and enforces neat abstractions across all your services.