nhost/hasura-storage

Unable to delete file with storage.delete() using authorization header

eekrain opened this issue · 4 comments

I am trying to delete a file using storage.delete() from the nhost-js package. I am noticing that I couldn't delete the file with the fileId I wanted to delete, getting error 403 "you are not authorized", even with an Authorization header with the access token in it. So I tried the DELETE method with an HTTP client with the URL "http://localhost:1337/v1/storage/files/fileId", and I'm still getting a 403 error. But then I tried using the x-hasura-admin-secret header and I successfully deleted the file.

GET file with authorization header: [screenshot not included in this extract]

DELETE file using authorization header: [screenshot not included in this extract]

DELETE with x-hasura-admin-secret header: [screenshot not included in this extract]

Permission on files table, this access token has the administrator role: [screenshot not included in this extract]

Nhost CLI I'm using: latest v0.6.10

Works for me:

curl -v -X DELETE http://localhost:8000/v1/storage/files/55af1e60-0f28-454e-885e-ea6aab2bb288 -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NTMyODY4NDMsImh0dHBzOi8vaGFzdXJhLmlvL2p3dC9jbGFpbXMiOnsieC1oYXN1cmEtYWxsb3dlZC1yb2xlcyI6WyJhZG1pbiJdLCJ4LWhhc3VyYS1kZWZhdWx0LXJvbGUiOiJhZG1pbiIsIngtaGFzdXJhLXVzZXItaWQiOiJhYjViYTU4ZS05MzJhLTQwZGMtODdlOC03MzM5OTg3OTRlYzIiLCJ4LWhhc3VyYS11c2VyLWlzQW5vbnltb3VzIjoiZmFsc2UifSwiaWF0IjoxNjUzMjg1OTQzLCJpc3MiOiJoYXN1cmEtYXV0aCIsInN1YiI6ImFiNWJhNThlLTkzMmEtNDBkYy04N2U4LTczMzk5ODc5NGVjMiJ9.TtzjqVYT0pWoi8BiZRRY_6z-W9lZ7u8j2s4stpI3l4s'
*   Trying 127.0.0.1:8000...
* Connected to localhost (127.0.0.1) port 8000 (#0)
> DELETE /v1/storage/files/55af1e60-0f28-454e-885e-ea6aab2bb288 HTTP/1.1
> Host: localhost:8000
> User-Agent: curl/7.79.1
> Accept: */*
> Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NTMyODY4NDMsImh0dHBzOi8vaGFzdXJhLmlvL2p3dC9jbGFpbXMiOnsieC1oYXN1cmEtYWxsb3dlZC1yb2xlcyI6WyJhZG1pbiJdLCJ4LWhhc3VyYS1kZWZhdWx0LXJvbGUiOiJhZG1pbiIsIngtaGFzdXJhLXVzZXItaWQiOiJhYjViYTU4ZS05MzJhLTQwZGMtODdlOC03MzM5OTg3OTRlYzIiLCJ4LWhhc3VyYS11c2VyLWlzQW5vbnltb3VzIjoiZmFsc2UifSwiaWF0IjoxNjUzMjg1OTQzLCJpc3MiOiJoYXN1cmEtYXV0aCIsInN1YiI6ImFiNWJhNThlLTkzMmEtNDBkYy04N2U4LTczMzk5ODc5NGVjMiJ9.TtzjqVYT0pWoi8BiZRRY_6z-W9lZ7u8j2s4stpI3l4s
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 204 No Content
< Content-Type: application/json; charset=utf-8
< Date: Mon, 23 May 2022 06:05:47 GMT
<
* Connection #0 to host localhost left intact

I suspect your token may not be correct; most likely your token isn't granting you the role you think it is granting you. Could you:

  1. Decode the token and share the payload? You can use this website to decode it: https://www.jstoolset.com/jwt
  2. Share the logs for hasura? (docker logs nhost-hasura)

Thanks

Yo, sorry for the late reply. This is my decoded JWT that I got from nhost.auth.getAccessToken():

{
  "header": { "alg": "HS256" },
  "payload": {
    "https://hasura.io/jwt/claims": {
      "x-hasura-allowed-roles": [ "user", "me", "administrator" ],
      "x-hasura-default-role": "administrator",
      "x-hasura-user-id": "0e09fe10-7d69-48ba-90be-771fa569e52d",
      "x-hasura-user-is-anonymous": "false"
    },
    "sub": "0e09fe10-7d69-48ba-90be-771fa569e52d",
    "iss": "hasura-auth",
    "iat": 1654191822,
    "exp": 1654192722
  }
}

As you can see, in the allowed roles this token belongs to the administrator role; I even made it the default role.

And here are the logs from the hasura graphql engine:
{"type":"http-log","timestamp":"2022-06-02T17:54:37.120+0000","level":"error","detail":{"operation":{"user_vars":{"x-hasura-role":"administrator","x-hasura-user-is-anonymous":"false","x-hasura-user-id":"0e09fe10-7d69-48ba-90be-771fa569e52d"},"error":{"path":"$.selectionSet.deleteFile.selectionSet.bucket","error":"field \"bucket\" not found in type: 'files'","code":"validation-failed"},"request_id":"0f665d3b-d481-4d77-9a29-4daad744647d","response_size":137,"query":{"variables":{"id":"87d394e0-8446-477f-8837-8b8696d3a065"},"query":"mutation ($id:uuid!){deleteFile(id: $id){id,name,size,bucketId,etag,createdAt,updatedAt,isUploaded,mimeType,uploadedByUserId,bucket{id,minUploadFileSize,maxUploadFileSize,presignedUrlsEnabled,downloadExpiration,createdAt,updatedAt,cacheControl}}}"},"request_mode":"error"},"request_id":"0f665d3b-d481-4d77-9a29-4daad744647d","http_info":{"status":200,"http_version":"HTTP/1.1","url":"/v1/graphql","ip":"127.0.0.1","method":"POST","content_encoding":null}}}

So the error was that it failed when requesting the bucket table, and I'm only giving permission on delete in the storage.bucket table. Here is the permission on bucket:

bucket permission: [screenshot not included in this extract]

After I gave the administrator role the select permission, it succeeded in deleting the file. I didn't know that the select permission on the bucket table is needed when you want to delete a file; it's not in the docs, please put it in the docs. Thanks for the help, I think you can close this issue.
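The two diagnostic steps the maintainer asked for above (decode the token's Hasura claims, read the graphql-engine error log) can be scripted, so the role actually carried by a token is compared against the role that hit the permission error. The following is an added example and not code from nhost or hasura-storage; the sample token is constructed locally and unsigned (it is never verified, only inspected), the log record is a trimmed copy of the one posted in this thread, and the conclusion it prints (a "field not found in type" validation error for a role means that role has no select permission on the table behind that relationship, which is what the thread ended up confirming for files.bucket) is this example's own interpretation of Hasura's behaviour of hiding fields a role cannot select.

```python
import base64
import json
import re

HASURA_CLAIMS = "https://hasura.io/jwt/claims"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims WITHOUT checking the signature.
    This is an inspection aid (which role does this token carry?), not authentication."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def hasura_roles(payload: dict) -> tuple:
    """(default role, allowed roles) from the Hasura claims namespace."""
    claims = payload.get(HASURA_CLAIMS, {})
    return claims.get("x-hasura-default-role"), list(claims.get("x-hasura-allowed-roles", []))


# Matches the message form seen in the thread: field "bucket" not found in type: 'files'
_MISSING_FIELD = re.compile(r'field "(?P<field>[^"]+)" not found in type: \'(?P<type>[^\']+)\'')


def parse_hasura_error_log(line: str):
    """Pull role, user and error details out of one graphql-engine http-log JSON line.
    Returns None for records that are not error-level http-logs."""
    rec = json.loads(line)
    if rec.get("type") != "http-log" or rec.get("level") != "error":
        return None
    op = rec.get("detail", {}).get("operation", {})
    err = op.get("error", {})
    user_vars = op.get("user_vars", {})
    m = _MISSING_FIELD.search(err.get("error", ""))
    return {
        "role": user_vars.get("x-hasura-role"),
        "user_id": user_vars.get("x-hasura-user-id"),
        "code": err.get("code"),
        "path": err.get("path"),
        "missing_field": m.group("field") if m else None,
        "parent_type": m.group("type") if m else None,
    }


def diagnose(token: str, log_line: str) -> str:
    """Combine both views: was the role in the token, and what did it lack?"""
    _default_role, allowed = hasura_roles(decode_jwt_payload(token))
    info = parse_hasura_error_log(log_line)
    if info is None:
        return "no error-level http-log record found"
    if info["role"] not in allowed:
        return f"role {info['role']!r} is not in the token's allowed roles {allowed}"
    if info["code"] == "validation-failed" and info["missing_field"]:
        return (f"role {info['role']!r} cannot see field {info['missing_field']!r} of "
                f"{info['parent_type']!r}: grant that role select permission on the table "
                f"behind {info['missing_field']!r} (the relationship is part of the returning set)")
    return f"{info['code']}: {info['path']}"


def make_unsigned_sample_token(default_role: str, allowed_roles: list, user_id: str) -> str:
    """Constructed token for local testing only: the signature segment is a placeholder."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        HASURA_CLAIMS: {
            "x-hasura-allowed-roles": allowed_roles,
            "x-hasura-default-role": default_role,
            "x-hasura-user-id": user_id,
            "x-hasura-user-is-anonymous": "false",
        },
        "sub": user_id, "iss": "hasura-auth", "iat": 1654191822, "exp": 1654192722,
    }
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()),
                     b64url_encode(b"placeholder-not-a-real-signature")])


SAMPLE_TOKEN = make_unsigned_sample_token(
    "administrator", ["user", "me", "administrator"], "0e09fe10-7d69-48ba-90be-771fa569e52d")

# Trimmed copy of the graphql-engine record posted in this thread.
SAMPLE_LOG_LINE = json.dumps({
    "type": "http-log", "timestamp": "2022-06-02T17:54:37.120+0000", "level": "error",
    "detail": {"operation": {
        "user_vars": {"x-hasura-role": "administrator", "x-hasura-user-is-anonymous": "false",
                      "x-hasura-user-id": "0e09fe10-7d69-48ba-90be-771fa569e52d"},
        "error": {"path": "$.selectionSet.deleteFile.selectionSet.bucket",
                  "error": "field \"bucket\" not found in type: 'files'", "code": "validation-failed"},
        "query": {"variables": {"id": "87d394e0-8446-477f-8837-8b8696d3a065"},
                  "query": "mutation ($id:uuid!){deleteFile(id: $id){id,bucket{id}}}"},
        "request_mode": "error"},
        "http_info": {"status": 200, "url": "/v1/graphql", "method": "POST"}},
})

if __name__ == "__main__":
    print(diagnose(SAMPLE_TOKEN, SAMPLE_LOG_LINE))
```

Run against a real access token and a line from `docker logs nhost-hasura`, the script points at the exact relationship the role cannot read; note that the HTTP status in the record is 200 while the hasura-storage client only sees a 403, so the graphql-engine log is where the underlying cause is visible.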

Ok, that issue was fixed and released. Can you try with 0.2.1? If you are using our cloud service you should have it already; similarly, if you are using our latest CLI, you should have it as well (unless you are overriding the version).

For reference, #87

I am closing this one; if this is still an issue, don't hesitate to reopen.