Volume 1: Hasura Todo API - Project started!!!
Database setup, Creating tables and relationships, and Hasura roles and permissions
Recap
In the previous volume we discussed what the Todo API is and how it solves development problems encountered by non-full-stack or backend developers.
I strongly recommend that you read the previous volume before this one.
Continuation
Now, in this volume, we are going to explore Hasura users' permissions. Log in to your Hasura account and create a new project. Give it a name (I named mine hasura-todo-api) and leave the remaining settings as default, as shown below.
Signing up to Hasura
Now, let's go to the console and connect to a database.
Creating tables on the database
I have connected to a Heroku database. After connecting, let's create all the tables on the database, app_api, users and todos, like this:
and the users table
then followed by todos
Table Relationships
In this section, we are going to explore primary and foreign keys. According to the Hasura docs, relationships enable you to make nested object queries if the tables/views in your database are connected.
There are two types of relationships, Object and Array relationships; see the Hasura docs for more details.
In the app_api table, we are going to add a new Array relationship (via a foreign key) that makes the app_api_id field in the users table match id in the app_api table.
From the users table, we are also going to add an Object relationship that makes app_api_id in the users table equal to id in the app_api table.
Also in the users table, we are going to add an Array relationship that makes user_id in the todos table equal to id in the users table.
Then lastly, in the todos table, we are going to add a new Object relationship that makes user_id in the todos table match id in the users table.
See the pictures below.
Queries and Mutations
After the relationships are set up properly, you can query app_api, users and their todos (and vice versa) like this:
query {
  todos {
    title
    user {
      name
      app_api {
        app_name
      }
    }
  }
}
The output will be this:
{
  "data": {
    "todos": [
      {
        "title": "my first todo",
        "user": {
          "name": "john doe",
          "app_api": {
            "app_name": "todo-api"
          }
        }
      }
    ]
  }
}
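To make the three tables and their two foreign keys concrete without a Hasura console, here is an added example (not code from the post or from Hasura) that builds the same schema in an in-memory SQLite database and reproduces the nested query above with plain joins. Column names the post does not mention (the email column on users, the integer ids) and the sample rows are my assumptions; the two REFERENCES clauses are the foreign keys behind the object relationships the post sets up. It also shows the database rejecting a todo whose user_id points at no user, which is the guarantee the foreign key gives you before any Hasura permission is involved.

```python
"""Local SQLite model of the app_api / users / todos schema from this tutorial.

Added example, not code from the post or from Hasura. Column names beyond the
ones the post mentions (app_api.id, app_api.app_name, users.id, users.name,
users.app_api_id, todos.title, todos.is_completed, todos.user_id) are
assumptions. nested_todos() reproduces the shape of the post's GraphQL query by
joining through the two foreign keys.
"""
import sqlite3

SCHEMA = """
CREATE TABLE app_api (
    id        INTEGER PRIMARY KEY,
    app_name  TEXT NOT NULL
);
CREATE TABLE users (
    id          INTEGER PRIMARY KEY,
    name        TEXT NOT NULL,
    email       TEXT NOT NULL UNIQUE,          -- assumed column
    app_api_id  INTEGER NOT NULL REFERENCES app_api(id)  -- users.app_api object relationship
);
CREATE TABLE todos (
    id            INTEGER PRIMARY KEY,
    title         TEXT NOT NULL,
    is_completed  INTEGER NOT NULL DEFAULT 0,
    user_id       INTEGER NOT NULL REFERENCES users(id)  -- todos.user object relationship
);
"""

# Constructed sample data, chosen to match the output shown in the post.
SAMPLE_ROWS = {
    "app_api": [(1, "todo-api")],
    "users": [(1, "john doe", "john@example.com", 1)],
    "todos": [(1, "my first todo", 0, 1)],
}


def open_db() -> sqlite3.Connection:
    """Create an in-memory database with the schema and sample rows loaded."""
    conn = sqlite3.connect(":memory:")
    # SQLite ignores REFERENCES unless this pragma is on; Postgres enforces FKs by default.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO app_api VALUES (?, ?)", SAMPLE_ROWS["app_api"])
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_ROWS["users"])
    conn.executemany("INSERT INTO todos VALUES (?, ?, ?, ?)", SAMPLE_ROWS["todos"])
    conn.commit()
    return conn


def nested_todos(conn: sqlite3.Connection) -> dict:
    """Equivalent of: query { todos { title user { name app_api { app_name } } } }"""
    rows = conn.execute(
        """
        SELECT t.title, u.name, a.app_name
        FROM todos t
        JOIN users   u ON u.id = t.user_id        -- todos -> user
        JOIN app_api a ON a.id = u.app_api_id     -- user -> app_api
        ORDER BY t.id
        """
    ).fetchall()
    return {
        "data": {
            "todos": [
                {"title": title, "user": {"name": name, "app_api": {"app_name": app}}}
                for title, name, app in rows
            ]
        }
    }


def insert_orphan_todo(conn: sqlite3.Connection, user_id: int) -> bool:
    """Try to insert a todo for the given user id.

    Returns True if the database rejected the row because no such user exists
    (the foreign key held), False if the insert went through.
    """
    try:
        conn.execute(
            "INSERT INTO todos (title, is_completed, user_id) VALUES (?, 0, ?)",
            ("stray todo", user_id),
        )
        conn.commit()
        return False
    except sqlite3.IntegrityError:
        conn.rollback()
        return True


if __name__ == "__main__":
    import json
    db = open_db()
    print(json.dumps(nested_todos(db), indent=2))
    print("orphan rejected:", insert_orphan_todo(db, user_id=999))
```

Run it directly to print the same JSON the post shows. In Postgres the REFERENCES clauses are enforced without the pragma; it is only there because SQLite ships with foreign-key checking off.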
Permissions
After relationships, we move to permissions: choosing who can access which data and who cannot.
Let's start with the todos table. We will create a new role called user and give it some permissions.
For insert, the custom check is that user_id equals X-Hasura-User-Id, which Hasura provides as a session variable; then allow the user role to access the title, is_completed and user_id columns.
Then move to select on todos: allow the user role to select rows with the same custom check as for insert.
For update on todos, allow the user role to update rows with the same custom check as for insert and select.
For delete on todos, the permission is the same as the insert permission.
Furthermore!
Moving to the users table, we need the app_api to know the user, so we give the same permission as for insert on todos, but instead of user_id we use app_api_id and require it to equal the X-Hasura-User-Id session variable.
The same for select, but allowing the user role to toggle all columns, see below.
The same for update, but allowing the user role to toggle only the name and email columns, see below.
We don't allow user deletion at all; it is too risky, so only the admin can do it.
API permissions
For the app_api table, insert and delete are handled by the API provider, who takes care of app insertion and deletion. Select and update are the same as the previous selects and updates.
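The checks above are stored by Hasura as boolean expressions, for example {"user_id": {"_eq": "X-Hasura-User-Id"}}, and applied to every row the role touches. The following is an added example, not Hasura's code, that simulates that evaluation in Python so you can see what the user role gets for a given set of session variables: only its own rows for select, a rejected insert when user_id does not match the session, and no rows at all when X-Hasura-User-Id is missing from the session. It assumes string comparison of values, supports only the _eq, _and, _or and _not operators, and assumes select uses the same column list as insert (title, is_completed, user_id); the sample todos are constructed. The same evaluator applies to the users rule with app_api_id in place of user_id.

```python
"""Simulation of Hasura row-permission checks as described in this post.

Added example, not Hasura's own code. It evaluates the boolean expression the
console stores for a permission against a row and the request's session
variables. Assumptions: values are compared as strings and only _eq, _and,
_or and _not are supported.
"""

SESSION_PREFIX = "X-Hasura-"

# Rule and column list from the post (todos table, role "user");
# select/update/delete reuse the insert check.
TODOS_USER_CHECK = {"user_id": {"_eq": "X-Hasura-User-Id"}}
TODOS_USER_COLUMNS = {"title", "is_completed", "user_id"}


def resolve(value, session: dict):
    """Replace a session-variable name with its value; a missing variable yields None, which never matches."""
    if isinstance(value, str) and value.startswith(SESSION_PREFIX):
        return session.get(value)
    return value


def row_allowed(rule: dict, row: dict, session: dict) -> bool:
    """Evaluate a Hasura-style boolean expression for one row."""
    if "_and" in rule:
        return all(row_allowed(r, row, session) for r in rule["_and"])
    if "_or" in rule:
        return any(row_allowed(r, row, session) for r in rule["_or"])
    if "_not" in rule:
        return not row_allowed(rule["_not"], row, session)
    if not rule:  # {} means "allow every row"
        return True
    # Several column keys in one object are an implicit AND.
    for column, cond in rule.items():
        for op, operand in cond.items():
            if op != "_eq":
                raise ValueError(f"unsupported operator {op}")
            expected = resolve(operand, session)
            if expected is None or str(row.get(column)) != str(expected):
                return False
    return True


def select_rows(rows, rule, columns, session):
    """Rows the role may read, reduced to the columns it may read."""
    return [
        {c: r[c] for c in r if c in columns}
        for r in rows
        if row_allowed(rule, r, session)
    ]


def check_insert(new_row, rule, columns, session) -> bool:
    """Insert is allowed only if every column is permitted and the check holds for the new row."""
    if not set(new_row) <= columns:
        return False
    return row_allowed(rule, new_row, session)


# Constructed sample data: two users, three todos.
TODOS = [
    {"id": 1, "title": "my first todo", "is_completed": False, "user_id": 1},
    {"id": 2, "title": "buy milk", "is_completed": False, "user_id": 2},
    {"id": 3, "title": "write volume 2", "is_completed": True, "user_id": 1},
]

if __name__ == "__main__":
    user_one = {"X-Hasura-Role": "user", "X-Hasura-User-Id": "1"}
    print(select_rows(TODOS, TODOS_USER_CHECK, TODOS_USER_COLUMNS, user_one))
    # user 1 may not insert a todo on behalf of user 2
    print(check_insert({"title": "x", "user_id": 2}, TODOS_USER_CHECK, TODOS_USER_COLUMNS, user_one))
```

The interesting cases are the negative ones: a session without X-Hasura-User-Id sees nothing rather than everything, because the comparison against a missing variable is false, and the id column never leaves the table for the user role because it is not in the permitted column list.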
Recap
Let's quickly recap what we've done so far!
- Hasura was installed and linked to the Postgres database and Heroku.
- Then we made some tables and experimented with GraphQL queries and mutations.
- We also established some connections between the todos, users, and app_api tables.
- Finally, for app security, we've set up some role-based permissions.
That is it for now, until we meet in volume 2.
You can always follow me on Twitter at @mxhdiqaim, GitHub @Mahdi, and IG at @mxhdiqaim to see my progress. DMs are always open for work, friendship, and relationships :)