KeyFromSecret gives me a permission denied

KeyFromSecret(
  "eyJhbGciO..."
)

Error: [
  {
    "position": [],
    "code": "permission denied",
    "description": "Insufficient privileges to perform the action."
  }
]

This is what I get when I use the webshell. On the website that I’m checking (KeyFromSecret - Fauna Documentation) it doesn’t mention any specific roles I need to be using. Could someone help me out? Thanks in advance.

Hi @karthikjn01 and welcome!

When you run that query in the web shell, what is the “Run Query As” selector set to?

I think that a query session authenticated with a token or secret without the admin role does not have permission to read a key with the admin role. If that’s the case, we’ll have to make a documentation update to state that.

One other possible scenario… have you tried logging into the same account from another browser? It could be that your Dashboard session is no longer authenticated because of another login. If that’s the case, login to the Dashboard again and retry your query.

One more nit: Your example secret starts with e. All Fauna secrets start with f. If you call KeyFromSecret with an invalid secret, you get an error like:

KeyFromSecret("invalid")

Error: [
  {
    "position": [],
    "code": "instance not found",
    "description": "No key found for secret invalid."
  }
]

Hi, cheers for the quick reply.

I’ve tried a bunch of roles including admin server and a couple of custom roles that I made with (absolutely) everything checked :joy:, no luck.

Also I’m using a JWT token that I created with Auth0.com (took the token from the app I’m working on in Flutter)

I’ve reproduced the problem. Even with the appropriate roles applied to the AccessProvider configuration, I get the “Insufficient privileges” error.

To me, this result makes some amount of sense. There is no key associated with the JWT.

The error message is a bit misleading, but even if you didn’t get the “Insufficient privileges” error, you’d get the “No key found” error.

Ah cheers, Ewan. I was wondering then, if this isn’t the way to verify an access token, how should I go about it? I’m planning on writing a function in python using cloud run to upload an image into Cloud Storage. What would be the correct/best way to go about doing this?

If the JWT/secret is valid, the query it accompanies should succeed. Otherwise, you’ll get an “Unauthorized” error.

You are welcome to run an innocuous query with a token, such as Now() (which accesses no data, but returns the current datetime only when the token is valid). However, tokens can be invalidated by a variety of means, especially for JWTs which have a built-in lifespan (according to the configuration in your identity provider). In practice, it doesn’t really help to execute a “is this valid” query and then assume that it remains valid for all subsequent queries.

Yep sorry let me clarify. On the mobile app which is working :ok_hand: I need to let a user (that has a valid token) upload an image to cloud storage. My plan was to write a cloud function (either using cloud run or app engine) that will verify whether the token (being passed with the image) is valid. Otherwise, anyone would be able to upload an image. The approach that made sense in my mind was to manage signing in/signing up using auth0.com then use fauna as the db then use gcp as the backend. On the cloud function I’d use KeyFromSecret(secret_from_client) to validate whether it’s a user that has registered with the app.

Here are my attempts at making KeyFromSecret work:

it looks like it works for “” but not for the actual secret that I’ve been given from auth0. :confused:
Is there any other way to validate a token?

Is there any other way to validate a token?

You can run a Now() query to tell whether Fauna accepts a JWT. However, you might have roles defined that control access to specific collections or documents, and running Now() won’t tell you whether a JWT can be used to run a query involving those roles without attempting to do so.

There’s not much value in a “is this valid” query. Run the query you would use to perform the image operation, assuming that the JWT is correct. If the JWT is invalid or the role restrictions prevent the query from completing successfully, you’ll get an error back. Then you can deal with the situation appropriately in your mobile app.

1 Like

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.