Skip to content

fix(cubejs): generate-models uses admin-secret Hasura calls, not the caller JWT#69

Merged
acmeguy merged 1 commit into
mainfrom
fix/generate-models-internal-hasura-auth
Jul 13, 2026
Merged

fix(cubejs): generate-models uses admin-secret Hasura calls, not the caller JWT#69
acmeguy merged 1 commit into
mainfrom
fix/generate-models-internal-hasura-auth

Conversation

@acmeguy

@acmeguy acmeguy commented Jul 13, 2026

Copy link
Copy Markdown

generateDataSchema forwarded the caller's original JWT to Hasura for its internal reads/writes. Externally-authenticated callers (WorkOS session tokens forwarded by cxs2) then fail with Could not verify JWT: JWSError JWSInvalidSignature — Hasura only verifies its own HS256 key, and the request was already authorized by checkAuth + defineUserScope.

Fix: use the admin-secret path for the internal findDataSchemas/createDataSchema calls, exactly like smartGenerate already does.

Surfaced by cxs2 spec 081 (US7b: connect Pagila → generate models → Tychi refine → dashboard); verified against the local stack.

🤖 Generated with Claude Code

…caller JWT

generateDataSchema forwarded the caller's original Authorization token to
Hasura for findDataSchemas/createDataSchema. Callers authenticated with an
externally-issued JWT (e.g. a WorkOS session forwarded by cxs2) then fail
with 'Could not verify JWT: JWSError JWSInvalidSignature' — Hasura only
verifies its own HS256 key. checkAuth + defineUserScope have already
authorized the request at that point; use the admin-secret path for the
internal calls, exactly like smartGenerate does ('the user's JWT may expire
during the long-running flow' precedent).

Surfaced by cxs2 spec 081 (Blue Car demo, US7b: connect Pagila → generate
models → dashboard).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@acmeguy acmeguy merged commit 06747f4 into main Jul 13, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant