A fully configured Hasura DDN project with Neon PostgreSQL and Neon Auth integration, featuring role-based access control and JWT authentication.
- Hasura DDN v3 - Modern GraphQL API with supergraph architecture
- Neon PostgreSQL - Serverless PostgreSQL database
- Neon Auth Integration - JWT-based authentication with webhook
- Role-Based Access Control - Admin, User, and Anonymous roles
- Docker Compose Setup - All services containerized and ready to run
- Production-Ready - Includes both development and production configurations

- Docker and Docker Compose installed
- Hasura DDN CLI (`ddn`) installed and authenticated
- Node.js 20+ (for local development)
- Access to a Neon PostgreSQL database
```bash
# Make sure you're in the project directory
cd /Users/danylodyachok/Dev/web/pidyom
# Start all services
ddn run docker-start
# Or use docker compose directly
docker compose up -d
```

- Hasura Console: http://localhost:3280/graphql (or run `ddn console --local`)
- GraphQL API: http://localhost:3280/graphql
- Auth Webhook: http://localhost:3001
- Postgres Connector: http://localhost:8437
```bash
# Query as anonymous user (limited access)
curl -X POST http://localhost:3280/graphql \
  -H "Content-Type: application/json" \
  -d '{"query": "{ users { id name } }"}'
# Query as authenticated user (full access to own data)
curl -X POST http://localhost:3280/graphql \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -d '{"query": "{ users { id name email } }"}'
```

- QUICK_START.md - Get up and running in 5 minutes
- NEON_AUTH_SETUP.md - Complete guide to setting up real Neon Auth
- NEON_AUTH_INTEGRATION.md - Detailed technical documentation
- examples/neon-auth-client.html - Full-featured frontend example
- examples/client-example.html - Simple integration example
- auth-webhook/README.md - Auth webhook service documentation
```
pidyom/
├── app/                              # Main application subgraph
│   ├── connector/
│   │   └── my_pg/                    # Neon PostgreSQL connector
│   └── metadata/                     # GraphQL schema and permissions
│       ├── Users.hml                 # User model with permissions
│       ├── InsertUsers.hml           # Insert mutation
│       ├── UpdateUsers.hml           # Update mutation
│       └── DeleteUsers.hml           # Delete mutation
├── globals/                          # Global configuration
│   └── metadata/
│       ├── auth-config.hml           # Authentication configuration
│       └── graphql-config.hml        # GraphQL configuration
├── auth-webhook/                     # Authentication webhook service
│   ├── index.js                      # Development version (no signature verification)
│   ├── index.production.js           # Production version (with JWT verification)
│   ├── package.json                  # Node.js dependencies
│   └── Dockerfile                    # Docker configuration
├── engine/                           # Hasura engine build artifacts
├── examples/                         # Example code and demos
├── scripts/                          # Utility scripts
│   └── enable-production-auth.sh     # Script to enable production auth
├── compose.yaml                      # Docker Compose configuration
├── supergraph.yaml                   # Supergraph configuration
└── .env                              # Environment variables
```
The project is currently in development mode:
- Auth webhook validates JWT structure but doesn't verify signatures
- Suitable for local development and testing
- Uses demo JWT tokens
Anonymous (not authenticated)
- Can query users table
- Can only see: `id`, `name` fields
- No mutations allowed
User (authenticated)
- Can query users table
- Can only see their own record (filtered by `id = X-Hasura-User-Id`)
- Can see: `id`, `name`, `email`, `createdAt`
- Can perform mutations on their own data
Admin (authenticated with admin role)
- Full access to all data
- Can see all fields of all users
- Can perform all mutations
To enable real Neon Auth with JWT signature verification:
```bash
# Quick way (automated script)
./scripts/enable-production-auth.sh
# Or manual way
cd auth-webhook
npm install jose
# Update package.json to use index.production.js
# Configure environment variables
cd ..
docker compose build auth-webhook
docker compose restart
```

See NEON_AUTH_SETUP.md for detailed instructions.
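The difference between the development webhook (JWT structure only) and a signature-verifying one, as an added example that is not the project's `index.production.js`. It assumes Node's built-in `crypto` in place of `jose`, a locally generated RSA key in place of the key served at `NEON_JWKS_URI`, and the claim names `sub` and `role`.

```javascript
// Added example; not the project's index.production.js. Keys and claims are constructed.
const crypto = require('node:crypto');

const ISSUER = 'https://your-project.auth.neon.tech'; // placeholder, as in NEON_AUTH_ISSUER
const b64u = (s) => Buffer.from(s).toString('base64url');
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Constructed RSA pair standing in for the key published at NEON_JWKS_URI.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Test helper: mint an RS256 token with the given private key.
function signToken(claims, key = privateKey) {
  const input = `${b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), key).toString('base64url')}`;
}

// Development-mode behaviour as the README describes it: structure only.
function structureOnly(token) {
  const parts = token.split('.');
  return parts.length === 3 ? decode(parts[1]) : null;
}

// Production-style check: pin the algorithm, verify the signature, then iss, sub and exp.
function verifyToken(token, key = publicKey, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  let header, claims;
  try {
    header = decode(parts[0]);
    claims = decode(parts[1]);
  } catch {
    return null;
  }
  if (!header || !claims || header.alg !== 'RS256') return null;
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify('sha256', signed, key, Buffer.from(parts[2], 'base64url'))) return null;
  if (claims.iss !== ISSUER || claims.sub == null) return null;
  if (typeof claims.exp !== 'number' || claims.exp <= now) return null;
  return claims;
}

// No token: anonymous. Invalid token: null (caller answers 401). Valid: user or admin.
function sessionFor(token) {
  if (!token) return { 'X-Hasura-Role': 'anonymous' };
  const claims = verifyToken(token);
  if (!claims) return null;
  const role = claims.role === 'admin' ? 'admin' : 'user';
  return { 'X-Hasura-Role': role, 'X-Hasura-User-Id': String(claims.sub) };
}
```

A token signed by any other key still parses under `structureOnly`, which is why the development webhook belongs only on a local machine; `sessionFor` returns `null` for it.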
```bash
# Start all services
ddn run docker-start
# OR
docker compose up -d
# Stop all services
docker compose down
# View logs
docker compose logs -f
# View specific service logs
docker compose logs -f auth-webhook
docker compose logs -f engine
# Restart a service
docker compose restart auth-webhook
docker compose restart engine
# Rebuild services
docker compose build
docker compose up -d
```

```bash
# After changing your Neon database schema
ddn connector introspect my_pg
# Add new models
ddn model add my_pg "*"
# Add new commands (mutations)
ddn command add my_pg "*"
# Add relationships
ddn relationship add my_pg "*"
```

Edit the relevant HML files in `app/metadata/`, then:
```bash
ddn supergraph build local
docker compose restart engine
```

Edit `globals/metadata/auth-config.hml`, then:
```bash
ddn supergraph build local
docker compose restart engine
```

```bash
# Test GraphQL API
curl -X POST http://localhost:3280/graphql \
  -H "Content-Type: application/json" \
  -d '{"query": "{ users { id name } }"}'
# Test auth webhook
curl -X POST http://localhost:3001/webhook \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -d '{}'
# Open interactive console
ddn console --local
```

```bash
npm install @neondatabase/auth
```

```javascript
import { NeonAuth } from '@neondatabase/auth';

// Initialize Neon Auth
const auth = new NeonAuth({
  projectId: 'your-neon-project-id',
  // ... other config from Neon dashboard
});

// Sign in
const { token } = await auth.signIn({
  email: 'user@example.com',
  password: 'password123'
});

// Use token with Hasura
const response = await fetch('http://localhost:3280/graphql', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Authorization': `Bearer ${token}`
  },
  body: JSON.stringify({
    query: '{ users { id name email } }'
  })
});
const data = await response.json();
```

See examples/neon-auth-client.html for a complete working example.
```bash
# PostgreSQL Connector (already configured)
APP_MY_PG_JDBC_URL=jdbc:postgresql://...
APP_MY_PG_READ_URL=http://local.hasura.dev:8437
APP_MY_PG_WRITE_URL=http://local.hasura.dev:8437
# Neon Auth (configure for production)
NEON_PROJECT_ID=    # Your Neon project ID
NEON_AUTH_ISSUER=   # https://your-project.auth.neon.tech
NEON_JWKS_URI=      # https://your-project.auth.neon.tech/.well-known/jwks.json
```

```bash
# Check Docker is running
docker ps
# Check for port conflicts
lsof -i :3280 # Hasura
lsof -i :3001 # Auth webhook
lsof -i :8437 # Postgres connector
# View all logs
docker compose logs
```

```bash
# Rebuild supergraph
ddn supergraph build local
# Restart engine
docker compose restart engine
# Check auth webhook is running
docker compose logs auth-webhook
```

In development mode, this shouldn't happen. If using production mode:
```bash
# Check webhook logs
docker compose logs auth-webhook
# Verify environment variables are set
docker compose exec auth-webhook env | grep NEON
# Test webhook directly
curl -X POST http://localhost:3001/webhook \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -d '{}'
```

```bash
# Test database connection
docker compose exec app_my_pg-1 /bin/sh -c 'echo "select 1" | psql "$APP_MY_PG_JDBC_URL"'
# Re-introspect database
ddn connector introspect my_pg
```

- Hasura DDN Documentation: https://hasura.io/docs/3.0/
- Neon Documentation: https://neon.tech/docs
- Neon Authorize Guide: https://neon.tech/docs/guides/neon-authorize
- GraphQL: https://graphql.org/
For issues and questions:
- Check the documentation files in this project
- Review logs: `docker compose logs`
- Hasura DDN CLI help: `ddn --help`
- Hasura Discord: https://hasura.io/discord
[Add your license here]
Built with ❤️ using Hasura DDN and Neon