Skip to content

011: FraiOS token support for discovery, queries, and Hasura proxy#29

Merged
acmeguy merged 7 commits intomainfrom
011-fraios-token-support
Mar 22, 2026
Merged

011: FraiOS token support for discovery, queries, and Hasura proxy#29
acmeguy merged 7 commits intomainfrom
011-fraios-token-support

Conversation

@acmeguy
Copy link
Copy Markdown

@acmeguy acmeguy commented Mar 22, 2026

Summary

  • Add FraiOS HS256 JWT support alongside existing WorkOS (RS256) and Hasura (HS256) tokens
  • Three-way token detection via payload sniffing (accountId claim distinguishes FraiOS from Hasura)
  • JIT user provisioning from FraiOS tokens (email-based identity resolution, partition-driven team derivation)
  • Wired into all four auth paths: REST API (checkAuth), SQL API (checkSqlAuth), discover endpoint, and Hasura proxy

Test plan

  • 28 unit tests passing (token detection, verification, provisioning, discover)
  • E2E: discover endpoint returns datasources with FraiOS token
  • E2E: Hasura proxy accepts FraiOS token and returns GraphQL response
  • Deploy to dev cluster, verify with cxs2 integration

🤖 Generated with Claude Code

acmeguy and others added 7 commits March 22, 2026 17:35
@acmeguy @claude
feat(cubejs): add FraiOS token detection and HS256 verification
49a5917 
Extend detectTokenType to distinguish FraiOS tokens (HS256 with accountId
claim) from Hasura tokens. Add verifyFraiOSToken using TOKEN_SECRET env var.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@acmeguy @claude
feat(cubejs): add FraiOS user provisioning with JIT identity resolution
afaacb9 
Email-based lookup with partition-driven team derivation.
Reuses workosSubCache and singleflight dedup.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@acmeguy
feat(cubejs): wire FraiOS token support into REST API auth
25d2f88
@acmeguy
feat(cubejs): wire FraiOS token support into SQL API auth
a11adeb
@acmeguy
feat(cubejs): accept FraiOS tokens on discover endpoint
c19917a
@acmeguy
feat(cubejs): wire FraiOS token support into Hasura proxy
f8f7dd1
@acmeguy
chore(cubejs): add TOKEN_SECRET env var for FraiOS auth
db2def6 
Plumbs the FraiOS shared secret into the CubeJS service environment.
@akshaykumar2505 akshaykumar2505 self-requested a review March 22, 2026 19:03
@acmeguy acmeguy merged commit 17d83d1 into main Mar 22, 2026
3 checks passed
@acmeguy acmeguy deleted the 011-fraios-token-support branch March 22, 2026 19:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Valdegg Valdegg Valdegg approved these changes

@akshaykumar2505 akshaykumar2505 akshaykumar2505 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@acmeguy @Valdegg @akshaykumar2505