Row Permissions with not always existing session variable

[asinbo]

Is it strictly required to send all session variables, that are used in row permissions?
I am having problems with this:

• session variable might contain a list of features, the user has access to, but it doesn't have to!
  {"feature":{"name":{"_in":"x-hasura-allowed-features"}}} (my actual rule is a bit more complex with an _or, to check for other things as well)
• now, if the x-hasura-allowed-features isn't present, I get an error response saying "missing session variable: \"x-hasura-allowed-features\""

Is there any way to allow for missing session variables and check for null in the row permission setting?
I know, I could pass an empty list in my session variable; but I have some dynamically generated session variables as outcome of my authN webhook and the webhook doesn't know, what session variable could be expected (otherwise, I could add empty session variables).

[manimovassagh]

Yes, Hasura requires all session variables referenced in permissions to be present in the request. There is no built-in "if exists" or null-check for session variables themselves in the permission rules.

A couple of workarounds:

1. Always send the variable, even if empty

The cleanest approach is to have your auth webhook always return x-hasura-allowed-features with an empty array [] when the user has no features. I know you mentioned the webhook does not know what variables might be expected, but this is the intended pattern -- the auth layer should be aware of the session variables the permission system requires.

2. Use a default role without feature-based permissions

If some users genuinely never have features, consider using a separate Hasura role for them (e.g. user-basic vs user-premium). The basic role would have permissions that do not reference x-hasura-allowed-features at all, while the premium role includes the feature check. Your webhook sets the role based on whether features exist.

3. Restructure the permission rule

If your _or rule is something like:

{
  "_or": [
    {"feature": {"name": {"_in": "x-hasura-allowed-features"}}},
    {"is_public": {"_eq": true}}
  ]
}

And you want it to work when x-hasura-allowed-features is absent, the only way today is option 1 or 2 above. There is no _is_null operator for session variables.

There have been feature requests for default values on session variables, but nothing has landed yet. For now, making the webhook always emit the variable (even as an empty value) is the most pragmatic path.