Hi All,
I've been asked to create some dashboards in ReTool connecting to our Hasura GraphQL.
We are a small health provider, but do stroe some quite sensitive user health information in AWS via Hasura.
Anyways as a proof of concept I followed the tutorials by entering Hasura Admin Secret and setting up GraphQL Queries etc all good, was able to pull back some actual user data into an unpublished Retool project dashboard....
However when showing my boss, I got blasted for exposing our Hasura Admin Secret to the wild.....
Wondering if this is actually my mistake or his understanding of how ReTool works (or a bit of both)?
Have I inadvertently exposed our Hasura Admin Secret in an insecure way to a unauthorised/untested third party?
From my point of view ReTool is going to be a tool which will make up part of our internal toolset.
As such using our Hasura Admin Secret to connect and pull data, is fine as long as we trust ReTool not to get hacked itself.....(I'm unsure how ReTool stores our info and if Retool did get hacked if they would be able to access our Admin Secret and compromise our data).
Is using the Hasura Admin Secret the only way to query Hasura GraphQL and if so, any there any security risks with this method....?
Any advice you can give on this would be appreciated.
) to go through options and make clear choices as you proceed.