// the find
nhost/hasura-backend-plus
🔑Auth and 📦Storage for Hasura. The quickest way to get Auth and Storage working for your next app based on Hasura.
HBP was a self-hosted auth and S3-compatible storage sidecar for Hasura, handling JWT sessions, OAuth providers, TOTP/MFA, and YAML-defined storage access rules. It is officially dead — the README leads with a deprecation notice pointing to the successor repos. Don't build on this.
The storage rules system (YAML-defined per-path access control evaluated against JWT claims) was a genuinely clever approach to file authorization without writing custom resolvers. OAuth provider coverage was broad (9 providers including Apple and Twitter). The test suite has real coverage with a docker-compose test environment rather than pure mocks. JWKS endpoint and Pwned Passwords integration were thoughtful additions most auth sidecars skip.
Deprecated since May 2023 — last commit is over three years old and the maintainers have explicitly abandoned it for hasura-auth and hasura-storage. The migration story is a single raw SQL file with no versioning strategy, meaning schema drift is your problem. Storage rules are evaluated via notevil (a sandboxed JS eval library), which is a weird security bet for access control logic, since file authorization then rests on a JavaScript sandbox behaving as intended. No mention of refresh token rotation, which matters for anything beyond a toy app.