There are two types of auth rules: RBAC and ABAC. ABAC rules are basically GraphQL queries, so you can write them independently in some GraphQL client.
Example:
    type User @auth(
        delete: { and: [
            { rule: """
                query($USER: String!) {
                    queryUser(filter: { username: { eq: $USER } }) {
                        __typename
                    }
                }
            """ },
            { rule: """
                query {
                    queryUser(filter: { isPublic: true }) {
                        __typename
                    }
                }
            """ }
        ] }
    ) {
        username: String! @id
        age: Int
        isPublic: Boolean @search
        disabled: Boolean
        tickets: [Ticket] @hasInverse(field: assignedTo)
        secrets: [UserSecret]
        issues: [Issue]
        tweets: [Tweets] @hasInverse(field: user)
    }
The rule is basically a GraphQL query:
query($USER: String!) {
queryUser(filter: { username: { eq: $USER } }) {
__typename
}
}
We use regex matching to parse RBAC rules, so this should be an easy fix.
Having a public key in the schema doesn't mean we would block requests not having a JWT. We block only those requests for types that have auth rules associated with them. Types having no auth rules would still work without the JWT token.
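Added example (not code from the original post and not Dgraph's implementation) covering both the ABAC delete rules on the User type above and the no-JWT behaviour described in the last paragraph. It treats each rule the way the post describes it, as a GraphQL query run with variables taken from JWT claims, and models Dgraph applying the rules as filters: a delete only touches the nodes every `and`-ed rule returns. The claim namespace, HS256 key, sample User nodes, the tiny filter parser, the RBAC rule form (`{$ROLE: { eq: "ADMIN" }}`) and the treatment of a missing claim as a rule that returns nothing are all assumptions made for the example; a real deployment uses whatever `Dgraph.Authorization` configures.

```python
"""Model of Dgraph-style @auth rule evaluation (added example, not Dgraph's code)."""
import base64
import hashlib
import hmac
import json
import re
import time

CLAIM_NAMESPACE = "https://my.app.example/jwt/claims"  # assumed; set by Dgraph.Authorization in a real schema
SECRET = b"example-hs256-verification-key"              # assumed shared HS256 key

# Constructed sample data standing in for the User nodes stored in the database.
SAMPLE_USERS = [
    {"username": "alice", "isPublic": True},
    {"username": "bob", "isPublic": False},
    {"username": "carol", "isPublic": True},
]

# The delete rules from the schema above, in the same and/rule nesting.
DELETE_RULES = {"and": [
    {"rule": """query($USER: String!) {
        queryUser(filter: { username: { eq: $USER } }) { __typename }
    }"""},
    {"rule": """query {
        queryUser(filter: { isPublic: true }) { __typename }
    }"""},
]}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT carrying `claims` under the namespace the auth layer reads."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({CLAIM_NAMESPACE: claims, "exp": int(time.time()) + 600}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def claims_from_jwt(token, secret: bytes = SECRET) -> dict:
    """Namespaced claims of a valid token; an absent, malformed, forged or expired token yields none."""
    if not token:
        return {}
    parts = token.split(".")
    if len(parts) != 3:
        return {}
    header, payload, sig = parts
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return {}
    body = json.loads(_b64url_decode(payload))
    if body.get("exp", 0) < time.time():
        return {}
    return body.get(CLAIM_NAMESPACE, {})


_VARS = re.compile(r"\$(\w+)\s*:")  # variables declared in the query header, e.g. $USER: String!
_FILTER = re.compile(r'filter:\s*\{\s*(\w+):\s*(?:\{\s*eq:\s*(\$\w+|"[^"]*")\s*\}|(true|false))\s*\}')
_RBAC = re.compile(r'^\s*\{\s*\$(\w+)\s*:\s*\{\s*eq:\s*"([^"]*)"\s*\}\s*\}\s*$')  # assumed RBAC rule shape


def run_rule(rule: str, claims: dict, users) -> set:
    """Evaluate one rule as a filter over User nodes and return the usernames it would return.
    A declared variable with no matching claim means the query cannot run, so it returns
    nothing (assumption about how a missing claim is treated)."""
    everyone = {u["username"] for u in users}
    rbac = _RBAC.match(rule)
    if rbac:                                    # RBAC: only claims are consulted, all or nothing
        claim, value = rbac.groups()
        return everyone if claims.get(claim) == value else set()
    for var in _VARS.findall(rule):
        if var not in claims:
            return set()
    match = _FILTER.search(rule)
    if not match:
        raise ValueError("unsupported filter in rule (example parser only handles eq and booleans)")
    field, eq_value, bool_value = match.groups()
    if bool_value is not None:
        want = bool_value == "true"
    elif eq_value.startswith("$"):
        want = claims[eq_value[1:]]
    else:
        want = eq_value.strip('"')
    return {u["username"] for u in users if u.get(field) == want}


def allowed_nodes(rules, claims: dict, users) -> set:
    """Combine rules with and/or/not on the node sets each returns; no rules means no filtering."""
    everyone = {u["username"] for u in users}
    if rules is None:                           # type without @auth: works with or without a JWT
        return everyone
    if "rule" in rules:
        return run_rule(rules["rule"], claims, users)
    if "and" in rules:
        return set.intersection(everyone, *(allowed_nodes(r, claims, users) for r in rules["and"]))
    if "or" in rules:
        return set().union(*(allowed_nodes(r, claims, users) for r in rules["or"]))
    if "not" in rules:
        return everyone - allowed_nodes(rules["not"], claims, users)
    raise ValueError("unknown rule shape")


def deletable_users(token, rules=DELETE_RULES, users=SAMPLE_USERS) -> set:
    """Which User nodes a delete sent with `token` (the auth header value) would actually remove."""
    return allowed_nodes(rules, claims_from_jwt(token), users)


if __name__ == "__main__":
    print(deletable_users(mint_jwt({"USER": "alice"})))  # only alice's own, public node
    print(deletable_users(mint_jwt({"USER": "bob"})))    # empty: bob's node is not public
    print(deletable_users(None))                         # empty: no JWT, type has auth rules
    print(deletable_users(None, rules=None))             # every node: type without auth rules
```

Pasting either rule query into a GraphQL client with `{"USER": "alice"}` as variables gives the same node sets the model computes, which is the independent check the post suggests; the interesting cases are the ones with no token, a forged signature, or a claim that names no existing user, all of which collapse the deletable set to nothing rather than to everything.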