Feature Request: Update After @auth Validation

Why this is VERY important and easy to fix…

Right now, there is no way to add any external application to Dgraph’s GraphQL. Only Dgraph can do that, so we are locked in without any way to secure mutations unless we want to rewrite every single mutation in a custom mutation. This means for any practical application, regular mutations are worthless.

This is far from trivial and concerns Backend Security.

Some more links I found:

More Problems this solves:

I think most people believe @auth works like this out of the box. There are many more problems this could solve, but very little code for very big reward.

Simple Fix:

Edit auth.go!

  • An add mutation is evaluated by data that WILL be in the database…
  • An update mutation is evaluated by data that is already IN the database

Simply add a new rule to handle update-after or afterUpdate or whatever name that…

  • An updateAfter is evaluated by data that WILL be in the database (just using the add validation)

These functions are already written, just add a few new lines. If I were a Go programmer, I would do a ping request myself.

This is very important and will solve many problems.

There is potentially another option where any incoming data added by an update mutation is evaluated by BOTH @auth add rules, and @auth update rules, but I feel there could be some conflict here.

Either way, this keeps the database consistent, and is VERY LITTLE WORK with BIG REWARDS for us users!

Thanks,

J

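Added example, not part of the original post and not code from Dgraph's auth.go: a simplified Go model of the evaluation points the post lists (update rules see the state already in the database, the requested updateAfter rule sees the state that will be in the database). `Post`, `Patch`, `ownerOnly` and all function names are hypothetical, and the sample data is constructed.

```go
package main

import "fmt"

// Post is a hypothetical node type guarded by an owner-based rule.
type Post struct{ Owner, Title string }

// Patch holds the fields an update mutation sets; nil means "leave unchanged".
type Patch struct{ Owner, Title *string }

// Rule is a simplified stand-in for an @auth rule: it sees the caller and one node state.
type Rule func(caller string, p Post) bool

// ownerOnly models a rule such as "the caller must be the node's owner".
func ownerOnly(caller string, p Post) bool { return p.Owner == caller }

// apply returns the state the node WILL have once the patch is written.
func apply(stored Post, patch Patch) Post {
	if patch.Owner != nil {
		stored.Owner = *patch.Owner
	}
	if patch.Title != nil {
		stored.Title = *patch.Title
	}
	return stored
}

// AllowUpdate checks only the state already IN the database.
func AllowUpdate(r Rule, caller string, stored Post) bool { return r(caller, stored) }

// AllowUpdateAfter checks only the state that WILL be in the database,
// the same way an add rule sees incoming data.
func AllowUpdateAfter(r Rule, caller string, stored Post, patch Patch) bool {
	return r(caller, apply(stored, patch))
}

// Authorize requires both: the caller may touch the node and may leave it in the new state.
func Authorize(r Rule, caller string, stored Post, patch Patch) bool {
	return AllowUpdate(r, caller, stored) && AllowUpdateAfter(r, caller, stored, patch)
}

func main() {
	stored := Post{Owner: "alice", Title: "draft"} // constructed sample data
	bob, title := "bob", "final"
	for _, p := range []Patch{{Title: &title}, {Owner: &bob}} {
		fmt.Println(AllowUpdate(ownerOnly, "alice", stored), Authorize(ownerOnly, "alice", stored, p))
	}
}
```

The second patch passes the pre-state check but fails the combined one, because the resulting node is one the same rule would reject on add. The post-state check alone is not enough either, which is why the model requires both.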