Allow users to only see themselves (@auth)

Hello,
Say I have the following schema:

type User
  @auth(
    query: {
      rule: """
      query ($USER: ID!) {
        queryUser(filter: {id: [$USER]}) {
          id
        }
      }
      """
    }
  ) {
  id: ID!
  name: String!
}

# Dgraph.Authorization {...}

I would assume that this would allow users to only see their own user nodes. However when I run:

{
  queryUser {
    id
    name
  }
}

I get back all the users in my system. Am I doing something wrong here? I’m new to Dgraph’s auth system so I could have just missed something.

Thanks

What version of Dgraph are you running? This may be related to this fix in the recent 21.03.0 release.

  • Fix(GraphQL): Fix @auth rules evaluation in case of null variables in custom claims. (#7380)

I’m using Slash GraphQL, so v20.11.2.
I don’t think it’s because of a null variable in my custom claims though, as that same user variable works elsewhere.

I had the exact same problem. The weird thing is: if i encode the username in the token instead of the id and use that in the auth query, it works.

Once 21.03 is released, I would be curious to see if the problem exists. Should be before May 1st.

J

Hi @alaister, I have reproduced this locally. Accepting this as a bug. Will try to prioritize this bug fix.

3 Likes

This issue has been fixed in the master. See this PR for more details.

1 Like

Thanks! Any idea when this will be in Slash GraphQL?