Allow users to only see themselves (@auth)

Hello,
Say I have the following schema:

type User
  @auth(
    query: {
      rule: """
      query ($USER: ID!) {
        queryUser(filter: {id: [$USER]}) {
          id
        }
      }
      """
    }
  ) {
  id: ID!
  name: String!
}

# Dgraph.Authorization {...}

I would assume that this would allow users to only see their own user nodes. However when I run:

{
  queryUser {
    id
    name
  }
}

I get back all the users in my system. Am I doing something wrong here? I’m new to Dgraph’s auth system so I could have just missed something.

Thanks

What version of Dgraph are you running? This may be related to this fix in the recent 21.03.0 release.

  • Fix(GraphQL): Fix @auth rules evaluation in case of null variables in custom claims. (#7380)

I’m using Slash GraphQL, so v20.11.2.
I don’t think it’s because of a null variable in my custom claims though, as that same user variable works elsewhere.

I had the exact same problem. The weird thing is: if i encode the username in the token instead of the id and use that in the auth query, it works.

Once 21.03 is released, I would be curious to see if the problem exists. Should be before May 1st.

J

Hi @alaister, I have reproduced this locally. Accepting this as a bug. Will try to prioritize this bug fix.

This issue has been fixed in the master. See this PR for more details.

Thanks! Any idea when this will be in Slash GraphQL?

Update, I just tested this and it seems like this fix isn’t available in the v21.03 release, or am I wrong? Is there a way around this? IMO this is a serious security issue… authorizing to see only your account should be the default expected behaviour, or not?

@minhaj This does not seem to be fixed. I’m using v21.03. When I add this as a rule, it grants access to any User.