[Alpha] Problems with --auth_token

Report a Dgraph Bug

What version of Dgraph are you using?

Docker - dgraph/dgraph:latest

Have you tried reproducing the issue with the latest release?

Yes

What is the hardware spec (RAM, OS)?

W10, docker for windows, 32gb RAM, i7-9700k

Steps to reproduce the issue (command/config used to run Dgraph).

version: "3.2"
services:
  zero:
    image: dgraph/dgraph:latest
    volumes:
      - ./src/dgraph:/dgraph
    ports:
      - 5080:5080
      - 6080:6080
    restart: on-failure
    command: dgraph zero --my=zero:5080
  alpha:
    image: dgraph/dgraph:latest
    volumes:
      - ./src/dgraph:/dgraph
    ports:
      - 8080:8080
      - 9080:9080
    restart: on-failure
    command: dgraph alpha --auth_token=123 --my=alpha:7080 --zero=zero:5080 --whitelist 192.168.10.0/29

Expected behaviour and actual result.

POST → localhost:8080/admin/schema

Header:

X-Dgraph-AuthToken: 123

Data-binary:

// /dgraph/schemas/schema.graphql

type User {
  id: ID!
  username: String!
}

Expected Return:

{
  "data": {
    "code": "Success",
    "message": "Done"
  }
}

Actual Return:

{
  "errors": [
    {
      "message": "resolving updateGQLSchema failed because No Auth Token found. Token needed for Admin operations. (Locations: [{Line: 3, Column: 4}])",
      "extensions": {
        "code": "Error"
      }
    }
  ]
}

When using the wrong token header, it returns the expected answer: [X-Dgraph-AuthToken: 1234]

{
  "errors": [
    {
      "message": "Invalid X-Dgraph-AuthToken",
      "extensions": {
        "code": "ErrorUnauthorized"
      }
    }
  ]
}

When posting to localhost:8080/alter it works as expected: Header: [X-Dgraph-AuthToken: 123]

{
  "drop_all":true
}

Response:

{
  "data": {
    "code": "Success",
    "message": "Done"
  }
}

As far as I know, Poor man’s Auth just covers DQL admin endpoints. We have tickets to cover more endpoints like GraphQL Admin. The ideal for now is to not expose your Dgraph instance. Actually, it should never be exposed; you should put it behind a firewall or reverse proxy and use GraphQL or create an API.
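
One way to build the reverse-proxy gate suggested above, as an added example that is not Dgraph's code and not from the original posts: a small Go proxy that requires the X-Dgraph-AuthToken header on /admin and /alter before anything is forwarded to Alpha. The `Gate` helper, the `ALPHA_URL` and `GATE_TOKEN` environment variables and the listen port 8081 are assumptions, and it presumes Alpha's own ports are reachable only from the proxy.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"path"
	"strings"
)

// adminPrefixes: paths treated as administrative. /admin and /alter are the
// endpoints named in the thread; the list is an assumption to adapt.
var adminPrefixes = []string{"/admin", "/alter"}

// Gate (hypothetical helper) rejects admin requests that lack the expected
// X-Dgraph-AuthToken before they reach Alpha; other paths pass through.
func Gate(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		clean := path.Clean("/" + r.URL.Path) // collapse "//" and ".." segments
		for _, p := range adminPrefixes {
			if clean != p && !strings.HasPrefix(clean, p+"/") {
				continue
			}
			got := r.Header.Get("X-Dgraph-AuthToken")
			// An empty configured token must never authorize anything.
			if token == "" || subtle.ConstantTimeCompare([]byte(got), []byte(token)) != 1 {
				http.Error(w, "admin token required", http.StatusUnauthorized)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed environment: ALPHA_URL (e.g. http://alpha:8080) and GATE_TOKEN.
	upstream, err := url.Parse(os.Getenv("ALPHA_URL"))
	if err != nil || upstream.Host == "" {
		log.Fatal("ALPHA_URL must be an absolute URL")
	}
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	log.Fatal(http.ListenAndServe(":8081", Gate(os.Getenv("GATE_TOKEN"), proxy)))
}
```

In the compose file from the report, this would go together with removing the published 8080 and 9080 ports from the alpha service, so that only the gate is reachable from outside the Docker network.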

Thanks for the quick response.

Hey @FellipeFreire

Could you check and share the version of Dgraph that you are using?