@auth, cors, securing alter operations, and request headers

Expected behaviour and actual result.

I expect the server to return all allow-headers needed for the various types of auth and auth tokens that are supported.

The current list does not include X-Dgraph-AuthToken which is referenced here in the securing alter operations section.

This is what Chrome shows in the network pane:

access-control-allow-headers: X-Dgraph-AccessToken, Content-Type, 
Content-Length, Accept-Encoding, Cache-Control, 
X-CSRF-Token, X-Auth-Token, X-Requested-With

This means I can succeed in sending the auth token using the dgraph-js-http client on node.js (because there are no preflight checks), but the browser rejects the request if I use the designated function in dgraph-js-http:

newClientStub.setAlphaAuthToken("<someSortofR4ndomKey-F00D1ddlyDee>")

with the following error:
Access to fetch at 'https://my.dghttp.url/query?timeout=600s' from origin 'http://localhost:8080' has been blocked by CORS policy: Request header field x-dgraph-authtoken is not allowed by Access-Control-Allow-Headers in preflight response.

I was able to use the dgraph-js-http client from node successfully to do a DQL alter operation.

Now when I try to set up a GraphQL schema using curl I get strange results:

><> curl  --data-binary '@schema.graphql' -X POST 'https://my.dghttp.url/admin/schema'
{"errors":[{"message":"Invalid X-Dgraph-AuthToken","extensions":{"code":"ErrorUnauthorized"}}]}⏎

><> curl -H 'X-Dgraph-AuthToken: totallywrongkey' --data-binary '@schema.graphql' -X POST 'https://my.dghttp.url/admin/schema'
{"errors":[{"message":"Invalid X-Dgraph-AuthToken","extensions":{"code":"ErrorUnauthorized"}}]}⏎

><> curl -H 'X-Dgraph-AuthToken: <correctKey>' --data-binary '@schema.graphql' -X POST 'https://my.dghttp.url/admin/schema'
{"errors":[{"message":"resolving updateGQLSchema failed because No Auth Token found. Token needed for Alter operations. (Locations: [{Line: 3, Column: 4}])","extensions":{"code":"Error"}}]}⏎

When sending the totally wrong key and no key at all I get the same ErrorUnauthorized (so far, so good)… When sending the correct key I get the third error, which is different, so it indicates that it got to a different section of internal code, but it is still not allowing the alter operation…

For the first part I suggest adding the X-Dgraph-AuthToken to the server's allowed headers (although I’ve never written a line of Go in my life, I guess it is somewhere around here).

For the second part, I am open to suggestions; maybe it’s the simple need for an additional header or some sort of quote escaping…?

@chewxy, @gja, @pawan, @amaster507 as you have all responded to some of my other related requests, I’m wondering if you have ideas here…

Is the first half correct that this should be added to the allowed headers?

Is the second half actually a bug? It seems that setting the GraphQL schema is impossible if “secure altering” is set up. Can anyone confirm or disprove that?
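The preflight rejection described in the first post can be reproduced offline by checking a request's headers against the server's Access-Control-Allow-Headers value. This is an added example, not code from the thread or from Dgraph; the function names and the sample request are constructed, and the check approximates the browser's rules rather than implementing the full Fetch specification.

```javascript
// Approximates the browser's CORS preflight check on request headers.
// blockedHeaders/parseAllowHeaders are hypothetical names for this example.

// Headers the Fetch spec safelists (no Access-Control-Allow-Headers entry needed).
const SAFELISTED = new Set(["accept", "accept-language", "content-language"]);
// Content-Type is safelisted only for these media types.
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

function parseAllowHeaders(value) {
  return new Set(
    value.split(",").map((h) => h.trim().toLowerCase()).filter(Boolean)
  );
}

// Returns the lowercased request header names the preflight would reject.
function blockedHeaders(requestHeaders, allowHeadersValue, { credentials = false } = {}) {
  const allowed = parseAllowHeaders(allowHeadersValue);
  // "*" is a wildcard only for requests sent without credentials.
  const wildcard = allowed.has("*") && !credentials;
  const blocked = [];
  for (const [name, value] of Object.entries(requestHeaders)) {
    const n = name.toLowerCase(); // header names compare case-insensitively
    if (allowed.has(n) || SAFELISTED.has(n)) continue;
    if (n === "content-type" &&
        SIMPLE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase())) continue;
    // The wildcard never covers Authorization; it must be listed by name.
    if (wildcard && n !== "authorization") continue;
    blocked.push(n);
  }
  return blocked;
}

// Value copied from the Chrome network pane quoted in the first post.
const SERVER_ALLOW = "X-Dgraph-AccessToken, Content-Type, Content-Length, " +
  "Accept-Encoding, Cache-Control, X-CSRF-Token, X-Auth-Token, X-Requested-With";

// Constructed request: a JSON body plus both token headers (placeholder values).
const request = {
  "Content-Type": "application/json",
  "X-Dgraph-AccessToken": "<access-jwt>",
  "X-Dgraph-AuthToken": "<alpha-auth-token>",
};

console.log(blockedHeaders(request, SERVER_ALLOW));
console.log(blockedHeaders(request, SERVER_ALLOW + ", X-Dgraph-AuthToken"));
```

Running the same check against the live preflight response for each endpoint shows whether they return different allow-lists.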

I can look more in detail later this evening.

My first question is what endpoint returned those header options? I would suspect that the different endpoints would return different headers.

This is also probably related to the question about what content types to use where. I think it was from the same OP author…

I can probably help to clear up much of the confusion but I need more time to do that than what I have ATM.


Could be, but the second half is actually more troubling for me at this point and has nothing to do with headers.

Is there anyone who can set up dgraph with “secure altering” (requiring an X-Dgraph-AuthToken header), and manage to successfully set a GraphQL schema via admin/schema?

@abhimanyusinghgaur will confirm but I think the second is a bug that he has already fixed in master. The first also needs to be fixed it seems. Marking this ticket as accepted.

The second one is still a bug in master, and will be fixed in a couple of days. Linking the original bug report for the second issue here: ACL login will fail if auth_token enabled in v20.07.0 (One may feel they are not the same bugs, but yes, they are the same).


Both the bugs above have now been fixed in master and would be part of the 20.11.1 release.