@auth directive status and security

Hi!

I wanted to follow up and check in on the status of the full @auth directive support on all GraphQL types - has this feature made it into the official release branches yet? Last I heard, there were tentative plans for it to be more fully available by the end of this month.

Also, as a related question, since I’ll be using Dgraph as the entirety of the backend, how secure will the database be? Given resources like @auth and @custom will be available, how much, if any, additional “wrapping” will be needed say by a Golang server with middleware? Ideally, if I could just strip it all out and rely on Auth0 to sync with the Dgraph directives, that’d be amazing. I’m planning on having both a “frontend”, providing a UI, and “internal”, for more programmatic features and responding to GraphQL subscriptions, app point at Dgraph (the “backend”).

Best,
John

1 Like

Hey @forstmeier

@auth directive has pretty comprehensive support now. We have a bunch of examples for it on the docs site at https://graphql.dgraph.io/authorization/. The support is already in master and would be part of the 20.07.0 release that goes out next month.

That’s exactly why we built these features. So that you shouldn’t have to wrap Dgraph behind another Golang server. Let us know if something doesn’t work for you and if you end up having to use a proxy server. We’ll look into it and see if we can make the interaction smoother for you.

1 Like

Hi @pawan!

Thanks for the quick update! I’ll download the most recent version and see if I can start playing with it then. I’ll also strip out the “backend” code I currently have in place to see if it is comprehensive enough for what I’m looking for (it’ll be connecting to Auth0 and I’ve seen examples of this floating around in both your and their documentation).

Best,
John

1 Like

P.S. If I’m including a series of filters via the @auth directive (e.g. authentication, authorization, and multi-tenancy), how can I filter for the latter based on an org ID (which in this case is the scalar ID)? I’m trying to use this:

		{ rule: """query($orgID: ID!) {
			queryConsent {
				owner( filter: { id: { eq: $orgID } } ) {
					id
				}
			}
		}"""},

to provide multi-tenancy around the Consent type document, but Dgraph is throwing an error indicating, from what I can tell, that eq is incompatible with the ID type. E.g. @auth: failed to validate GraphQL rule [reason : Value provided {eq:$orgID} is incompatible with expected type [ID!]]. I dug through the documentation but couldn’t find an answer - did I miss something?

If you look at your graphql schema it is probably:

filter: { id: [$orgID] }
1 Like
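
The rule from the question with the reply's list-style ID filter applied, shown in the context of a full type. This is an added example, not schema from the thread or from the Dgraph docs: the `Org` type, its `name` field and the shape of `Consent` are assumptions, and only `queryConsent`, `owner`, `id` and `$orgID` come from the posts above.

```graphql
# Assumed tenant type; the thread only shows that `owner` has an `id: ID!`.
type Org {
  id: ID!
  name: String!
}

# $orgID is taken from the claims of the verified JWT, never from client input.
# The ID filter takes a list of IDs ([$orgID]), not an { eq: ... } object.
# Each operation takes its own rule, so the tenant check is repeated for
# update and delete instead of being applied to query alone.
type Consent @auth(
  query: { rule: """
    query($orgID: ID!) {
      queryConsent {
        owner(filter: { id: [$orgID] }) {
          id
        }
      }
    }""" },
  update: { rule: """
    query($orgID: ID!) {
      queryConsent {
        owner(filter: { id: [$orgID] }) {
          id
        }
      }
    }""" },
  delete: { rule: """
    query($orgID: ID!) {
      queryConsent {
        owner(filter: { id: [$orgID] }) {
          id
        }
      }
    }""" }
) {
  id: ID!
  owner: Org!
}
```

A quick check after loading the schema is to run `queryConsent` with tokens for two different orgs and confirm that each token only returns its own org's documents.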