After more thinking, I am considering a strategy like this:

My backend component:
- gets a valid OAuth token for a user
- creates a JWE that includes claims:
  {
    ip: x.x.x.x,
    userID: ###,
    sessionID: ###
  } // this payload would be signed and encrypted with a key
    // that only dgraph and the backend know
- the backend needs to update the user->sessionID edge with a facet for the (ip=x.x.x.x)
- this JWE can be stored by the client and used to authenticate queries and mutations via dgraph-js-http, and the @auth rules need to do the sessionID and ip matching

In order for all this to work, Dgraph @auth would need to be able to handle decrypting the JWE payload.