Auth Rule Not Working, Returning All My Users When Trying To Just Get Only One

Can somebody please explain to me why this schema is returning all the users in my graph for me…

My Schema:

type User @auth(
  query: {
    rule: "query($USER_ID: ID!){queryUser(filter:{id:[$USER_ID]}){id}}"
  }
)
{
  id: ID!
  username: String! @id
}

# Dgraph.Authorization {"VerificationKey":"<verification-key-here>","Header":"X-My-App-Auth","Namespace":"https://my.app.io/jwt/claims","Algo":"HS256","Audience":["aud1","aud5"]}

MY JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVU0VSX0lEIjoiMHg0NWUwMGIyMzIzMTUzIiwiaWF0IjoxNjI0NzMzNDk0fQ.9LOGS29TH-vwJFHQfAmYGE-hLo71AMFJqaQlIfkRloI

JWT Payload: { USER_ID: "0x45e00b2323153" }

My Query:

query MyQuery {
  queryUser {
    id
  }
}

My Result

{
  "queryUser": [
    {
      "id": "0x457ac5c1"
    },
    {
      "id": "0x45ad653b"
    },
    {
      "id": "0x45ad65c4"
    },
    {
      "id": "0x45ad65c5"
    },
    {
      "id": "0x45ad65c6"
    },
    {
      "id": "0x45ad65c7"
    },
    {
      "id": "0x45ad65c8"
    },
    {
      "id": "0x45ad65c9"
    },
    {
      "id": "0x45ad65ca"
    },
    {
      "id": "0x45ad65cb"
    },
    {
      "id": "0x45ad65cc"
    },
    {
      "id": "0x45ad65cd"
    },
    {
      "id": "0x45ad65ce"
    },
    {
      "id": "0x45ad65cf"
    }]
}

I was hoping to only have access to myself as the user >_> Why is everyone else showing up? Please help!!

1 Like
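Added example (Python; not code from the thread or from Dgraph): a local check of what the posted token actually carries, namely where the USER_ID claim sits relative to the Namespace and Audience from the Dgraph.Authorization line, plus HS256 signing and verification with a constructed secret, since the poster's VerificationKey is not on the page. It only inspects the token; which claim location a given Dgraph version reads is the question the thread is debating.

```python
import base64
import hashlib
import hmac
import json

# Values taken from the Dgraph.Authorization line in the post.
NAMESPACE = "https://my.app.io/jwt/claims"
AUDIENCE = ["aud1", "aud5"]
# The token quoted in the post ("MY JWT"); its signing key is not on the page.
POSTED_JWT = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJVU0VSX0lEIjoiMHg0NWUwMGIyMzIzMTUzIiwiaWF0IjoxNjI0NzMzNDk0fQ."
              "9LOGS29TH-vwJFHQfAmYGE-hLo71AMFJqaQlIfkRloI")
# Constructed secret for the signing example; not the poster's VerificationKey.
TEST_SECRET = b"constructed-test-secret"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_payload(token: str) -> dict:
    """Read the payload only; no signature check, so use for inspection, not trust."""
    return json.loads(b64url_decode(token.split(".")[1]))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT from a payload dict."""
    head = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> bool:
    """Constant-time HMAC check of the signature over header.payload."""
    head, body, sig = token.split(".")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def claim_locations(payload: dict, namespace: str, name: str) -> dict:
    """Where a rule variable's claim sits: top level, under the namespace, or neither."""
    ns = payload.get(namespace)
    return {"top_level": name in payload, "namespaced": isinstance(ns, dict) and name in ns}


def audience_matches(payload: dict, allowed: list) -> bool:
    """True only if the token carries an aud claim that intersects the allowed list."""
    aud = payload.get("aud")
    return any(a in allowed for a in ([aud] if isinstance(aud, str) else (aud or [])))
```

Running `claim_locations(decode_payload(POSTED_JWT), NAMESPACE, "USER_ID")` on the quoted token reports the claim at top level only, with no object under the namespace and no aud claim at all.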

Are you using 21.03? If not the namespace has to be in https://my.app.io/jwt/claims.

J

I’m using v21.03.0-56-gc900f96b3

Do I have to have Namespace? Can I just omit it? I just want to be able to get myself as the User, or am I designing or thinking about this completely wrong?

If you have 21.03, then standard claims should work fine.

I can’t see anything wrong with it, hopefully someone else has an idea!

J

Does filtering by ID like that work for you just fine? Maybe something underneath, like my actual Dgraph instance might be messed up…

Did you ever get this working? Very curious, as I can’t see anything wrong with your code, and it may be a bug…

J

Nope, never got it working. Spent over 12 hours trying to debug this thing … I’m just not using Dgraph to handle my auth lol…

I am wondering if it is something to do with the id. I tested it with @id and it works fine.

Try to use getUser (no arrays) instead of queryUser. I know it should work fine with the @id field (instead of ID) as well.

J

UPDATE: I have tested this issue on current master and it seems to be fixed there. I will continue my work on master and am looking forward to the long awaited release.

I guess you still have no idea how this happens? I now have the same issue. The weird thing is, I also created another type just to test and my auth is letting any request through that just contains the claim.

type Test @auth(query: {
    rule: """
        query ($tenant: ID!) {
            queryTest(filter: { id: [$tenant]}) {
                __typename
            }
        }""" }) {
    id: ID!
    name: String!
}

My JWT contains the following Claims:

{
  "exp": 1635237831,
  "sub": "0x271a",
  "https://my.app.com/jwt/claims": {
    "authorized": true,
    "id": "0x271a",
    "tenant": "0x271f"
  }
}

The result of the query is:

{
  "data": {
    "queryTest": [
      {
        "id": "0x275a"
      }
    ]
  },
  "extensions": {
    "touched_uids": 3
  }
}

Which clearly indicates that the auth rule should be false, as the id of the node (0x275a) is not the same as the claim (0x271f).

Am I missing something?

3 Likes

I had the same issue as well. I brought it up but nobody from the dgraph team even bothered to address the issue. I find that tends to happen here…

1 Like