Auth Rule Not Working, Returning All My Users When Trying To Just Get Only One

Issues GraphQL
1

Can somebody please explain to me why this schema is returning all the users in my graph for me…

My Schema:

type User @auth(
  query: {
		rule: "query($USER_ID: ID!){queryUser(filter:{id:[$USER_ID]}){id}}"
  }
)
{
  id: ID!
	username: String! @id
}


    
# Dgraph.Authorization {"VerificationKey":"<verification-key-here>","Header":"X-My-App-Auth","Namespace":"https://my.app.io/jwt/claims","Algo":"HS256","Audience":["aud1","aud5"]}

MY JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVU0VSX0lEIjoiMHg0NWUwMGIyMzIzMTUzIiwiaWF0IjoxNjI0NzMzNDk0fQ.9LOGS29TH-vwJFHQfAmYGE-hLo71AMFJqaQlIfkRloI

JWT Payload: { USER_ID: "0x45e00b2323153" }

My Query:

query MyQuery {
  queryUser {
    id
  }
}

My Result

{
  "queryUser": [
    {
      "id": "0x457ac5c1"
    },
    {
      "id": "0x45ad653b"
    },
    {
      "id": "0x45ad65c4"
    },
    {
      "id": "0x45ad65c5"
    },
    {
      "id": "0x45ad65c6"
    },
    {
      "id": "0x45ad65c7"
    },
    {
      "id": "0x45ad65c8"
    },
    {
      "id": "0x45ad65c9"
    },
    {
      "id": "0x45ad65ca"
    },
    {
      "id": "0x45ad65cb"
    },
    {
      "id": "0x45ad65cc"
    },
    {
      "id": "0x45ad65cd"
    },
    {
      "id": "0x45ad65ce"
    },
    {
      "id": "0x45ad65cf"
    }]
}

I was hoping to only have access to only my self as the user >_> Why is everyone else showing up. Please help!!

1 Like
2

Are you using 21.03? If not the namespace has to be in https://my.app.io/jwt/claims.

J

3

I’m using v21.03.0-56-gc900f96b3

Do I have to have Namespace? Can I just omit it, I just want to be able to be able to get myself as the User or am I designing or thinking about this completely wrong?

4

If you have 21.03, then standard claims should work fine.

I can’t see anything wrong with it, hopefully someone else has an idea!

J

5

Does filtering by ID like that work for you just fine? Maybe something underneath, like my actual Dgraph instance might be messed up…

6

Did you ever get this working? Very curious, as I can’t seem anything wrong with your code, and it may be a bug…

J

7

Nope, never got it working. Spent around over 12 hours trying to debug this thing … I’m just not using Dgraph to handle my auth lol…

8

I am wondering if it is something to do with the id. I tested it with @id and it works fine.

Try to use getUser (no arrays) instead of queryUser. I know it should work fine with the @id field (instead of ID) as well.

J

9

UPDATE: I have tested this issue on current master and it seems to be fixed there. I will continue my work on master and am looking forward to the long awaited release.

I guess you still have no idea how this happens? I now have the same issue. The weird thing is, I also created another type just to test and my auth is letting any request through that just contains the claim.

type Test @auth(query: {
    rule: """
        query ($tenant: ID!) {
            queryTest(filter: { id: [$tenant]}) {
                __typename
            }
        }""" }) {
    id: ID!
    name: String!
}

My JWT contains the following Claims:

{
  "exp": 1635237831,
  "sub": "0x271a",
  "https://my.app.com/jwt/claims": {
    "authorized": true,
    "id": "0x271a",
    "tenant": "0x271f"
  }
}

The result of the query is:

{
  "data": {
    "queryTest": [
      {
        "id": "0x275a"
      }
    ]
  },
  "extensions": {
    "touched_uids": 3
  }
}

Which clearly indicates that the auth rule should be false, as the id of the node (0x275a) is not the same as the claim (0x271f).

Am I missing something?

3 Likes
10

I had the same issue as well. I brought it up but nobody from the dgraph team even bothered to address the issue. I find that tends to happen here…

1 Like