Auth using Facets

Hi!

I’m currently struggling with designing an authorization model for my schema.
I want to use GraphQL as much as possible and therefore rely on the @auth directive.

The nice thing about graph databases is their edges and the attributes on those edges. In my case I would like to assign users to businesses with a certain role. The role should be on the edge between the business and user nodes:

type User {
    id: ID!
}

type Business {
    id: ID!
    users: [User] @facet(role: String!)
    businessInfo: BusinessInfo!
}

type BusinessInfo @auth(update: { rule: "{ $USER role for business is admin}" }) {
    id: ID!
    business: Business! @hasInverse(field: "businessInfo")
    someInfo: String
}

I know this is not a valid schema, it’s just for representation of my issue.
I feel like this would be the ideal way to assign users to businesses and implicitly their role.
Is there any way to use facets for authorization on GraphQL?

The only alternative I think could work is to split the users by their roles, but then again, we can also just forget about many use cases for facets in the graph.
Example:

type User {
    id: ID!
}

type Business {
    id: ID!
    admins: [User]
    moderators: [User]
    businessInfo: BusinessInfo!
}

type BusinessInfo @auth(update: { rule: """{ $ROLE in business.admins}""" }) {
    id: ID!
    business: Business! @hasInverse(field: "businessInfo")
    someInfo: String
}

Or do it the relational db way:

type User {
    id: ID!
}

type BusinessUser {
    id: ID!
    user: User!
    business: Business!
    role: String!
}

type Business {
    id: ID!
    businessUsers: [BusinessUser]
    businessInfo: BusinessInfo!
}

type BusinessInfo @auth(update: { rule: """{ $ROLE is role AND $USER is user for business}""" }) {
    id: ID!
    business: Business! @hasInverse(field: "businessInfo")
    someInfo: String
}

I know this is not a valid schema, it’s just for representation of my issue.

Another way to solve this would be to support DQL inside @auth or allow auth using some kind of @lambdaAuth. I’m not fond of the idea to write all my queries using @lambda.

Overall I’m slowly rejecting the idea of using Dgraph directly from the frontend, although I would love to.

I’m still new to graph databases, so correct me if my overall approach is wrong.


Don’t be afraid of adding depth to the graph.

Thank you for your response.
So you think mapping this relation like with relational databases is the way to go? Basically having a Relation Node? I guess for now that’s alright.

I’ve also come to realize that I made it seem like a very complicated issue, but it would be very simple once this feature request is implemented. I think overall making facets accessible from GraphQL is important. At best we could reference nodes over these facets.

Additionally I still think lambdas for authorization only would be nice. With all the authorization rules inside the schema, it becomes difficult to read. Also writing rules is prone to errors.
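The relation-node approach discussed in this thread, written as a Dgraph GraphQL schema whose @auth rule traverses the added depth. This is an added example, not code from the posts above. It assumes a `username` field marked @id on User, a `USER` claim in the JWT, the role value "admin", and placeholder values in the Dgraph.Authorization line.

```graphql
type User {
    username: String! @id                      # assumed identifier, matched against the JWT claim
    memberships: [BusinessUser] @hasInverse(field: "user")
}

# Relation node that carries the role a facet would otherwise hold.
type BusinessUser {
    id: ID!
    user: User!
    business: Business!
    role: String! @search(by: [hash])          # searchable so the rule can filter on it
}

type Business {
    id: ID!
    businessUsers: [BusinessUser] @hasInverse(field: "business")
    businessInfo: BusinessInfo! @hasInverse(field: "business")
}

# Update is allowed only when the rule query returns this BusinessInfo, i.e. its
# business has a BusinessUser with role "admin" whose user is the caller.
type BusinessInfo @auth(
    update: { rule: """
        query ($USER: String!) {
            queryBusinessInfo {
                business {
                    businessUsers(filter: { role: { eq: "admin" } }) {
                        user(filter: { username: { eq: $USER } }) {
                            username
                        }
                    }
                }
            }
        }"""
    }
) {
    id: ID!
    business: Business!
    someInfo: String
}

# Placeholder key, header and namespace; replace with the deployment's own values.
# Dgraph.Authorization {"VerificationKey":"<placeholder-key>","Header":"X-Auth-Token","Namespace":"https://example.com/jwt/claims","Algo":"HS256"}
```

BusinessUser needs its own add, update and delete rules as well; without them any caller could create a membership that gives their own user the admin role.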