In GraphQL, the JWT authorization is available to authorize queries and mutations. Is there a similar auth feature in DQL? If our endpoint is exposed to the public web without ACL, can anyone who comes across the domain actually query or mutate the data with DQL?
Yes, dgraph endpoints are accessible by default without ACL. If you would like to lock these down to require an API key:
- You could put a proxy in front of your dgraph instance and set it up to prevent access without some header
- You can use Slash GraphQL, which allows you to spin up a secured, hosted instance of Dgraph, and set up API keys for access
In case you want to disable the DQL query interface altogether (to rely only on GraphQL @auth rules), you can do this with a rather simple traefik config in docker-compose:

    traefik.disabled.frontend.rule: Host:your.dgraph.url;PathStrip:/query
    traefik.disabled.port: 666 # a port destined for failure
    traefik.dghttp.frontend.rule: Host:your.dgraph.url
    traefik.dghttp.port: 8080 # the internal port to be exposed on https://your.dgraph.url
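Both answers above come down to the same thing: the Dgraph Alpha HTTP port (8080 by default) has no authentication of its own, so something in front of it has to either refuse the DQL endpoints or demand a header before forwarding. The following is an added example, not code from either poster or from the Dgraph project, of a small reverse proxy that implements both variants: with `DisableDQL` set it refuses `/query`, `/mutate`, `/alter` and `/commit` outright (the traefik "port 666" idea), otherwise it requires an `X-API-Key` header that matches a configured secret. The `Policy` type, the header name and the `:9080` listen port are this example's own assumptions; `/graphql` is deliberately left open so the schema's `@auth` rules keep governing it.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// DQL-bearing endpoints of the Dgraph Alpha HTTP API. /graphql is
// intentionally absent: it stays reachable and is governed by @auth rules.
var dqlPaths = []string{"/query", "/mutate", "/alter", "/commit"}

// isDQLPath reports whether a request path hits a DQL or schema endpoint.
func isDQLPath(p string) bool {
	for _, d := range dqlPaths {
		if p == d || strings.HasPrefix(p, d+"/") {
			return true
		}
	}
	return false
}

// Policy is this example's (hypothetical) gate configuration.
type Policy struct {
	DisableDQL bool   // true: refuse DQL paths entirely, like the traefik trick above
	APIKey     string // otherwise: the value X-API-Key must carry on DQL paths
}

// Decide returns the status the gate answers with before any proxying;
// http.StatusOK means "forward the request to Dgraph".
func (p Policy) Decide(path, presentedKey string) int {
	if !isDQLPath(path) {
		return http.StatusOK
	}
	if p.DisableDQL {
		return http.StatusNotFound
	}
	if p.APIKey == "" {
		// Fail closed: an empty key would otherwise leave DQL wide open.
		return http.StatusServiceUnavailable
	}
	// Constant-time compare so the check does not leak the key byte by byte.
	if subtle.ConstantTimeCompare([]byte(presentedKey), []byte(p.APIKey)) != 1 {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

// NewGateway wraps a reverse proxy to the Dgraph Alpha with the policy check.
func NewGateway(p Policy, upstream *url.URL) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if status := p.Decide(r.URL.Path, r.Header.Get("X-API-Key")); status != http.StatusOK {
			http.Error(w, http.StatusText(status), status)
			return
		}
		// The secret is for the gate only; do not forward it to Dgraph.
		r.Header.Del("X-API-Key")
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	upstream, err := url.Parse("http://localhost:8080") // Dgraph Alpha (assumed address)
	if err != nil {
		log.Fatal(err)
	}
	policy := Policy{APIKey: "replace-me-with-a-long-random-secret"}
	log.Fatal(http.ListenAndServe(":9080", NewGateway(policy, upstream)))
}
```

Expose only the gateway's port to the internet and keep 8080 bound to the container network; if the Alpha port itself stays reachable, the check is bypassed regardless of what the proxy does.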