Authorization setup not preventing access (at least locally)

jchaselubitz · January 23, 2022, 9:01pm

I have spent the day trying to get Authorization to work in my local Dgraph instance, but have been unable to block access to the server in the first place.

I have a user node with a rule that should prevent queries from going through

type User @auth(
		query: { rule: "{ $NeverHere: { eq: \"anything\" } }" }
) {

and I have added the Dgraph.Authorization note at the bottom of my schema:

# Dgraph.Authorization {"VerificationKey":"<AUTH0-APP-PUBLIC-KEY>","Header":"X-Auth-Token","Namespace":"https://dgraph.io/jwt/claims","Algo":"RS256","Audience":["<AUTH0-APP-CLIENT-ID>"]}

Based on the docs and the tutorials, my code described above should be preventing me from querying users, but that is not the case, I can query them without trouble.

What else do I need to do for authorization to “take effect”?

amaster507 · January 23, 2022, 9:41pm

What does your query look like? Are you running GraphQL queries or DQL?

jchaselubitz · January 23, 2022, 9:42pm

GraphQL. Here is the whole Query:

type User @auth(
		query: { rule: "{ $NeverHere: { eq: \"anything\" } }" }
) {
	id: ID! 
	email: String
	emailAddresses: [EmailAddress!] @hasInverse(field:user)
	displayName: String @search(by: [term])
	fullName: String
	profileImage: String 
	biography: String 
	expertise: [String] 
	interests: [String] 
	public: Boolean @search
	walletAddresses: [CryptoAddress] 
	organizations: [OrganizationUser]
	unestablishedSmartContracts: [SmartContractUnestablished] @hasInverse(field:owner)
	agreements: [AgreementSignatory] @hasInverse(field:user)
	creationDate: DateTime
}

amaster507 · January 23, 2022, 9:49pm

Okay, that is the schema, how about the query, with either getUser or queryUser or some other top level query

jchaselubitz · January 23, 2022, 9:51pm

Ah yes, sorry:

(This is abbreviated, but should clarify how I am calling it)

export const GET_USER = gql`
  ${CORE_AGREEMENT_FIELDS}
  query queryUser($userId: [ID!]) {
    queryUser(filter: { id: $userId }) {
      id
      email
      emailAddresses {
        address
        name
        description
        public
        user {
          id
        }
      }
    }
  }
`;

amaster507 · January 23, 2022, 10:04pm

All that looks correct. So what version are you using? And I will try to replicate this.

jchaselubitz · January 23, 2022, 10:08pm

Looks like its the latest / 21.12

To be clear, I have it running on localhost. I don’t know if that impacts the way it sets up the authorization settings

jchaselubitz · January 24, 2022, 12:07pm

Hey, I am still working through this, but the issue seems to be that the updated schema was not applying even though I ran the command to apply it. The yarn command I use is the following. I would have expected an error, but it just says “Done”

    "schema": "curl -X POST localhost:8080/admin/schema --data-binary '@dgraph/schema.graphql'",

Apparently I had a bug in the schema that I wasn’t noticing because I didn’t get any indication that publishing had failed

dtrckd · January 25, 2022, 10:17am

Did you try to increase the verbosity level and set the graphql debug mode of the alpha ?
It could help to have hints when you push your schema and query the data.

see ./dgraph alpha --help