Basic auth lockdown

I want to lock down update, delete, create to only a single authorized user (an automated script that populates and updates data and maintains game state).

I was looking at some examples and I found this:

@auth(
    add: { rule:  "{$ROLE: { eq: \"ADMIN\" } }" },
    update: { rule:  "{$ROLE: { eq: \"ADMIN\" } }" },
    delete: { rule:  "{$ROLE: { eq: \"ADMIN\" } }" },
)

Does this lock it down to a custom attribute “ROLE”, or is it the generated ADMIN API keys from the security tab?

I basically want to allow anyone to query anything from the API (there is only one type, it’s fairly simple) but all updates are locked down to only the core application to manage.

Also, if you do lock it down to an API key, is there any example of how to use these keys from the API explorer?

Dgraph uses a JWK URL or JWT to authenticate users. You may find more details about auth over here.
You may read more about JWT over here.

In the example of @auth which you have provided, the ROLE provided from the JWT or JWK URL will be considered to authenticate the user.

To lock down the updates to the core application, you may need to provide a signed JWT token with ROLE set to ADMIN to the core application.

Do let us know if you have any more queries / questions.
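
As an added example (not from the thread and not Dgraph's own code), this sketch mints the kind of signed JWT the answer describes, with ROLE set to ADMIN, and mirrors the signature and expiry check that makes the claim trustworthy. The secret, the claims namespace and the HS256 algorithm are assumptions and must match what the schema's Dgraph.Authorization line configures.

```python
import base64, hashlib, hmac, json, time

# Assumed values (not from the thread): they must match the schema's
# "# Dgraph.Authorization {...}" line (VerificationKey, Namespace, Algo).
SECRET = b"constructed-demo-secret-change-me"
NAMESPACE = "https://example.com/jwt/claims"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()


def mint_token(role, ttl=300, now=None):
    """Build a short-lived HS256 JWT whose namespaced claim carries ROLE."""
    now = int(time.time()) if now is None else now
    parts = ({"alg": "HS256", "typ": "JWT"},
             {"exp": now + ttl, NAMESPACE: {"ROLE": role}})
    signing_input = ".".join(
        _b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    return signing_input + "." + _b64url(_sign(signing_input))


def role_from_token(token, now=None):
    """Return ROLE only if algorithm, signature and expiry all check out."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64url_decode(head)).get("alg") != "HS256":
            return None  # unexpected algorithm in the header
        if not hmac.compare_digest(_sign(f"{head}.{body}"), _b64url_decode(sig)):
            return None  # payload or signature was altered
        payload = json.loads(_b64url_decode(body))
        if payload.get("exp", 0) <= now:
            return None  # token has expired
        return payload.get(NAMESPACE, {}).get("ROLE")
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token


if __name__ == "__main__":
    print(mint_token("ADMIN"))  # only the core application should hold SECRET
```

The token is sent in the request header named by the `Header` field of the Dgraph.Authorization configuration, which is also where an API explorer would need it set for mutations.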