[Bug] @auth on interface does not respect or-rules

Steps to reproduce:

Schema:

interface Ownable
  @auth(
    query: {
      or: [
        { rule: "{$ROLE: { eq: \"ADMIN\" }}" }
        {
          rule: "query($USERNAME: String!) { queryOwnable(filter: { username: {eq: $USERNAME }}) { username }}"
        }
      ]
    }
  ) {
  username: String! @search(by: [hash])
}

type Foo implements Ownable {
  value: Int!
}

# Dgraph.Authorization {"VerificationKey":"totallysecret","Header":"Auth","Namespace":"lol","Algo":"HS256"}

Admin-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2wiOnsiUk9MRSI6IkFETUlOIiwiVVNFUk5BTUUiOiJhZG1pbiJ9LCJpYXQiOjE1MTYyMzkwMjJ9.9KgpRXR-OhOBiw7Ay-VTqhitIjtHKW_Fj6cmjIO3dAo

User-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2wiOnsiUk9MRSI6IlVTRVIiLCJVU0VSTkFNRSI6InVzZXIifSwiaWF0IjoxNTE2MjM5MDIyfQ._3dQECNABiKoE3lptCDaw5xCKMTxSeewak1Mzc2wUCE

1. Create Foo

mutation {
  addFoo(input: {
    username: "user"
    value: 1
  }) {
    foo {
      value
    }
  }
}

2. Set User-Token and queryOwnable

query {
  queryOwnable {
    username
  }
}

–> you see the requested data

3. Set Admin-Token and queryOwnable

–> List is empty

Expected behaviour

I expect that the or-rule is used also on the interface for auth-checking and that the result is not empty when using the admin-token.

When using queryFoo instead, results are as expected!

Current workaround

When omitting USERNAME from the JWT, it’s working.

Admin-Token-Without-USERNAME:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2wiOnsiUk9MRSI6IkFETUlOIn0sImlhdCI6MTUxNjIzOTAyMn0.DMVfg1723D85RoHfpN8YG2F4U_Gd-M7IjyrzdM0zjE4

Hi! Did you manage to reproduce this?

I have the same behavior using the delete-mutation.

Hey @maaft, Thanks for reporting the issue. I have reproduced it locally and will try to come up with the fix soon.

1 Like

This bug is fixed in the master. See this PR

1 Like

Awesome - that was! Thank you !