Bug: Cannot limit number of results using auth directive to prevent malicious queries

We are trying to prevent users from requesting too many documents by setting a big number in first argument.

What edition and version of Dgraph are you using?

v21.03.1

Have you tried reproducing the issue with the latest release?

Yes, the bug can be reproduced in Dgraph Cloud too.

Steps to reproduce the issue (paste the query/schema if possible)

Try this schema:

type Todo
  @auth(
    query: {
      rule: """
      query {
          queryTodo(first: 2) {
              id
          }
      }
      """
    }
  ) {
  id: ID!
  text: String! @search(by: [term])
  owner: String! @search(by: [hash])
}

And after that add more than 2 Todo.
After running this query: query { queryTodo { id } }
The result is :

 "queryTodo": [
      {
        "id": "0x4c6cd2ed"
      },
      {
        "id": "0x4c6cd2ee"
      },
      {
        "id": "0x4c6cd2ef"
      },
      {
        "id": "0x4c6cd2f0"
      }
    ]

Expected behavior and actual result.

As we have used first: 2 in auth directive we expect only 2 results:

   "queryTodo": [
      {
        "id": "0x4c6cd2ed"
      },
      {
        "id": "0x4c6cd2ee"
      }
    ]

You can checkout this bug here:
https://green-pine.us-east-1.aws.cloud.dgraph.io/graphql