check*Password query is rewritten into invalid DQL query

Report a Dgraph Bug

What version of Dgraph are you using?

Docker Image dgraph/standalone

21.03.1
{
  "errors": [
    {
      "message": "Dgraph query failed because Dgraph execution failed because Variables are not used properly. \nDefined:[Role_Auth1 pwd]\nUsed:[UserRoot pwd]\n",
      "path": [
        "checkUserPassword"
      ]
    }
  ],
  "extensions": {
    "tracing": {
      "version": 1,
      "startTime": "2021-08-08T11:43:59.3472973Z",
      "endTime": "2021-08-08T11:43:59.347781Z",
      "duration": 483700,
      "execution": {
        "resolvers": [
          {
            "path": [
              "checkUserPassword"
            ],
            "parentType": "Query",
            "fieldName": "checkUserPassword",
            "returnType": "User",
            "startOffset": 99500,
            "duration": 375200,
            "dgraph": [
              {
                "label": "query",
                "startOffset": 255300,
                "duration": 166200
              }
            ]
          }
        ]
      }
    }
  }
}

Have you tried reproducing the issue with the latest release?

What is the hardware spec (RAM, OS)?

Steps to reproduce the issue (command/config used to run Dgraph).

GraphQL-Schema

type User @secret(field: "password") {
  name: String! @id
  roles: [Role!]!
}

type Role
@auth(
  query: {
    rule: """
      query($user: String!) {
        queryRole(filter: { name: { eq: $user }}) {
          name
        }
      }"""
  }
) {
  name: String! @id
}

# Dgraph.Authorization {"VerificationKey":"secret","Header":"header","Namespace":"domain","Algo":"HS256"}

query (with valid jwt) e.g. eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NTExMTExMTEsInN1YiI6IiIsImRvbWFpbiI6eyJ1c2VyIjoiIn19.DsfOGu34W_Ju3cCDRwGQvmVghsb2zyCsd-AFq2dNMVE

query checkUser {
  checkUserPassword(name: "", password: "") {
    name
    roles {name}
  }
}

Expected behaviour and actual result.

{
  "data": {
    "checkUserPassword": null
  },
  "extensions": {
    "tracing": {
      "version": 1,
      "startTime": "2021-08-08T11:56:40.4614177Z",
      "endTime": "2021-08-08T11:56:40.4616358Z",
      "duration": 218200,
      "execution": {
        "resolvers": [
          {
            "path": [
              "checkUserPassword"
            ],
            "parentType": "Query",
            "fieldName": "checkUserPassword",
            "returnType": "User",
            "startOffset": 95900,
            "duration": 87200,
            "dgraph": [
              {
                "label": "query",
                "startOffset": 0,
                "duration": 0
              }
            ]
          }
        ]
      }
    }
  }
}

Hello @hastri and welcome,
I’m not sure about the reason but I was able to get the expected result with this token without using :
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NTExMTExMTEsInN1YiI6IiIsInVzZXIiOiJIRUxMTyJ9.6q2SUgrnfy-1zoYgdKq7ueI3wU6Tpj7IpQI43RpxT1A
This is the payload:
{ "exp": 1651111111, "sub": "", "user": "HELLO" }

That’s probably because the domain.user property is missing and the rule is therefore not even checked.

I checked what you said and it is working:
First I added a role with name: HELLO
This is the result with this token that I have a role named: HELLO:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NTExMTExMTEsInN1YiI6IiIsIlVTRVIiOiJIRUxMTyJ9.PoY-jkGUbrWm7aqVcfCyikQf5NCsfnZMyZNwTepBou4

And this is the result of sending a request with a token where the user is BYE:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NTExMTExMTEsInN1YiI6IiIsIlVTRVIiOiJCWUUifQ.tal8VmXHt6DkKN9Cd6vIC2UIII5k9MijdqMTjcEd8B4
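
The four tokens posted in this thread can be compared by decoding their payloads and looking up the rule's $user variable under the Namespace from the Dgraph.Authorization line. This is an added example, not code from the thread or from Dgraph: it does not verify signatures, and the lookup it performs (an exact-case key inside the "domain" object) is an assumption about how the claim is resolved.

```python
import base64
import json

NAMESPACE = "domain"  # "Namespace" value in the thread's Dgraph.Authorization line
RULE_VAR = "user"     # $user in the @auth rule on type Role
STANDARD = {"exp", "sub", "iat", "nbf", "iss", "aud", "jti"}

# Tokens copied from the thread, keyed by the post they appear in.
TOKENS = {
    "original report": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NTExMTExMTEsInN1YiI6IiIsImRvbWFpbiI6eyJ1c2VyIjoiIn19.DsfOGu34W_Ju3cCDRwGQvmVghsb2zyCsd-AFq2dNMVE",
    "first reply": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NTExMTExMTEsInN1YiI6IiIsInVzZXIiOiJIRUxMTyJ9.6q2SUgrnfy-1zoYgdKq7ueI3wU6Tpj7IpQI43RpxT1A",
    "second reply (HELLO)": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NTExMTExMTEsInN1YiI6IiIsIlVTRVIiOiJIRUxMTyJ9.PoY-jkGUbrWm7aqVcfCyikQf5NCsfnZMyZNwTepBou4",
    "second reply (BYE)": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NTExMTExMTEsInN1YiI6IiIsIlVTRVIiOiJCWUUifQ.tal8VmXHt6DkKN9Cd6vIC2UIII5k9MijdqMTjcEd8B4",
}


def decode_claims(token):
    """Return the JWT payload as a dict. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def auth_variable(claims, namespace=NAMESPACE, name=RULE_VAR):
    """Assumed lookup: exact-case key inside the namespace object.
    Returns (found, value) so an empty string is distinguishable from absent."""
    scoped = claims.get(namespace)
    if not isinstance(scoped, dict) or name not in scoped:
        return False, None
    return True, scoped[name]


def describe(token):
    """Summarise what a token offers the rule: the namespaced variable, plus
    any custom top-level claims that sit outside the namespace."""
    claims = decode_claims(token)
    found, value = auth_variable(claims)
    outside = sorted(k for k in claims if k not in STANDARD and k != NAMESPACE)
    return {"found": found, "value": value, "outside_namespace": outside}


if __name__ == "__main__":
    for label, token in TOKENS.items():
        print(f"{label}: {describe(token)}")
```

Only the token from the original report carries domain.user (as an empty string); the reply tokens put "user" or "USER" at the top level, outside the namespace.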