Hi, for the following schema:
type User @secret(field:"passwd") {
email: String! @id @search(by: [hash])
}
I get correct results for both with valid JWT token and without it:
{
checkUserPassword(email:"user1@localhost", passwd:"secret1") {
email
}
}
{
"data": {
"checkUserPassword": {
"email": "user1@localhost"
}
}
}
But after adding @auth rule:
type User @secret(field:"passwd") @auth(
query: {rule: """
{$isAuthenticated: {eq: "true"} }
"""}
){
email: String! @id @search(by: [hash])
}
I get this error when using no JWT token:
{
"errors": [
{
"message": "Dgraph query failed because Dgraph execution failed because line 3 column 11: Expected Left round brackets. Got: lex.Item [6] \"{\" at 3:11"
}
],
"data": {
"checkUserPassword": null
}
}
And then I get this error when using valid JWT token:
{
"errors": [
{
"message": "Dgraph query failed because Dgraph execution failed because line 2 column 1: Expected some name. Got: lex.Item [14] \"@\" at 2:1"
}
],
"data": {
"checkUserPassword": null
},
}
Both errors are the same when no matter when using valid or bad password.
At the same time the following query works correctly:
queryUser {
email
}
I think that because checkUserPassword is used for user validation, it should be allowed for all cases (even with @auth rule). Or maybe there should be another rule for checkUserPassword (not related to query rule).
With the above schema I was expecting that the user could be logged in (after validating with checkUserPassword), but could not query for other users.
Used dgraph/dgraph:a3d48429 and dgraph/dgraph:master for testing.