“Are you using DQL from a client? Like an actual client on the web and not another backend?
DQL should only be Server → Dgraph as it is very susceptible to injection”
But that seems to contradict “HTTP Client A Dgraph client implementation for JavaScript using HTTP. It supports both BROWSER and Node.js environments.” This is from the docs, Dgraph Query Language > Client Libraries > JavaScript > HTTP Client https://dgraph.io/docs/clients/javascript/http/
(Italics mine)
First, thank you for taking the time to read what I have already written
Well, just because you can do something, doesn’t mean that you should.
A client could be another controlled environment such as a controlled Node server, or serverless Lambda-like controlled environment or a uncontrolled Browser.
Next.JS would be an example where you could use the DQL client on the server side with SSR, but to be safe, you should not use it directly inside Client Side rendered components and hooks.
There are still gotchas here to be understood and mitigated, but for the most part, this is a more controlled method because of the strict typing of GraphQL, it only lets you run the DQL that you specifically pre-allow in the schema or a custom lambda.
Just because it is HTTP(S) does not mean it is specifically browser (unsecure) based. You could have a server using HTTP(S) to communicate with other servers all inside a controlled environment and even inside a VPN and use HTTP in a secure fashion. HTTP(S) is just the protocol and not necessarily means it is end user directly.
This is the reason I tried to clarify with:
If a user wanted to run a browser based application and allow the user to have full control to the BE with very limited Auth, then they could run a direct connection from the Browser to the DQL endpoint of Dgraph. Just like they could do this with most any other database query language like SQL, Cypher, etc. But again, just because you can does not mean that you should. Security can be as strict as you can possibly make it or as lax as you dare to allow.
