Firebase authentication and Slash GraphQL

@minhaj

Got an error after deploying the schema file. “Failed to connect to backend. Please reload the schema or contact us if the issue persists.”

** types **

# Dgraph.Authorization { "JWKURL": "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com", "Audience": "** projectId **", "Header": "Authorization" }

I cannot access the schema at all now.

Thanks for the ongoing help!

Can you please be more specific about the error and the steps for reproducing it?

Not sure what I did more than just deploying the schema and heading to the API Explorer, only to see that no schema is available. The schema that got deployed looked like this (with the actual projectId).

type User  {
	name: String @search(by:[exact,fulltext]) 
}

# Dgraph.Authorization { "JWKURL": "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com", "Audience": "** projectId **", "Header": "Authorization" }

Can you paste the response?
Can you try updating the schema once more after adding Namespace to the Authorization Header?

Cannot update the schema at all.

Created a new backend and deployed this exact schema (with namespace).
The deployment was successful, but after a page refresh the schema was unavailable again.

type User  {
	name: String @search(by:[exact,fulltext]) 
}

# Dgraph.Authorization { "JWKURL": "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com", "Audience": "** projectId **", "Header": "Authorization", "Namespace": "test" }

@minhaj found what was causing this.

The space between # and Dgraph.Authorization needed to be removed.

@minhaj we should fix this behavior and even if there is a space after # we should still be able to read the Dgraph.Authorization header. Accepting this as an issue to be fixed.

Hey @Isak, the exact format of the Authorization header in the schema is that there should be a space between # and Dgraph.Authorization, and hence it should be # Dgraph.Authorization. If there is no space between them, Dgraph won’t recognize it as a valid Authorization Header and doesn’t even try to parse it. That is why you are not facing the error which you faced earlier.

@minhaj thanks for the clarification! So this is a bug and the feature can not be used at the moment?

No, there is no known bug yet. Please go ahead and use it, but make sure to include the space between # and Dgraph.Authorization.

Sorry but I can’t get this to work.
@minhaj can you please provide a working schema that I can try with my own values?

Actually, got it working now I think. At least able to deploy the schema without crashing it.

Hey @Isak, the given schema should work.

type Task @withSubscription @auth(
    query: { rule: """
        query($USER: String!) {
            queryTask {
                user(filter: { username: { eq: $USER } }) {
                    username
                }
            }
        }"""}), {
    id: ID!
    title: String! @search(by: [fulltext])
    completed: Boolean! @search
    user: User!
}
type User @withSubscription {
    username: String! @id @search(by: [hash])
    name: String
    tasks: [Task] @hasInverse(field: user)
}
# Dgraph.Authorization {"Header":"X-Firebase-Token","Namespace":"https://dgraph.io/jwt/claims","JWKURL":"https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com","Audience":["your-project-id"]}

Apart from this, can you tell us more about the error which you are facing?

The error is related to the formatting of the header, for example whether there is a space or not, as discussed earlier. I can’t give exact details because of the number of different schemas I tried. But it has to do with the formatting and parsing for sure.

Hi, I have successfully authenticated against firebase via an authorization string in the schema as above. It works great. If I pass no/invalid token or an expired token my frontend request is rejected.
However, when I have anonymous access allowed and completely exclude my firebase token key:value from the request header, the backend returns the request!
If I define authentication like this in my schema, to ensure a request is coming from an authenticated user, then completely omit token key value pair from the header (i.e. act like a completely unauthenticated user) shouldn’t the request be rejected?

Please share your @auth rule and graphql request. It should not be rejected if the auth header is not there, but your results should be empty, as the rule will fail, not the request.

Hi, my query is the generated queryTask query (from the tutorials in the documentation). My fetch request is:
fetch(
  'https://.aws.cloud.dgraph.io/graphql',
  {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({
      query: this.operationsDoc,
    }),
  }
)
I’m not talking about applying specific authorisation rules against queries and mutations in the schema - I have none defined at this point of my jedi-training. I’m looking at authentication of users against firebase so that any request hitting my graphql backend is effectively rejected (i.e, error and empty result) if the firebase token is missing, invalid, expired etc. I can do this as stated above with the following in the schema:

Dgraph.Authorization {"Header":"Firebase-Token","Namespace":"test","JWKURL":"https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com","Audience":["my-project"]}

If I include my firebase token in the headers I get the expected result, an empty result set and an appropriate error, but excluding the token from the header as above returns the query results. I understand from earlier posts that there is an official firebase authentication example/tutorial in the works. Is there an ETA?

It sounds like you understand the process fine. However, you do not want it to reject a query with no header. If a user is not logged in, you should be able to query public data. You must use @auth rules to secure data for only users that are logged in, or with certain roles etc. If you want to secure all data, simply make @auth rules on all types.

I just updated a quick reference on this: Firebase Authentication - RBAC - Role Based Access Control

Hey @Kim_Easton, you need to add ClosedByDefault: true in your authorization header.
Please see this.
Then it will allow a user to query data only if a valid JWT is passed along with the Authorization Header.
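
As an added example (not code from this thread or from Dgraph), here is a small JavaScript linter for the `# Dgraph.Authorization` line that catches the two pitfalls discussed above: the mis-spaced header that Dgraph silently ignores, and a configuration without ClosedByDefault, which still answers requests carrying no JWT. The sample schemas and the project id in them are constructed placeholders.

```javascript
// Lint the "# Dgraph.Authorization {json}" line of a Dgraph GraphQL schema.
// Dgraph only honours the exact form with one space after '#'; any other
// spelling is ignored, so the backend runs with no JWT verification at all.
const REQUIRED_KEYS = ["Header", "JWKURL", "Audience"];

// Returns { ok, problems, config }; `config` is the parsed JSON or null.
function checkDgraphAuthorization(schema) {
  const problems = [];
  // Match the line however it is spaced, so a mis-spaced one is reported rather than missed.
  const candidates = schema.split("\n").filter((l) => /^\s*#\s*Dgraph\.Authorization/.test(l));
  if (candidates.length === 0) {
    return { ok: false, problems: ["no Dgraph.Authorization line found"], config: null };
  }
  if (candidates.length > 1) problems.push("more than one Dgraph.Authorization line");
  const line = candidates[candidates.length - 1].trim();
  const m = line.match(/^# Dgraph\.Authorization (\{.*\})$/);
  if (!m) {
    problems.push("not exactly '# Dgraph.Authorization {...}' (check the space after '#'); Dgraph ignores it");
    return { ok: false, problems, config: null };
  }
  let config;
  try {
    config = JSON.parse(m[1]);
  } catch (e) {
    problems.push("JSON body does not parse: " + e.message);
    return { ok: false, problems, config: null };
  }
  for (const k of REQUIRED_KEYS) if (!(k in config)) problems.push("missing key " + k);
  if (typeof config.JWKURL === "string" && !config.JWKURL.startsWith("https://")) {
    problems.push("JWKURL must be https, or the signing keys can be swapped in transit");
  }
  // Without ClosedByDefault a request with no JWT is still served; only @auth rules limit it.
  if (config.ClosedByDefault !== true) problems.push("ClosedByDefault is not true: unauthenticated requests are served");
  return { ok: problems.length === 0, problems, config };
}

// Constructed sample schemas (placeholder project id, not a real one).
const AUTH_JSON = '{"Header":"X-Firebase-Token","Namespace":"https://dgraph.io/jwt/claims",' +
  '"JWKURL":"https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com",' +
  '"Audience":["your-project-id"]';
const SCHEMA_NO_SPACE = "type User { name: String }\n#Dgraph.Authorization " + AUTH_JSON + "}\n";
const SCHEMA_OPEN = "type User { name: String }\n# Dgraph.Authorization " + AUTH_JSON + "}\n";
const SCHEMA_CLOSED = "type User { name: String }\n# Dgraph.Authorization " + AUTH_JSON + ',"ClosedByDefault":true}\n';

// Report on all three: the first is ignored by Dgraph, the second is open to anonymous queries.
const REPORTS = [SCHEMA_NO_SPACE, SCHEMA_OPEN, SCHEMA_CLOSED].map(checkDgraphAuthorization);
console.log(JSON.stringify(REPORTS, null, 2));
```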

Exactly what I was after, Thanks!