Firebase authentication and Slash GraphQL

Please share your @auth rule and graphql request. It should not be rejected if the auth header is not there, but your results should be empty, as the rule will fail, not the request.

Hi, my query is the generated queryTask query (from the tutorials in the documentation). My fetch request is:
fetch(
  'https://.aws.cloud.dgraph.io/graphql',
  {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({
      query: this.operationsDoc,
    }),
  }
)
Iā€™m not talking about applying specific authorisation rules against queries and mutations in the schema - I have none defined at this point of my jedi-training. Iā€™m looking at authentication of users against firebase so that any request hitting my graphql backend is effectively rejected (i.e, error and empty result) if the firebase token is missing, invalid, expired etc. I can do this as stated above with the following in the schema:

Dgraph.Authorization {"Header":"Firebase-Token","Namespace":"test","JWKURL":"https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com","Audience":["my-project"]}

If I include my firebase token in the headers I get the expected result - an empty result set and appropriate error, but excluding the token from the header as above returns the query results. I understand from earlier posts that there is an official firebase authentication example/tutorial in the works - is there an ETA?

It sounds like you understand the process fine. However, you do not want it to reject a query with no header. If a user is not logged in, you should be able to query public data. You must use @auth rules to secure data for only users that are logged in, or with certain roles etc. If you want to secure all data, simply make @auth rules on all types.

I just updated a quick reference on this: Firebase Authentication - RBAC - Role Based Access Control


Hey @Kim_Easton, you need to add ClosedByDefault: true in your authorization header.
Please see this.
Then it will allow a user to query data only if a valid JWT is passed along with the Authorization header.

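As an added example (not code from this thread, from Dgraph or from Firebase), the snippet below ties together the two points raised above: generating the Dgraph.Authorization schema line with ClosedByDefault set, and sending the Firebase ID token in the custom header from the original question's fetch() call. The endpoint URL, the token value and the sample responses are constructed placeholders; the "Firebase-Token" header name, namespace and audience are the values from the question, and the JWK URL is the Google one quoted there.

```javascript
// Added example (not from the original thread). Helpers for wiring a Firebase ID
// token into a Dgraph GraphQL request, and for emitting the Dgraph.Authorization
// line with ClosedByDefault enabled so that a missing or invalid JWT is rejected.

// JWK endpoint quoted in the question; Firebase ID tokens are verified against it.
const FIREBASE_JWK_URL =
  'https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com';

// Build the trailing schema comment that Dgraph reads its auth settings from.
// With closedByDefault=true, a request lacking a valid JWT fails instead of
// falling through to "no @auth rule on this type, so everything is visible".
function buildAuthorizationLine({ header, namespace, audience, closedByDefault = true }) {
  const settings = {
    Header: header,
    Namespace: namespace,
    JWKURL: FIREBASE_JWK_URL,
    Audience: Array.isArray(audience) ? audience : [audience],
    ClosedByDefault: closedByDefault,
  };
  return `# Dgraph.Authorization ${JSON.stringify(settings)}`;
}

// Assemble fetch() arguments for a GraphQL request. The Firebase ID token goes in
// the header named in the schema ("Firebase-Token" in the thread). If no token is
// available the header is omitted; under ClosedByDefault the server then rejects
// the query rather than returning unrestricted data.
function buildGraphqlRequest(endpoint, query, { token, header = 'Firebase-Token', variables } = {}) {
  const headers = { 'Content-Type': 'application/json' };
  if (token) headers[header] = token;
  const body = { query };
  if (variables) body.variables = variables;
  return [endpoint, { method: 'POST', headers, body: JSON.stringify(body) }];
}

// Classify a GraphQL response body. GraphQL reports auth failures in `errors`
// (typically alongside HTTP 200), so a client must inspect the body, not just
// the status code, to tell "rejected" from "allowed but nothing matched".
function classifyResponse(body) {
  if (Array.isArray(body.errors) && body.errors.length > 0) {
    return { status: 'rejected', messages: body.errors.map((e) => e.message) };
  }
  const data = body.data || {};
  const empty = Object.values(data).every(
    (v) => v == null || (Array.isArray(v) && v.length === 0),
  );
  return { status: empty ? 'empty' : 'ok', data };
}

// Constructed sample responses (not captured from a real server) of the two shapes
// discussed in the thread: an auth error, and a successful-but-empty result.
const SAMPLE_REJECTED = { errors: [{ message: 'constructed: valid JWT required' }] };
const SAMPLE_EMPTY = { data: { queryTask: [] } };

// Stand-alone demo with a placeholder endpoint and a fake token.
const [demoUrl, demoInit] = buildGraphqlRequest(
  'https://example.invalid/graphql',
  'query { queryTask { id title completed } }',
  { token: 'constructed.jwt.token' },
);
console.log(buildAuthorizationLine({ header: 'Firebase-Token', namespace: 'test', audience: 'my-project' }));
console.log(demoUrl, demoInit.headers);
console.log(classifyResponse(SAMPLE_REJECTED).status, classifyResponse(SAMPLE_EMPTY).status);
```

Paste the generated `# Dgraph.Authorization ...` line as the last line of the GraphQL schema; the `ClosedByDefault` flag is what changes the "no header, full results" behaviour described in the question into an error.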

Exactly what I was after, Thanks!