Firebase authentication and Slash GraphQL

jdgamble555 · April 3, 2021, 4:36am

Please share your @auth rule and graphql request. It should not be rejected if the auth header is not there, but your results should be empty, as the rule will fail, not the request.

Kim_Easton · April 3, 2021, 8:56pm

Hi, my query is the generated queryTask query (from the tutorials in the documentation). My fetch request is:
fetch(
‘https://.aws.cloud.dgraph.io/graphql’,
{
method: ‘POST’,
headers: {
‘Content-Type’: ‘application/json’,
},
body: JSON.stringify({
query: this.operationsDoc,
})
I’m not talking about applying specific authorisation rules against queries and mutations in the schema - I have none defined at this point of my jedi-training. I’m looking at authentication of users against firebase so that any request hitting my graphql backend is effectively rejected (i.e, error and empty result) if the firebase token is missing, invalid, expired etc. I can do this as stated above with the following in the schema:

Dgraph.Authorization {“Header”:“Firebase-Token”,“Namespace”:“test”,“JWKURL”:“https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com",“Audience”:["my-project”]}

If I include my firebase token in the headers I get the expected result - an empty results set and appropriate error, but excluding the token from the header as above returns the query results. I understand from earlier posts that there is an official firebase authentication example/tutorial in the works - is there an eta?

jdgamble555 · April 3, 2021, 9:37pm

It sounds like you understand the process fine. However, you do not want it to reject a query with no header. If a user is not logged in, you should be able to query public data. You must use @auth rules to secure data for only users that are logged in, or with certain roles etc. If you want to secure all data, simply make @auth rules on all types.

I just updated a quick reference on this: Firebase Authentication - RBAC - Role Based Access Control

minhaj · April 5, 2021, 10:39am

Hey @Kim_Easton, you need to add ClosedByDefault: true in your authorization header.
Please see this.
Then it will allow user to query data if only valid jwt is passed along with the Authorization Header.

Kim_Easton · April 10, 2021, 10:42pm

Exactly what I was after, Thanks!

Topic		Replies	Views
Using Auth rules in Dgraph Cloud / Slash GraphQL when running the Firebase Emulator Dgraph Cloud kind:question , auth	1	580	May 2, 2021
Support Firebase JWT token verification GraphQL status:accepted , kind:feature , area:graphql , ticket:created	39	4108	January 18, 2021
Firebase authentication and Slash GraphQL example and a tutorial? Dgraph Cloud kind:question	0	538	January 22, 2021
Firebase Authentication - RBAC - Role Based Access Control Dgraph Cloud slash-graphql , dgraph	10	2897	June 4, 2021
Putting it All Together - Dgraph Authentication, Authorization, and Granular Access Control (PART 3) - Dgraph Blog Blog	0	747	October 9, 2020

Firebase authentication and Slash GraphQL

Dgraph.Authorization {“Header”:“Firebase-Token”,“Namespace”:“test”,“JWKURL”:“https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com",“Audience”:["my-project”]}

Related Topics