Implemented? Queries Closed by default

mortenalbertsen · February 3, 2021, 9:07pm

Hi DGraph team!

I was somewhat shocked to learn that Dgraph queries are readable by default by anyone with knowledge of the URL of my Slash GraphQL instance.
I read in a comment that you would implement such that all queries/mutations are - instead - closed by default, in a future version. Do you recognize what I’m talking about? If so, when will that be implemented

For my use-case, I do not wish to allow users to query the DGraph database directly from clientside, but instead I wish a backend to query the DGraph database, on behalf of the users.

This is what I wish to achieve
[Clients] <–> [HTTP Backend, written by me] <—> [DGraph database]
Only the backend should be able to - using a set of credentials - to read/write to the Slash DGraph database

To make my question clear: How do I make all queries and mutations closed by default? Has it been implemented?

dmai · February 3, 2021, 9:42pm

Closed-by-default functionality was added in Dgraph v20.11 in this PR:

github.com/dgraph-io/dgraph

Feat(GraphQL): This PR adds auth switch in GraphQL authorization header.

dgraph-io:master ← dgraph-io:jatin/GRAPHQL-713

opened 10:54AM - 22 Oct 20 UTC

JatinDev543

+630 -71

Fixes GRAPHQL-713 This PR adds auth switch `closedByDefault` in graphql author…ization header which can be turned on to apply jwt checking on types that don't have auth directive.  --- This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/dgraph-io/dgraph/6779) Docs Preview: [<img src="https://bl.ocks.org/prashant-shahi/raw/3a9f99bec84231cfe3c0e82cf883f159/0e588d908ad8c8b10958b87ebdd2ba68779ccf4f/dgraph.svg" height="34" align="absmiddle" alt="Dgraph Preview"/>](https://dgraph-e367f6a45a-105207.surge.sh)

You can set the "ClosedByDefault": true in the # Dgraph.Authorization object in your schema to require auth even if @auth isn’t specified on a type: https://dgraph.io/docs/master/graphql/authorization/authorization-overview/

mortenalbertsen · February 3, 2021, 9:58pm

Thanks for the answer
FYI: The link you’re referring to doesn’t not mention your solution though

dmai · February 3, 2021, 10:02pm

@mortenalbertsen You’re right. We’re working on the docs for that. It’ll be live soon.

dmai · February 4, 2021, 8:40pm

@mortenalbertsen The docs for ClosedByDefault are now live.

Topic		Replies	Views
Beginner question: Connecting to Dgraph directly from the front-end App Development discussion , kind:question	7	1630	November 14, 2020
GraphQL+- on Slash! Dev slash	3	637	July 9, 2020
How can I use Slash Dgraph as a database for my backend? Dgraph Cloud	6	618	February 10, 2021
Slash GraphQL Release March 9th 2021 Announce release	6	1037	March 9, 2021
Overview - Slash graphql Documentation	0	315	August 28, 2020

Implemented? Queries Closed by default

Related Topics