Poor man's auth in GraphQL

pawan · July 13, 2020, 11:49am

Motivation

Users of the GraphQL API should have a secure way of exposing their Dgraph instance. Currently, even if the user has auth rules defined, GraphQL+- endpoints like /query, /mutate can override those rules. The user currently needs to use a firewall to disable access to the GraphQL+- endpoints.

User Impact

Users can expose an instance of Dgraph and use the GraphQL API without having to put them behind a firewall.

Implementation

We already have Poorman’s auth which can be used to secure Admin endpoints. We can extend it to be checked for /query, /mutate endpoints as well. We still don’t to have them for the GraphQL API as it is supposed to be accessed from a web browser and a shared secret won’t work for that. This along with the changes proposed in Root @auth directives would help the user expose his GraphQL API safely. Thoughts @gja?

Topic		Replies	Views
Add Poor-man’s auth to Ratel UI Ratel status:accepted , kind:feature , ratel	1	908	February 26, 2021
Disable Alpha endpoints via commandline flags Dgraph auth , status:accepted , kind:feature , ticket:created	1	744	September 30, 2020
We have a foe among friends GraphQL	16	1913	July 13, 2020
DQL queries need to respect GraphQL @auth rules Dgraph auth , dgraph , area:security	7	1651	October 1, 2020
Concerns about authentication/authorization in DGraph with GraphQL endpoint Dgraph Cloud kind:question , auth , status:accepted	4	1198	September 24, 2020

Poor man's auth in GraphQL

Motivation

User Impact

Implementation

Related

Related Topics