Poor man's auth in GraphQL


Users of the GraphQL API should have a secure way of exposing their Dgraph instance. Currently, even if the user has auth rules defined, GraphQL+- endpoints like /query, /mutate can override those rules. The user currently needs to use a firewall to disable access to the GraphQL+- endpoints.

User Impact

Users can expose an instance of Dgraph and use the GraphQL API without having to put them behind a firewall.


We already have Poorman’s auth which can be used to secure Admin endpoints. We can extend it to be checked for /query, /mutate endpoints as well. We still don’t to have them for the GraphQL API as it is supposed to be accessed from a web browser and a shared secret won’t work for that. This along with the changes proposed in Root @auth directives would help the user expose his GraphQL API safely. Thoughts @gja?