Query auth-rules mask graphql error propagation

I’m not sure if this is intentional, but when the query part does not allow the retrieval of an object, graphql errors are being masked.

Schema:

type Foo  @auth(
    query: { rule:  "{$DENIED: { eq: \"DENIED\" } }" }
  ) {
  username: String! @id
}

Steps to reproduce:

  1. Add Foo
mutation {
  addFoo(input: [
    {
      username: "user"
    }
  ]) {
    numUids
  }
}
  2. Redo mutation with same username:
mutation {
  addFoo(input: [
    {
      username: "user"
    }
  ]) {
    numUids
  }
}

Notice how the returned data from dgraph is just null instead of returning an error that a Foo with username==user already exists.


Yes, this is intentional and has been done to not return any additional information in case auth rules are not satisfied.

hm, I understand that and agree.

My initial problem must be something else then. I just tried to come up with a simple enough example but the real bug might have gotten lost in that process.

Here is a slightly more complicated schema which allows queries for admins:

type Foo  @auth(
    query: {
      or: [
        { rule: "{$ROLE: { eq: \"ADMIN\" }}" }
        {
          rule: "query($USERNAME: String!) { queryFoo(filter: { username: {eq: $USERNAME }}) { username }}"
        }
      ]
    }
  ) {
  username: String! @id
}

# Dgraph.Authorization {"VerificationKey":"totallysecret","Header":"Auth","Namespace":"lol","Algo":"HS256"}

Admin-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2wiOnsiUk9MRSI6IkFETUlOIiwiVVNFUk5BTUUiOiJhZG1pbiJ9LCJpYXQiOjE1MTYyMzkwMjJ9.9KgpRXR-OhOBiw7Ay-VTqhitIjtHKW_Fj6cmjIO3dAo

So my guess is that the or-rule is not correctly validated, which reminds me of this.

@chewxy I think this might be related to my PM: http://discuss.dgraph.io/t/security-bug-auth-security-rule-not-honored-correctly/13372
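
A first check when debugging the `or` rule posted above, as an added example that is not part of the original thread or Dgraph's own code: decode the posted token, optionally verify HS256 against the configured VerificationKey, and list the variables found under the `lol` namespace. `mint_hs256`, `auth_variables` and `role_branch_passes` are hypothetical helper names, and the role check is a simplified model of the first `or` branch, not Dgraph's evaluator.

```python
import base64
import hashlib
import hmac
import json

# Values copied from the "# Dgraph.Authorization" line and the Admin-Token in the post.
VERIFICATION_KEY = b"totallysecret"
NAMESPACE = "lol"
ADMIN_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJsb2wiOnsiUk9MRSI6IkFETUlOIiwiVVNFUk5BTUUiOiJhZG1pbiJ9LCJpYXQiOjE1MTYyMzkwMjJ9."
    "9KgpRXR-OhOBiw7Ay-VTqhitIjtHKW_Fj6cmjIO3dAo"
)

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_hs256(payload, key):
    """Build a constructed test token (helper for this example only)."""
    parts = [json.dumps(p, separators=(",", ":")).encode()
             for p in ({"alg": "HS256", "typ": "JWT"}, payload)]
    signing_input = ".".join(b64url_encode(p) for p in parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def auth_variables(token, key=None, namespace=NAMESPACE):
    """Return the claims under `namespace`; verify HS256 first when a key is given."""
    header_b64, body_b64, sig_b64 = token.split(".")  # ValueError if malformed
    if key is not None:
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            raise ValueError("unexpected alg")  # the posted config pins HS256
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64)).get(namespace, {})

def role_branch_passes(variables):
    """Simplified model of the first `or` branch: {$ROLE: { eq: "ADMIN" }}."""
    return variables.get("ROLE") == "ADMIN"

if __name__ == "__main__":
    claims = auth_variables(ADMIN_TOKEN)  # decoded only; signature not checked here
    print("rule variables:", claims)
    print("first or-branch passes:", role_branch_passes(claims))
```

Passing `key=VERIFICATION_KEY` additionally checks the signature, which separates a token or key mismatch from a rule-evaluation problem.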