Query auth-rules mask graphql error propagation

maaft · April 6, 2021, 2:37pm

I’m not sure if this is intentional, but when the query part does not allow the retrieval of an object, graphql errors are being masked.

Schema:

type Foo  @auth(
    query: { rule:  "{$DENIED: { eq: \"DENIED\" } }" }
  ) {
  username: String! @id
}

Steps to reproduce:

Add Foo

mutation {
  addFoo(input: [
    {
      username: "user"
    }
  ]) {
    numUids
  }
}

Redo mutation with same username:

mutation {
  addFoo(input: [
    {
      username: "user"
    }
  ]) {
    numUids
  }
}

Notice how the returned data from dgraph ist just null instead of returning an error that a Foo with username==user already exists.

amaster507 · April 6, 2021, 2:36pm

rajas · April 6, 2021, 3:08pm

Yes, this is intentional and has been done to not return any additional information in case auth rules are not satisifed.

maaft · April 6, 2021, 3:25pm

hm, I understand that and agree.

My initial problem must be something else then. I just tried to came up with a simple enough example but the real bug might have gotten lost in that process.

Here is a slightly more complicated schema which allows queries for admins:

type Foo  @auth(
    query: {
      or: [
        { rule: "{$ROLE: { eq: \"ADMIN\" }}" }
        
            {
              rule: "query($USERNAME: String!) { queryFoo(filter: { username: {eq: $USERNAME }}) { username }}"
            }
      ]
    }
  ) {
  username: String! @id
}

# Dgraph.Authorization {"VerificationKey":"totallysecret","Header":"Auth","Namespace":"lol","Algo":"HS256"}

Admin-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2wiOnsiUk9MRSI6IkFETUlOIiwiVVNFUk5BTUUiOiJhZG1pbiJ9LCJpYXQiOjE1MTYyMzkwMjJ9.9KgpRXR-OhOBiw7Ay-VTqhitIjtHKW_Fj6cmjIO3dAo

So my guess is, that the or-rule is not correctly validated which reminds me of this.

amaster507 · April 6, 2021, 3:28pm

@chewxy I think this might be related to my PM: https://discuss.dgraph.io/t/security-bug-auth-security-rule-not-honored-correctly/13372