maaft
April 6, 2021, 2:10pm
1
I’m not sure if this is intentional, but when the query part does not allow the retrieval of an object, graphql errors are being masked.
Schema:
type Foo @auth(
query: { rule: "{$DENIED: { eq: \"DENIED\" } }" }
) {
username: String! @id
}
Steps to reproduce:
Add Foo
mutation {
addFoo(input: [
{
username: "user"
}
]) {
numUids
}
}
Redo mutation with same username:
mutation {
addFoo(input: [
{
username: "user"
}
]) {
numUids
}
}
Notice how the returned data from dgraph ist just null
instead of returning an error that a Foo
with username==user
already exists.
rajas
(Rajas Vanjape)
April 6, 2021, 3:08pm
3
Yes, this is intentional and has been done to not return any additional information in case auth rules are not satisifed.
maaft
April 6, 2021, 3:17pm
4
hm, I understand that and agree.
My initial problem must be something else then. I just tried to came up with a simple enough example but the real bug might have gotten lost in that process.
Here is a slightly more complicated schema which allows queries for admins:
type Foo @auth(
query: {
or: [
{ rule: "{$ROLE: { eq: \"ADMIN\" }}" }
{
rule: "query($USERNAME: String!) { queryFoo(filter: { username: {eq: $USERNAME }}) { username }}"
}
]
}
) {
username: String! @id
}
# Dgraph.Authorization {"VerificationKey":"totallysecret","Header":"Auth","Namespace":"lol","Algo":"HS256"}
Admin-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2wiOnsiUk9MRSI6IkFETUlOIiwiVVNFUk5BTUUiOiJhZG1pbiJ9LCJpYXQiOjE1MTYyMzkwMjJ9.9KgpRXR-OhOBiw7Ay-VTqhitIjtHKW_Fj6cmjIO3dAo
So my guess is, that the or
-rule is not correctly validated which reminds me of this .
amaster507
(Anthony Master)
April 6, 2021, 3:28pm
5