Restrict visibility of graphql mutation and queries

I would like to whitelist [or whatever the politically correct wording of that is nowadays] access to specific graphql mutations/queries for all users.

As Dgraph autogenerates CRUD interfaces for everything, I’d like to clamp down on that and only expose things I decide should be exposed.

How would I go about doing that?

Look at the docs for the @auth directive.

2 Likes

Which part, specifically? I seem to have missed it.

Hey @davidLeonardi,

The docs about the @auth directive can be found here.

1 Like

Here are the @auth docs.

You can form appropriate JWT token, and pass it to the GraphQL API, which will decide based on that token whether someone can perform the query/mutation they are trying to do. So, if you don’t want all your users to have access to certain queries/mutations, then you can have a schema with auth rules like this:

type Country @auth(
	query: { rule: "{$ROLE: { eq: \"ADMIN\"}}"},
	add: { rule: "{$ROLE: { eq: \"ADMIN\"}}"},
	update: { rule: "{$ROLE: { eq: \"ADMIN\"}}"},
	delete: { rule: "{$ROLE: { eq: \"ADMIN\"}}"}
){
	id: ID!
	name: String! @search(by: [hash])
}

Then just don’t issue your users a JWT token containing ROLE as ADMIN, and they won’t be able to perform any query/mutation for type Country.

We are in the process of updating our docs at present, so expect better docs in a couple of days.

6 Likes
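To make the decision flow in that answer concrete, here is an added Python model (not Dgraph's code, and not part of the thread) of how a JWT claim drives the RBAC rules on the Country type above: a signed token carrying ROLE=ADMIN passes all four rules, any other token passes none, and a token whose signature does not verify gets nothing. The secret, claim layout and rule table are constructed for the example; the real secret and the claim namespace Dgraph reads from are configured by the schema's `# Dgraph.Authorization` line, which the thread does not show.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for this example only; in Dgraph it comes from the schema's
# "# Dgraph.Authorization" configuration, not from application code.
SECRET = b"example-hmac-secret"

# The rules from the Country type above: every operation requires $ROLE == "ADMIN".
COUNTRY_RULES = {op: {"ROLE": "ADMIN"} for op in ("query", "add", "update", "delete")}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict) -> str:
    """Mint an HS256 JWT with the given claims (the token issuer's job, not Dgraph's)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str) -> Optional[dict]:
    """Return the claims only if the HS256 signature verifies; malformed or tampered tokens yield None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))


def allowed_operations(token: str, rules: dict = COUNTRY_RULES) -> set:
    """Operations the token may perform: a rule {$VAR: {eq: V}} passes only when claim VAR equals V."""
    claims = verify_jwt(token)
    if claims is None:
        return set()  # no valid token, no access: the rules never see unverified claims
    return {op for op, required in rules.items()
            if all(claims.get(var) == val for var, val in required.items())}
```

The point of the model is the last function: access is decided entirely by claims that survived signature verification, so the security of the rules rests on never issuing ROLE=ADMIN tokens to ordinary users and on keeping the signing secret out of client reach.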