Role based access control rules are not working in DGraph Cloud

Hello,

I’ve been setting up security for my database this week with the @auth directive and I’m noticing some rules are not being evaluated correctly in DGraph Cloud. Namely, the ones in the last section of the auth docs. At first I thought I wasn’t setting up auth correctly, either in the # DGraph.Authorization line or in my front end, but I was able to get it working using the rules that actually contain a query. I’ll explain below what I’ve done so far:

When using this rule:

@auth(
    query: { rule: """
        query ($USER: String!) {
            queryUser(filter: {
              or: [
                { email: { eq: $USER } },
                { not: { email: { eq: $USER } } }
              ]
            }) {
                id
            }
        }"""
    }
)

I’m able to get results from my back end

However, when switching to this rule:

@auth(
    query: { rule: "{$isAuthenticated: { eq: \"true\" } }" }
)

I get no results.

I’ve also been able to decode my token and verify that the corresponding claims are indeed present.

I know I can replace the $isAuthenticated rule with the other one containing a query, but I’d prefer using the former one due to its readability.

I already opened a support ticket but I figured I’d post it here in case someone else runs into this issue in the future. I was wondering if maybe the DGraph version running on DGraph Cloud doesn’t support this yet but was told by support it does. Any suggestions are highly appreciated.

So your rule by itself doesn’t make sense. You should be checking the value of the variable against the DB field, not the value of the variable against another value.

This auth runs your JWT value against the DB →

@auth(
    query: { rule: """
        query ($isAuthenticated: Boolean!, $UserId: Int!) {
            queryUser(filter: {
              or: [
                { userID: { eq: $UserId } },
                { and: [
                    { validUser: { eq: $isAuthenticated } },
                    { validUser: { eq: true } }
                ] }
              ]
            }) {
                id
            }
        }"""
    }
)

A good rule of thumb for writing rules is that your rules should be valid queries by themselves.

Refer to the last part of the auth docs. It has the exact same rule I tried to use.

I want authenticated users to be able to query other users.

This looks like a data mismatch (JWT sends a boolean, Dgraph auth does a string comparison).


Yup, that was it. Thanks!
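The thread's conclusion is a claim-type mismatch: the RBAC rule `{$isAuthenticated: { eq: "true" } }` compares the JWT claim against the string "true", so a token whose custom claim is the JSON boolean `true` never matches, while the query-based rule keeps working. The following is an added example, not code from the thread or from Dgraph: it mints an HS256 JWT with namespaced custom claims (the namespace value, the subject, and the secret are constructed for the demo and are assumptions; the namespace must match whatever your # Dgraph.Authorization line declares), models the RBAC string comparison the way the thread describes it, and adds a small pre-flight lint that flags any custom claim that is not a string before the token ever reaches the backend.

```python
"""Added example (not from the thread or from Dgraph): show why a boolean
`isAuthenticated` claim fails an RBAC rule that compares against "true",
and lint a token's custom claims for non-string values up front."""
import base64
import hashlib
import hmac
import json

# Assumption: the claims namespace configured in the # Dgraph.Authorization line.
NAMESPACE = "https://dgraph.io/jwt/claims"
# Constructed demo secret; never ship a hard-coded key.
SECRET = b"constructed-demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Restore the padding a JWT segment strips before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_jwt(custom_claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT carrying `custom_claims` under NAMESPACE."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": "user-123", NAMESPACE: custom_claims}  # constructed subject
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{_b64url(compact(header))}.{_b64url(compact(payload))}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_and_decode(token: str, secret: bytes = SECRET) -> dict:
    """Check the HS256 signature and alg, then return the payload claims."""
    head, body, sig = token.split(".")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    return json.loads(_b64url_decode(body))


def rbac_rule_matches(claims: dict, claim_name: str, expected: str) -> bool:
    """Model of `{$CLAIM: { eq: "expected" } }` as the thread describes it:
    the claim is compared as a string, so a JSON boolean or number never matches."""
    value = claims.get(NAMESPACE, {}).get(claim_name)
    return isinstance(value, str) and value == expected


def lint_claims(claims: dict) -> list:
    """Names of namespaced claims that are not strings and so cannot satisfy
    a string-comparing RBAC rule; fix these on the token issuer side."""
    return sorted(k for k, v in claims.get(NAMESPACE, {}).items()
                  if not isinstance(v, str))


if __name__ == "__main__":
    # Constructed inputs: the failing boolean claim beside the working string claim.
    broken = verify_and_decode(mint_jwt({"isAuthenticated": True, "UserId": 42}))
    fixed = verify_and_decode(mint_jwt({"isAuthenticated": "true", "UserId": "42"}))
    print("boolean claim matches rule:", rbac_rule_matches(broken, "isAuthenticated", "true"))
    print("string claim matches rule: ", rbac_rule_matches(fixed, "isAuthenticated", "true"))
    print("non-string claims to fix:  ", lint_claims(broken))
```

Running the lint against a freshly issued token during development catches the mismatch immediately, instead of showing up as an empty query result from the backend with no error to point at the cause.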