I am using Dgraph cloud and am currently adding various security layers to prevent malicious attacks. I built a social network and chose Dgraph to manage the deep relationships between users. However, now that I am trying to implement security rules on the backend, I am starting to struggle. There are a number of things that I would need to confidently publish my app:
- Field authorization
An example for this would be private users. While the frontend will not display content stemming from private users, I want to secure private users’ posts on the backend as well. This means that first of all, private users’ posts should not be visible to the public, unless a private user accepted a follow request. To implement this, combined with general authorization, I believe I need some kind of nested auth rules.
When setting my auth rules like this, an authenticated user can query their own profile, and users that are not private. However, I only want to hide private users’ posts, so that their profile would still be returned for basic search operations, like searching for a user by username. How can I add further rules to prevent private users’ posts from being queried, while the rest of their profile can be retrieved?
```graphql
type User @auth(
  query: { rule: """
    query($USER: String!) {
      queryUser(filter: { email: { eq: $USER }, or: { isPrivate: false } }) {
        username
      }
    }"""}) {
  username: String
  posts: [Post]
  followers: [User]
}
```
Also, is there a way to generally secure the endpoint so that non-authorized users cannot retrieve any data at all?
- Followers
To specify this even more, I would like to add an exception to the just mentioned rule, if a user is private, but the requesting user’s ID is included in the private user’s followers?
- Securing API keys
This more general question is concerned with securing API keys. As an added layer of security, I want to disable anonymous access, but I am unsure where to store my client API key. As the main platforms will be iOS and Android, I would not want to ship my API key to the client side code. Does Dgraph have solutions for securely storing API keys in the cloud, so that every query first reaches out to grab the API key from a secure storage that is never visible to the client side and is only accessible to authorized users, but also never leaves the server?
- Spam protection
Besides securing private users’ data, my main concern is spam attacks that request enormous amounts of data, driving up the bill at the end of the month. Does Dgraph cloud have its own spam protection to prevent such things from happening?
I would appreciate some guidance regarding my security concerns, and Dgraph security best practices.
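One way to express the policy described in the post (profiles stay searchable, a private user's posts are readable only by the author and their followers, no anonymous access), as an added example that is not part of the original post or Dgraph's own code. The `email`, `isPrivate`, `author`, `id` and `text` fields, the header name, the claims namespace and the key placeholder are assumptions.

```graphql
# Added example schema. The JWT is assumed to carry a USER claim holding the
# requester's email under the namespace given in Dgraph.Authorization below.
type User {
  email: String! @id                    # assumed field; @id makes eq filters possible
  username: String @search(by: [hash])  # searchable for lookup by username
  isPrivate: Boolean @search            # filtered on in the rules, so it needs @search
  posts: [Post] @hasInverse(field: author)
  followers: [User]                     # assumed to hold accepted followers only
}

# Rules on Post are applied wherever posts are reached, including the nested
# selection queryUser { posts { ... } }, so the profile can be returned while
# the posts list comes back empty for requesters who match none of the rules.
type Post @auth(
  query: { or: [
    # 1. The author's account is public. A user whose isPrivate is unset
    #    does not match this filter, so set the field on every user.
    { rule: """
      query {
        queryPost { author(filter: { isPrivate: false }) { __typename } }
      }""" },
    # 2. The requester is the author.
    { rule: """
      query($USER: String!) {
        queryPost { author(filter: { email: { eq: $USER } }) { __typename } }
      }""" },
    # 3. The requester appears in the author's followers.
    { rule: """
      query($USER: String!) {
        queryPost {
          author { followers(filter: { email: { eq: $USER } }) { __typename } }
        }
      }""" }
  ]}
) {
  id: ID!
  text: String
  author: User!
}

# ClosedByDefault rejects every request that does not carry a valid JWT.
# Dgraph.Authorization {"VerificationKey":"<placeholder-verification-key>","Header":"X-Auth-Token","Namespace":"https://example.com/jwt/claims","Algo":"HS256","ClosedByDefault":true}
```

Rule 3 is only as strong as the write path to `followers`: without `add` and `update` rules on `User`, a requester could add themselves to a private user's followers and pass the check.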