Set all queries to private with @auth

How would I go about preventing my API from being query-able unless provided a valid token?

2 Likes

It is a pending feature request:

@arijit any update on these discussions?

1 Like

@pawan do we have enough eng resources to add some global auth switches in before 20.11.0? We could add a switch into the Dgraph.Authorization key that changes the behaviour of un-decorated types to require a JWT.

It’s possible to get the same behaviour by adding a rule like { rule: "{$isAuthenticated: {eq: \"True\"}}" } and arranging all JWTs to have that claim. But that then needs to be added for every type.

Feels like there are two valid approaches here - open by default, and closed by default.

1 Like
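
The workaround in the post above only holds if no type is missed, because un-decorated types stay open. As an added example (not part of the thread and not Dgraph tooling), this Python check lists the types in a schema that lack an `@auth` rule for the required operations. The function names and the sample schema are constructed for illustration, and it assumes types are declared as `type Name ... {`.

```python
import re

OPERATIONS = ("query", "add", "update", "delete")
STRING = re.compile(r'"(?:\\.|[^"\\])*"')
TYPE_DEF = re.compile(r'^[ \t]*type[ \t]+(\w+)', re.MULTILINE)
AUTH_OP = re.compile(r'\b(%s)\s*:' % "|".join(OPERATIONS))

# Constructed sample: Todo carries the rule from the post, Comment is un-decorated.
SAMPLE_SCHEMA = r'''
type Todo @auth(
    query: { rule: "{$isAuthenticated: {eq: \"True\"}}" }
) {
    id: ID!
    text: String!
}

# constructed comment line with a { brace that must be ignored
type Comment {
    id: ID!
    body: String!
}
'''

def type_header(text, start):
    """Return the directives between a type name and its body's opening brace."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
        elif text[i] == "{" and depth == 0:
            return text[start:i]
    return text[start:]

def unprotected_types(schema, required=("query",)):
    """Map each type name to the required operations that have no @auth rule."""
    # Drop comment lines, then blank string literals so rule contents are not parsed.
    lines = [l for l in schema.splitlines() if not l.lstrip().startswith("#")]
    text = STRING.sub('""', "\n".join(lines))
    findings = {}
    for m in TYPE_DEF.finditer(text):
        header = type_header(text, m.end())
        auth = re.search(r'@auth\s*\(', header)
        covered = set(AUTH_OP.findall(header[auth.end():])) if auth else set()
        missing = [op for op in required if op not in covered]
        if missing:
            findings[m.group(1)] = missing
    return findings
```

Run against a schema before deploying it, an empty result means every type has a rule for the operations you require; passing `required=OPERATIONS` also flags types whose mutations are still open.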

Yeah, that sounds like a valid one. So we could check that the JWT is valid and only then allow you to perform actions. If there were auth rules then they would be applied on top of this. Marking it as accepted and will tackle it in the upcoming sprints.