Support DQL variables in mutations

diggy · January 18, 2020, 11:27pm

Moved from GitHub dgraph/4615

Posted by F21:

Experience Report

What you wanted to do

I want to perform a mutation in an upsert block using user-provided data safely.

What you actually did

upsert ($name: string){
      query {
        var(func: eq(xid, "http://schema.org/Person")) {
          Type as uid
        }
        var(func: eq(<http://schema.org/name>, "Robin Wright")) {
          Person as uid
        }
      }
      mutation {
          set {
           uid(Person) <xid> "https://www.themoviedb.org/person/32-robin-wright" .
           uid(Person) <http://schema.org/type> uid(Type) .
           uid(Person) <http://schema.org/name> $name .
           uid(Person) <dgraph.type> "Person" .
          }
      }
    }

Why that wasn’t great, with examples

GraphQL variables are not supported in mutations, so it’s impossible to safely mutate user-provided data without error-prone validation.

Any external references to support your case

None at the moment.

diggy · March 5, 2020, 12:22pm

miko commented :

I also support this request. The rationale is the same as for GraphQL variables in queries: https://docs.dgraph.io/query-language/#graphql-variables

diggy · March 11, 2020, 11:50pm

MichaelJCompton commented :

This looks like a reasonable feature request.

I’m tagging it as accepted, which means it will get into our backlog of features to consider.

If we decide to implement it, we’ll post an update here.

freb · November 19, 2020, 10:19am

I just ran into this as well. Do you know if there has been a decision about whether this will be implemented?

MichelDiz · November 19, 2020, 5:04pm

@hardik do you have any idea?

freb · November 20, 2020, 3:37am

Just to provide some more context. In my specific case I needed to pass a Uid variable. This is pretty easy to validate before concatenating with the query string.

In cases where the variable is some sort of free-form string originating from a client, it would be very difficult to ensure the upsert query isn’t being injected. Essentially all the same reasons GraphQL variables are supported in standard queries.

But like I said, for Uids this isn’t much of an issue beyond having to prepare the requests a little differently.

masonlr · March 31, 2021, 5:51pm

+1 for this feature.

Would it be possible to make it more clear in docs that upsert variables aren’t currently supported? (I spent a lot of time trying to debug this today when I came across the problem in pydgraph and then reproduced a minimal example using raw curl requests.)

Minimal Example

Set the schema using GraphQL:

# schema.graphql
type Project {
    id: String! @id
    name: String @search(by: [term])
    description: String @search(by: [term])
}

Create the schema:

curl -X POST localhost:8080/admin/schema --data-binary '@schema.graphql'

Create inital data:

curl -H "Content-Type: application/json" -X POST localhost:8080/mutate?commitNow=true -d $'
    {
      "set": [
        {
          "Project.id": "06b49118-a34a-4254-b1a1-49e3096676aa",
          "Project.name": "test",
          "Project.description": "test",
          "dgraph.type": "Project"
        },
        {
          "Project.id": "8296209e-9e3e-4170-892f-14ca17281eca",
          "Project.name": "test",
          "Project.description": "test",
          "dgraph.type": "Project"
        }
      ]
    }' | jq

Demonstrate the problem:

First example fails with variable

curl -H "Content-Type: application/json" -X POST localhost:8080/mutate?commitNow=true -d '
{
  "query": "query foo($id: string) { bar(func: eq(Project.id, $id )) {v as uid} }",
  "delete": {
    "uid": "uid(v)"
  },
  "variables": {"$id": "8296209e-9e3e-4170-892f-14ca17281eca"}
}' | jq

The response bar query is blank:

{
  "data": {
    "code": "Success",
    "message": "Done",
    "queries": {
      "bar": []
    },
    "uids": {}
  },
  "extensions": {
    "server_latency": {
      "parsing_ns": 44507,
      "processing_ns": 837772,
      "encoding_ns": 29162,
      "assign_timestamp_ns": 757242,
      "total_ns": 1750146
    },
    "txn": {
      "start_ts": 21328,
      "commit_ts": 21329
    }
  }
}

Second example works with a hard-coded data

curl -H "Content-Type: application/json" -X POST localhost:8080/mutate?commitNow=true -d '
{
  "query": "query foo($id: string) { bar(func: eq(Project.id, \"8296209e-9e3e-4170-892f-14ca17281eca\" )) {v as uid} }",
  "delete": {
    "uid": "uid(v)"
  },
  "variables": {"$id": "8296209e-9e3e-4170-892f-14ca17281eca"}
}' | jq

The response bar query is populated:

{
  "data": {
    "code": "Success",
    "message": "Done",
    "queries": {
      "bar": [
        {
          "uid": "0x4ec9"
        }
      ]
    },
    "uids": {}
  },
  "extensions": {
    "server_latency": {
      "parsing_ns": 85802,
      "processing_ns": 1154781,
      "encoding_ns": 50707,
      "assign_timestamp_ns": 507082,
      "total_ns": 1828617
    },
    "txn": {
      "start_ts": 21309,
      "commit_ts": 21310,
      "preds": [
        "1-Project.description",
        "1-Project.id",
        "1-Project.name",
        "1-dgraph.type"
      ]
    }
  }
}

MichelDiz · March 31, 2021, 7:27pm

Hey, this issue is to track DQL Vars on mutations. I think there is one about the RAW HTTP requests. Currently Dgo supports DQL Vars on Upsert Block. The other clients I’m not sure about.

masonlr · March 31, 2021, 7:49pm

Apologies, I thought this was relevant as the examples are using DQL queries and the mutate endpoint.

MichelDiz · March 31, 2021, 8:53pm

It is the same topic, but different things. We have a kind of support for DQL Vars in Upsert Block mutation, but there’s no concept of DQL vars in the mutation block which is the point of the user F21.

Poolshark · October 3, 2022, 1:05pm

@MichelDiz

How do we use vars inside upsert then?

jdgamble555 · October 3, 2022, 9:12pm

https://dgraph.io/docs/mutations/upsert-block/

There is also conditional upsert:

https://dgraph.io/docs/mutations/conditional-upsert/

J

MichelDiz · October 3, 2022, 11:06pm

Let’s not confuse things. This post is about DQL Vars(former GraphQL Variables). It’s not about query/Value variables. But you could use vars(Value variables) in conjunction with DQL Vars.

But we need to support this

e.g.

curl -H "Content-Type: application/rdf" -X POST localhost:8080/mutate?commitNow=true -d $'
upsert {
  query foo($value: string) {
    v as var(func: eq(something)) {
      test as string($value) #this doesn't exist
    }
  }

  mutation {
    set {
      uid(v) <other> val(test) . #you would pass the value via test variable.
    }
  }
}' | jq

Poolshark · October 4, 2022, 7:32am

@MichelDiz thanks for the answer!

Maybe I have to elaborate a bit more here. I think I know how to define the variables in a query but I have no clue how to submit/attach them with the mutation!

I’m using dql.mutate in a custom lambda and tried

dql.mutate({
  query: `query Test($uid: string) { q(func: uid($uid)) { uid }`,
  mutations:[{}],
  variables: { $uid: “0x1” }
})

But then I’m getting the error that a UID must be defined, which indicates that $uid is not getting submitted.

MichelDiz · October 4, 2022, 1:55pm

I’m afraid Upsert Mutation doesn’t support DQL variables. Because they are from the Query context. And Upsert Query is a mutation with Query characteristics. I remember there was a way to make this happen via go. But via RAW HTTP it was not. It was one thing to check and then support.

lambdas are RAW HTTP. Unless you use gRPC somehow.

Topic		Replies	Views
Using GraphQL variables in upsert mutations Users	2	867	May 23, 2020
How to set variable in mutation during upsert? Dgraph kind:question , area:upsert	5	862	November 2, 2020
Upset using variable -DQL Issues	5	307	October 7, 2021
RFC: Upsert Mutations GraphQL rfc , area:graphql	5	983	March 11, 2021
Cannot Run Upsert in Dgraph Cloud DQl UI Dgraph Cloud / Slash GraphQL area:upsert	1	667	July 15, 2021