Vue + Apollo + Dgraph Security Concerns

Hey team,

I’ve been working on a project for a kind of social network application that has a Go backend service and a Vue + Nuxt frontend service. It was using MySQL, but we have decided to migrate it to Dgraph, so GraphQL. After we decided to use Vue + Nuxt + Apollo to connect from the frontend directly to Dgraph, we thought: won’t that expose the mutation/query endpoint and the data to the users, so they can mutate however they want?

Let’s say you are viewing a user’s profile:

  • if you are a friend of theirs, you can see the whole profile, so the query will fetch every piece of information about the user
  • if you are not a friend of theirs, you can see just the name, surname and profile photo, so the query will fetch just this data.

By putting if/else statements in the frontend I can separate these queries and the calls to Dgraph, but users can call the query themselves (with the token, endpoint, etc.), and then they will get all the information?

How can I stop that kind of authorization problem?

Or would it be better to fetch the data from an API that fetches it from GraphQL?


I think you can either wait on support for field-level auth() or put the information you want to protect in a separate object and then protect that object with a rule. But that is not a super great solution.

We are still waiting on the Dgraph team to come up with a solution to the backend security concerns, with a timeframe. I have posted several posts about it and have not gotten an answer on their plans yet. There are many posts about this.

Field Level Auth was on the 21.03 Roadmap, and later changed, so I imagine it will be in 21.07.

However, there are some hacks you can do for now (see my above post as well)…

As well as @lambda custom mutations…, or outsourcing the checks with custom resolvers…

J
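As an added illustration of the "separate object + rule" workaround suggested above (this is example schema written for this thread, not code from the original posts or from the Dgraph project), here is how the profile split from the first post could look as a Dgraph GraphQL schema. The public fields stay on `User`, which has no `@auth` rule, while the sensitive fields move to a `PrivateProfile` node guarded by a type-level `@auth` query rule. Type names, field names, the JWT namespace, and the `USER` claim are all assumptions for this example; the verification key is a placeholder that has to be replaced with the secret or public key of the auth server that issues the tokens.

```graphql
# Public part of a profile: no @auth rule, so anyone holding a valid
# request can read name, surname and photo. Nothing sensitive lives here.
type User {
  username: String! @id
  name: String!
  surname: String!
  photoUrl: String
  friends: [User]
  private: PrivateProfile @hasInverse(field: owner)
}

# Sensitive part of a profile, kept in its own node because Dgraph's
# @auth rules are evaluated per type, not per field. A PrivateProfile
# node is returned only if one of the "or" rules matches; otherwise the
# `private` edge simply resolves to null for that caller.
type PrivateProfile @auth(
  query: { or: [
    # Rule 1: the owner of the profile can always read it.
    { rule: """
      query ($USER: String!) {
        queryPrivateProfile {
          owner(filter: { username: { eq: $USER } }) { username }
        }
      }
    """ },
    # Rule 2: anyone listed in the owner's friends can read it.
    # Auth rules are evaluated with cascade semantics, so the node is
    # allowed only if the whole path owner -> friends(filter) matches.
    { rule: """
      query ($USER: String!) {
        queryPrivateProfile {
          owner {
            friends(filter: { username: { eq: $USER } }) { username }
          }
        }
      }
    """ }
  ]},
  # Only the owner may change the private data (add/delete omitted here).
  update: { rule: """
    query ($USER: String!) {
      queryPrivateProfile {
        owner(filter: { username: { eq: $USER } }) { username }
      }
    }
  """ }
) {
  id: ID!
  owner: User!
  email: String!
  phone: String
  birthday: DateTime
}

# Tells Dgraph how to verify the JWT sent in the X-Auth-Token header and
# where to find the $USER claim. The placeholder key MUST be replaced;
# $USER comes from the verified token, never from client-controlled input.
# Dgraph.Authorization {"VerificationKey":"REPLACE-WITH-AUTH-SERVER-KEY","Header":"X-Auth-Token","Namespace":"https://example.com/jwt/claims","Algo":"HS256"}
```

With this schema a query such as `getUser(username: "alice") { name photoUrl private { email } }` returns the public fields for everyone, but `private` is `null` unless the token's `USER` claim is Alice or one of Alice's friends, regardless of what fields the frontend happens to request. The check is enforced by Dgraph, so the if/else in the Vue code becomes a display concern rather than a security boundary. The limitation the replies point out is still visible: all fields in `PrivateProfile` share one visibility level, so each additional tier (friends-of-friends, followers, etc.) needs its own type and rule until field-level auth exists.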