When to use which headers

gotjoshua · September 15, 2020, 4:23pm

In my recent attempts to understand dgraph and the rich man and poor man’s auth options i came across an issue with http request headers and cors.

I realized that I’m not sure about when to use the various headers that are currently accepted by the alpha servers’ http endpoints.

Here is the list of all currently accepted access-control-allow-headers:

Content-Length, Accept-Encoding, Cache-Control, (these 3 i’ll ignore for now)

X-Dgraph-AccessToken : used for rich man’s ACL auth (in dgraph-js-http = ACL_TOKEN_HEADER via the login function )

X-Auth-Token: apparently used with slash api (in dgraph-js-http = SLASH_API_KEY_HEADER)

X-CSRF-Token : Cross-Site Request Forgery (not found in dgraph-js-http)

X-Requested-With: Somehow related to CSRF

Content-Type: I’m not sure which content type is best for which type of request to which endpoint - i’d love to see a table about this including alter/, admin/, query/, mutate/, graphql/, etc… the docs have some examples but no consolidated overview…

One header that is missing in the alpha allow list is:
X-Dgraph-Auth-Token: this is needed for securing alter operations (in dgraph-js-http = ALPHA_AUTH_TOKEN_HEADER)

Specific Questions:
X-CSRF-Token, X-Requested-With : Is it true that they are allowed but never checked by dgraph? so basically unusable?

When I want to use the @auth GraphQL directives, which is the recommended header for the JWT ?

chewxy · September 15, 2020, 7:18pm

@gotjoshua I’m sorry you’re getting a bit confused on this. It is rather confusing. Perhaps the client owners (@paras, @apoorv-kumar, @abhimanyusinghgaur, @paulftw, @gja ) would know

p/s: This seems like something we should have better docs for. Perhaps some enumerations? @mjc

gotjoshua · September 15, 2020, 8:08pm

Thanks for the reply (and compassion) @chewxy !

I am happy to work on some PRs for docs, but I need to wrap my head around the whole thing first ; )

gja · September 16, 2020, 8:28am

Yes, X-Auth-Token is specific to Slash GraphQL. It’s the only header that Slash GraphQL uses for authentication / authorization for admin functionality (creating / updating databases, etc…)

Any header that you put in the auth magic comment will be added to the Access-Control-Allow-Headers header, so you can use any header you’d like. X-Auth-Token is one we see commonly used.

I believe these two are unused in dgraph itself.

Topic		Replies	Views
@auth, cors, securing alter operations, and request headers Dgraph kind:question , auth , area:security , ticket:created , cors	6	1515	January 15, 2021
Passing x-auth0-token while using dgraph-js-http Dgraph Clients kind:question	3	707	October 17, 2020
Update package for dgraph-js-http Dgraph dgraph , dgraph-js-http , dgraph-js	7	983	September 27, 2020
Passing HTTP headers for @lambda GraphQL kind:question , kind:enhancement	7	1859	January 31, 2021
Concerns about authentication/authorization in DGraph with GraphQL endpoint Dgraph Cloud kind:question , auth , status:accepted	4	1198	September 24, 2020

When to use which headers

Related topics