When to use which headers

gotjoshua · September 15, 2020, 4:23pm

In my recent attempts to understand dgraph and the rich man and poor man’s auth options i came across an issue with http request headers and cors.

I realized that I’m not sure about when to use the various headers that are currently accepted by the alpha servers’ http endpoints.

Here is the list of all currently accepted access-control-allow-headers:

Content-Length, Accept-Encoding, Cache-Control, (these 3 i’ll ignore for now)

X-Dgraph-AccessToken : used for rich man’s ACL auth (in dgraph-js-http = ACL_TOKEN_HEADER via the login function )

X-Auth-Token: apparently used with slash api (in dgraph-js-http = SLASH_API_KEY_HEADER)

X-CSRF-Token : Cross-Site Request Forgery (not found in dgraph-js-http)

X-Requested-With: Somehow related to CSRF

Content-Type: I’m not sure which content type is best for which type of request to which endpoint - i’d love to see a table about this including alter/, admin/, query/, mutate/, graphql/, etc… the docs have some examples but no consolidated overview…

One header that is missing in the alpha allow list is:
X-Dgraph-Auth-Token: this is needed for securing alter operations (in dgraph-js-http = ALPHA_AUTH_TOKEN_HEADER)

Specific Questions:
X-CSRF-Token, X-Requested-With : Is it true that they are allowed but never checked by dgraph? so basically unusable?

When I want to use the @auth GraphQL directives, which is the recommended header for the JWT ?

chewxy · September 15, 2020, 7:18pm

@gotjoshua I’m sorry you’re getting a bit confused on this. It is rather confusing. Perhaps the client owners (@paras, @apoorv-kumar, @abhimanyusinghgaur, @paulftw, @gja ) would know

p/s: This seems like something we should have better docs for. Perhaps some enumerations? @mjc

gotjoshua · September 15, 2020, 8:08pm

Thanks for the reply (and compassion) @chewxy !

I am happy to work on some PRs for docs, but I need to wrap my head around the whole thing first ; )

gja · September 16, 2020, 8:28am

Yes, X-Auth-Token is specific to Slash GraphQL. It’s the only header that Slash GraphQL uses for authentication / authorization for admin functionality (creating / updating databases, etc…)

Any header that you put in the auth magic comment will be added to the Access-Control-Allow-Headers header, so you can use any header you’d like. X-Auth-Token is one we see commonly used.

I believe these two are unused in dgraph itself.

Topic		Replies	Views
Concerns about authentication/authorization in DGraph with GraphQL endpoint Dgraph Cloud kind:question , auth , status:accepted	4	1075	September 24, 2020
Putting it All Together - Dgraph Authentication, Authorization, and Granular Access Control (PART 2) - Dgraph Blog Blog	12	1494	January 15, 2022
Authentication mechanism for all Dgraph versions App Development auth	1	588	March 31, 2021
Any client sample for user authentication Dgraph kind:question , auth	1	426	September 28, 2020
JWT authentication Dgraph dgraph , status:accepted , status:needs-attenti , kind:feature , status:more-info-nee	1	933	May 5, 2020

When to use which headers

Related Topics