When to use which headers

In my recent attempts to understand Dgraph and the rich man's and poor man's auth options, I came across an issue with HTTP request headers and CORS.

I realized that I’m not sure about when to use the various headers that are currently accepted by the alpha servers’ http endpoints.

Here is the list of all currently accepted access-control-allow-headers:

Content-Length, Accept-Encoding, Cache-Control (these 3 I'll ignore for now)

X-Dgraph-AccessToken: used for rich man's ACL auth (in dgraph-js-http = ACL_TOKEN_HEADER via the login function)

X-Auth-Token: apparently used with slash api (in dgraph-js-http = SLASH_API_KEY_HEADER)

X-CSRF-Token: Cross-Site Request Forgery (not found in dgraph-js-http)

X-Requested-With: Somehow related to CSRF

Content-Type: I'm not sure which content type is best for which type of request to which endpoint. I'd love to see a table about this including alter/, admin/, query/, mutate/, graphql/, etc… The docs have some examples but no consolidated overview…

One header that is missing in the alpha allow list is:
X-Dgraph-Auth-Token: this is needed for securing alter operations (in dgraph-js-http = ALPHA_AUTH_TOKEN_HEADER)

Specific Questions:
X-CSRF-Token, X-Requested-With: Is it true that they are allowed but never checked by Dgraph? So basically unusable?

When I want to use the @auth GraphQL directives, which is the recommended header for the JWT ?

@gotjoshua I’m sorry you’re getting a bit confused on this. It is rather confusing. Perhaps the client owners (@paras, @apoorv-kumar, @abhimanyusinghgaur, @paulftw, @gja ) would know

P.S.: This seems like something we should have better docs for. Perhaps some enumerations? @mjc


Thanks for the reply (and compassion) @chewxy !

I am happy to work on some PRs for docs, but I need to wrap my head around the whole thing first ; )

Yes, X-Auth-Token is specific to Slash GraphQL. It’s the only header that Slash GraphQL uses for authentication / authorization for admin functionality (creating / updating databases, etc…)

Any header that you put in the auth magic comment will be added to the Access-Control-Allow-Headers header, so you can use any header you’d like. X-Auth-Token is one we see commonly used.

I believe these two are unused in dgraph itself.
