In my recent attempts to understand dgraph and the rich man and poor man’s auth options i came across an issue with http request headers and cors.
I realized that I’m not sure about when to use the various headers that are currently accepted by the alpha servers’ http endpoints.
Here is the list of all currently accepted access-control-allow-headers:
Content-Length, Accept-Encoding, Cache-Control, (these 3 i’ll ignore for now)
X-Dgraph-AccessToken : used for rich man’s ACL auth (in dgraph-js-http = ACL_TOKEN_HEADER via the login function )
X-Auth-Token: apparently used with slash api (in dgraph-js-http = SLASH_API_KEY_HEADER)
X-CSRF-Token : Cross-Site Request Forgery (not found in dgraph-js-http)
X-Requested-With: Somehow related to CSRF
Content-Type: I’m not sure which content type is best for which type of request to which endpoint - i’d love to see a table about this including alter/, admin/, query/, mutate/, graphql/, etc… the docs have some examples but no consolidated overview…
X-CSRF-Token, X-Requested-With : Is it true that they are allowed but never checked by dgraph? so basically unusable?
When I want to use the @auth GraphQL directives, which is the recommended header for the JWT ?