cosmo
Field-level authorization is skipped when using aliases
Component(s)
router
Component version
v2.0.0-rc.170
wgc version
0.78.1
controlplane version
0.137.0
router version
0.200.0
What happened?
Description
Field-level authorization using @requiresScopes can be bypassed if the protected field is accessed via an alias in the query. The cause is a bug in how the GraphCoordinate is computed (in resolvable.go) during field authorization in the underlying graphql-go-tools package.
An issue was created in the graphql-go-tools repo as well: 1131
The relevant line in resolvable.go, where the coordinate's field name is taken from field.Name:
fieldName := unsafebytes.BytesToString(field.Name)
Steps to Reproduce
- Define a protected field in a subgraph:
  type Query {
    user(id: String!): User @requiresScopes(scopes: [["read:users"]])
  }
- Call the query without the required scope:
  user(id: "u123") {
    firstName
  }
  → This is correctly blocked.
- Call the same query with an alias:
  user1: user(id: "u123") {
    firstName
  }
  → This bypasses the scope check and returns data.
Expected Result
The second query should be blocked just like the first. Aliasing the field name should not affect the authorization checks.
Actual Result
Aliased queries bypass field-level authorization because field.Name reflects the alias, not the schema field name.
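The mechanism, reduced to a standalone Go example added here (not cosmo or graphql-go-tools code): the Field type, the requiredScopes policy map and the Authorize function are constructed stand-ins for the resolver's coordinate lookup, with useResponseKey switching between the buggy alias-keyed lookup and the schema-name lookup.

```go
package main

import "fmt"

// Field stands in for a resolvable field node (constructed here, not
// graphql-go-tools' own type): Name is the schema field name, Alias the alias.
type Field struct {
	TypeName, Name, Alias string
}

// requiredScopes mirrors @requiresScopes(scopes: [["read:users"]]) on
// Query.user: the outer list is OR, each inner list is AND.
var requiredScopes = map[string][][]string{
	"Query.user": {{"read:users"}},
}

// hasScopes evaluates the OR-of-ANDs scope sets against the caller's scopes.
func hasScopes(required [][]string, have []string) bool {
	set := map[string]bool{}
	for _, s := range have {
		set[s] = true
	}
	for _, and := range required {
		ok := true
		for _, s := range and {
			ok = ok && set[s]
		}
		if ok {
			return true
		}
	}
	return false
}

// Authorize reports whether f may be resolved with the caller's scopes.
// useResponseKey reproduces the reported bug: the lookup is keyed on the alias.
func Authorize(f Field, have []string, useResponseKey bool) bool {
	name := f.Name
	if useResponseKey && f.Alias != "" {
		name = f.Alias
	}
	req, protected := requiredScopes[f.TypeName+"."+name]
	return !protected || hasScopes(req, have)
}

func main() {
	aliased := Field{TypeName: "Query", Name: "user", Alias: "user1"}
	fmt.Println(Authorize(aliased, nil, true))  // true: alias bypasses the check
	fmt.Println(Authorize(aliased, nil, false)) // false: blocked as expected
}
```

With the alias, "Query.user1" matches no policy, so the buggy lookup treats the field as unprotected; keying on the schema name restores the check.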
Environment information
Environment
Router configuration
Router execution config
Log output
Additional context
No response