Type Auth policy not enforced on result from custom cypher Query/Mutations
Describe the bug
Apologies if this isn't a bug but is by design; the behavior described here isn't the behavior I would expect.
Given a simple schema:
```graphql
type UserProfile {
  id: ID! @id
  name: String!
}

extend type UserProfile @auth(rules: [
  { roles: ["user"], where: { id: "$jwt.sub" } }
  { roles: ["admin"] }
])

type Query {
  myCustomQuery: [UserProfile] @cypher(
    statement: """MATCH (userProfile:UserProfile) RETURN userProfile"""
  )
}
```
When calling `myCustomQuery`, all `UserProfile` nodes will be returned to a "user", even though the type is annotated with @auth directives where only a subset should be returned.
Whilst it's possible for the implementer of the custom cypher query to be diligent in ensuring all auth rules declared in the schema are applied in their query, mistakes can easily be made, or auth directives could be updated without realizing the logic was duplicated in several queries.
It would be awesome if the GraphQL library could wrap custom cypher queries in the auth logic for reading on custom Queries to ensure the declared auth rules are applied, and data doesn't leak (not sure how/if custom mutations could/should be handled).
Expected behavior
I would expect the auth directives to be applied to the resolved types.
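A worked model of the rules described in the issue above, as an added example that is not part of the original issue or of the @neo4j/graphql library. It evaluates the two declared `@auth` rules against constructed sample `UserProfile` rows for a given decoded JWT, shows which rows the unfiltered `MATCH ... RETURN` statement leaks for that caller, and generates the Cypher `WHERE` predicate a hand-rolled custom query would need in order to match the declared rules. The `$auth.roles` / `$auth.jwt` parameter names in the generated predicate are an assumption of this example, as is the sample data.

```javascript
// Added example, not code from the issue or from @neo4j/graphql.
// Models the @auth rules declared on UserProfile in the issue and
// compares what they permit with what the unfiltered custom Cypher returns.

// The rules as declared in the issue. Rules are OR'ed: a row is visible if
// at least one rule whose roles the caller holds also matches its `where`
// filter; a rule with no `where` matches every row.
const AUTH_RULES = [
  { roles: ["user"], where: { id: "$jwt.sub" } },
  { roles: ["admin"] },
];

// Constructed sample rows standing in for UserProfile nodes.
const USER_PROFILES = [
  { id: "u1", name: "Alice" },
  { id: "u2", name: "Bob" },
  { id: "u3", name: "Carol" },
];

const JWT_PREFIX = "$jwt.";

// Resolve a "$jwt.<claim>" reference against the decoded token; other
// values are literals and pass through unchanged.
function resolveJwtRef(value, jwt) {
  if (typeof value === "string" && value.startsWith(JWT_PREFIX)) {
    return jwt[value.slice(JWT_PREFIX.length)];
  }
  return value;
}

// A rule is active only if the caller holds at least one of its roles.
function ruleApplies(rule, jwt) {
  const roles = Array.isArray(jwt.roles) ? jwt.roles : [];
  return rule.roles.some((r) => roles.includes(r));
}

// An active rule admits a row when every `where` field equals its
// resolved value (no `where` means the rule admits every row).
function ruleMatchesRow(rule, row, jwt) {
  if (!rule.where) return true;
  return Object.entries(rule.where).every(
    ([field, ref]) => row[field] === resolveJwtRef(ref, jwt)
  );
}

// What the issue's custom statement does today: no filtering at all.
function unfilteredCustomQuery(rows) {
  return rows;
}

// What the declared @auth rules permit the holder of `jwt` to read.
function applyAuthRules(rows, jwt, rules = AUTH_RULES) {
  const active = rules.filter((rule) => ruleApplies(rule, jwt));
  return rows.filter((row) => active.some((rule) => ruleMatchesRow(rule, row, jwt)));
}

// Rows the unfiltered custom query returns that the rules do not permit.
function leakedRows(rows, jwt, rules = AUTH_RULES) {
  const allowed = new Set(applyAuthRules(rows, jwt, rules).map((r) => r.id));
  return unfilteredCustomQuery(rows).filter((r) => !allowed.has(r.id));
}

// Render one `where` value as a Cypher expression. Assumes the auth context
// is passed to the statement as a parameter named $auth with $auth.jwt and
// $auth.roles (a naming assumption of this example).
function cypherValue(ref) {
  if (typeof ref === "string" && ref.startsWith(JWT_PREFIX)) {
    return `$auth.jwt.${ref.slice(JWT_PREFIX.length)}`;
  }
  return typeof ref === "string" ? `'${ref.replace(/'/g, "\\'")}'` : String(ref);
}

// The WHERE predicate a hand-rolled custom query must carry so that it
// matches the declared rules for the node bound to `alias`.
function cypherPredicate(alias, rules = AUTH_RULES) {
  const clauses = rules.map((rule) => {
    const roleCheck = rule.roles.map((r) => `'${r}' IN $auth.roles`).join(" OR ");
    const whereCheck = Object.entries(rule.where || {})
      .map(([field, ref]) => `${alias}.${field} = ${cypherValue(ref)}`)
      .join(" AND ");
    return whereCheck ? `((${roleCheck}) AND ${whereCheck})` : `(${roleCheck})`;
  });
  return clauses.join(" OR ");
}

// Usage: a plain "user" whose sub is u2 should see one row, yet the
// unfiltered statement hands back all three.
const caller = { sub: "u2", roles: ["user"] };
console.log("permitted:", applyAuthRules(USER_PROFILES, caller).map((r) => r.id));
console.log("leaked:", leakedRows(USER_PROFILES, caller).map((r) => r.id));
console.log("MATCH (userProfile:UserProfile) WHERE " + cypherPredicate("userProfile") + " RETURN userProfile");
```

The generated predicate is only as good as its source of truth: if the `@auth` rules on the type change, every custom statement that embeds a copy of the predicate has to be regenerated, which is exactly the duplication the issue warns about.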
We've been able to confirm this bug using the steps to reproduce that you provided - many thanks @rcbevans! :pray: We will now prioritise the bug and address it appropriately.
Just getting around to looking at some old issues. You'll see that we've re-labelled this as a feature request - this was never really intended to work as you were always "rolling your own" when using custom Cypher. However, it could be an interesting feature to add in future.
Ahead of refactoring how custom Cypher works (moving away from apoc.cypher.runFirstColumn), we'll put this one on hold to see how that work pans out first.
This has been fixed for a while with @authorization.