
Feat: Limit results using @auth directive #8124

@benwoodward

Description

This has been discussed on the forums here: https://discuss.dgraph.io/t/bug-cannot-limit-number-of-results-using-auth-directive-to-prevent-malicious-queries/14828

Dgraph's GraphQL allows you to use filters in @auth directive queries, and they can be applied when no JWT is supplied. For example, you want to allow unauthenticated users to view isPublic: true Todos:

type Todo @auth(
    query: { or: [
        # you are the author 
        { rule: ... },
        # or, the todo is marked as public
        { rule: """query { 
            queryTodo(filter: { isPublic: { eq: true } } ) { 
                id 
            } 
        }"""}
    ]}
) { 
    ...
    isPublic: Boolean
}

However, in order to replicate functionality that exists in https://ghost.org/ blogs, where users have access to differing amounts of content depending on their logged-in status and membership status, I'd need to be able to supply an @auth directive query that makes use of first: <n> query parameters. For example:

type Todo @auth(
    query: { or: [
        # you are the author 
        { rule: ... },
        # or, the todo is marked as public
        { rule: """query(first: 10) { 
            queryTodo(filter: { isPublic: { eq: true } } ) { 
                id 
            } 
        }"""}
    ]}
) { 
    ...
    isPublic: Boolean
}

What I’d like to do is:

  • If a user is not logged in, i.e. no JWT provided, then they can only query for the first 10 items
  • If a user is logged in, then they can query for the first 100 items
  • If a user is logged in and a member, then they can query for all items

Currently I can't do that via GraphQL.
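The three-tier policy described in the post, enforced as an added example that is not part of the issue and not Dgraph's own code. Because an @auth rule cannot carry first:, the check below sits in front of Dgraph (a gateway or middleware) and decides, per request, whether the caller's tier may see every row the query asks for. It uses only the Python standard library. The HS256 key, the claims namespace, the ROLE claim and the tier caps are assumptions chosen for illustration; the token minted by make_jwt is a constructed test fixture. Note that the cap is applied to offset + first rather than to first alone: capping only first would still let an anonymous caller page through the whole collection ten rows at a time.

```python
# Added example (not Dgraph's code and not from the issue author): a policy
# check placed in front of Dgraph that enforces per-tier result caps, since
# an @auth rule cannot carry `first:`. Standard library only. The HMAC key,
# the claims namespace, the ROLE claim and the tier caps are assumptions.
import base64
import hashlib
import hmac
import json
import re
from typing import Optional, Tuple

SECRET = b"demo-hs256-secret"                  # assumed shared key (constructed)
CLAIMS_NS = "https://my.app.io/jwt/claims"     # assumed claims namespace
CAPS = {"anonymous": 10, "user": 100, "member": None}   # None = unlimited


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_jwt(claims: dict) -> str:
    """Mint an HS256 token for testing; in production the IdP does this."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps({CLAIMS_NS: claims}).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def tier_from_jwt(token: Optional[str]) -> str:
    """Map a token to a tier. Anything missing or unverifiable is anonymous."""
    if not token:
        return "anonymous"
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return "anonymous"            # bad signature: claims are untrusted
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return "anonymous"            # only HS256 is ever accepted
        claims = json.loads(_b64url_decode(body)).get(CLAIMS_NS, {})
    except ValueError:                    # malformed base64, JSON or structure
        return "anonymous"
    return "member" if claims.get("ROLE") == "MEMBER" else "user"


# Regexes that pull `first`/`offset` off the top-level queryTodo call. A
# production gate should walk the parsed GraphQL AST instead; the regex is
# only good enough for argument lists without nested parentheses.
ARGS_RE = re.compile(r"\bqueryTodo\s*\(([^()]*)\)")
FIRST_RE = re.compile(r"\bfirst\s*:\s*(\$?\w+)")
OFFSET_RE = re.compile(r"\boffset\s*:\s*(\$?\w+)")


def _int_arg(regex, args: str, variables: dict) -> Optional[int]:
    """Resolve an int argument, following a $variable; None if absent/invalid."""
    m = regex.search(args)
    if not m:
        return None
    val = m.group(1)
    if val.startswith("$"):
        val = variables.get(val[1:])
    try:
        n = int(val)
    except (TypeError, ValueError):
        return None
    return n if n >= 0 else None


def check_request(query: str, variables: dict, token: Optional[str]) -> Tuple[bool, str]:
    """Allow the query only if the caller's tier can see every row it asks for.

    The cap bounds `offset + first`, not just `first`: otherwise a capped
    caller could page through the whole collection ten rows at a time.
    """
    tier = tier_from_jwt(token)
    cap = CAPS[tier]
    if cap is None:
        return True, f"{tier}: unlimited"
    m = ARGS_RE.search(query)
    args = m.group(1) if m else ""
    first = _int_arg(FIRST_RE, args, variables)
    if first is None:                     # missing `first` means unbounded
        return False, f"{tier}: `first` is required and must be <= {cap}"
    offset = _int_arg(OFFSET_RE, args, variables) or 0
    if offset + first > cap:
        return False, f"{tier}: offset {offset} + first {first} exceeds cap {cap}"
    return True, f"{tier}: offset {offset} + first {first} within cap {cap}"


if __name__ == "__main__":
    anon = "query { queryTodo(filter: { isPublic: { eq: true } }, first: 10) { id } }"
    print(check_request(anon, {}, None))
    print(check_request(anon, {}, make_jwt({"ROLE": "MEMBER"})))
```

The gate rejects rather than silently clamps, so a client that asks for more than its tier allows gets an explicit error instead of a truncated page it might mistake for the full set. The @auth filter rules in the post still do the row-level work (which rows are visible at all); this check only bounds how many of those rows one caller can reach.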

Labels: Stale; area/graphql (Issues related to GraphQL support on Dgraph); community (Issue or PR created by the community); investigate (Requires further investigation); kind/enhancement (Something could be better)
