Feature: Prevent any unauthorised user/session from running any query #91

Closed
2 tasks done
Jayuda opened this issue Sep 1, 2022 · 3 comments
Labels
feature New feature or request

Comments

@Jayuda

Jayuda commented Sep 1, 2022

Describe the bug

I have run surrealdb started with a root user and password. The server is running well, but when I hit it via the REST API without a username and password, I can still access queries.

Output from surreal:

[2022-09-01 09:28:19] INFO  surrealdb::iam Root authentication is enabled
[2022-09-01 09:28:19] INFO  surrealdb::iam Root username is 'userdb'
[2022-09-01 09:28:19] INFO  surrealdb::dbs Database strict mode is enabled
[2022-09-01 09:28:19] INFO  surrealdb::kvs Connecting to kvs store at tikv://192.23.192.212:2079
[2022-09-01 09:28:19] INFO  surrealdb::kvs Connected to kvs store at tikv://192.23.192.212:2079
[2022-09-01 09:28:19] INFO  surrealdb::net Starting web server on 0.0.0.0:8000
[2022-09-01 09:28:19] INFO  surrealdb::net Started web server on 0.0.0.0:8000

Steps to reproduce

Start SurrealDB with:

surreal start --strict --log trace --user userdb --pass userdb123 tikv://192.23.192.212:2079

Select from the HTTP REST API without username and password:

curl -X POST \
         -H "NS: myapplication" \
         -H "DB: myapplication" \
         -H "Content-Type: application/json" \
         -d "SELECT * FROM time::day('2021-11-01T08:30:17+00:00');" \
         http://192.23.192.210:8000/sql

It works, with result:

[{"time":"957.355µs","status":"OK","result":[1]}]

If I query some table, the authentication works, for example:

curl -X POST \
         -H "NS: myapplication" \
         -H "DB: myapplication" \
         -H "Content-Type: application/json" \
         -d "SELECT * FROM person WHERE age > 18" \
         http://192.23.192.210:8000/sql

The output is:

{"code":403,"details":"Authentication failed","description":"Your authentication details are invalid. Reauthenticate using valid authentication parameters.","information":"There was a problem with authentication"}

Expected behaviour

Request Not Authenticated

SurrealDB version

1.0.0-beta.7

Contact Details

Is there an existing issue for this?

  • I have searched the existing issues

Code of Conduct

  • I agree to follow this project's Code of Conduct
@Jayuda Jayuda added the bug Something isn't working label Sep 1, 2022
@tobiemh
Member

tobiemh commented Sep 1, 2022

Hey @Jayuda thanks so much for this issue submission 👍. We've actually been discussing this on the SurrealDB Discord.

The database currently allows connecting and querying from unauthenticated users (albeit they won't be able to see data which has not been allowed using PERMISSIONS).

We're thinking about adding in functionality to only allow requests from AUTHENTICATED user sessions, and to deny UNAUTHENTICATED sessions. This means a developer/user of SurrealDB would be able to completely disallow any unauthenticated session from running any query (even those that don't actually query table data, like the example you gave).

@tobiemh tobiemh changed the title Bug: Authentication Not Work Feature: Prevent any unauthorised user/session from running any query in SurrealDB Sep 1, 2022
@tobiemh tobiemh added feature New feature or request and removed bug Something isn't working labels Sep 1, 2022
@tobiemh tobiemh changed the title Feature: Prevent any unauthorised user/session from running any query in SurrealDB Feature: Prevent any unauthorised user/session from running any query Sep 1, 2022
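The behaviour reported above (anonymous requests can run statements that touch no table, while table reads are refused) can be checked from the outside. The script below is an added example, not code from the issue or from SurrealDB: it replays the two probe statements from the report against a /sql endpoint without any credentials, only the NS/DB headers, and classifies each response. The endpoint URL, namespace and database name are placeholders supplied on the command line; the response shapes it recognises are the ones shown in the issue (a 403 JSON error, or a 200 list of per-statement results).

```python
"""Audit check: can an anonymous session run queries on a SurrealDB /sql endpoint?

Added example, not part of the issue or of SurrealDB itself. It sends the two
probe statements from the report without an Authorization header and reports
whether the server rejected each. Endpoint, NS and DB are assumed placeholders.
"""
import json
import sys
import urllib.error
import urllib.request

# Probes taken from the issue: the first reads no table, the second does.
PROBES = {
    "function_only": "SELECT * FROM time::day('2021-11-01T08:30:17+00:00');",
    "table_read": "SELECT * FROM person WHERE age > 18;",
}


def classify(status, body):
    """Classify one anonymous /sql response.

    Returns 'denied' for a 403, 'allowed' when a 200 response carries a list of
    per-statement results that all report status OK (the shape the issue shows
    for the function-only probe), and 'unknown' for anything else.
    """
    if status == 403:
        return "denied"
    if status != 200:
        return "unknown"
    try:
        payload = json.loads(body)
    except ValueError:
        return "unknown"
    if isinstance(payload, list) and payload and all(
        isinstance(r, dict) and r.get("status") == "OK" for r in payload
    ):
        return "allowed"
    return "unknown"


def probe(endpoint, ns, db, statement, timeout=5):
    """POST one statement with NS/DB headers and no credentials; return (status, body)."""
    req = urllib.request.Request(
        endpoint,
        data=statement.encode(),
        method="POST",
        headers={"NS": ns, "DB": db, "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        # Error responses (e.g. the 403 from the issue) arrive as HTTPError.
        return e.code, e.read().decode()


def audit(endpoint, ns, db):
    """Run every probe and return {probe_name: verdict}."""
    return {name: classify(*probe(endpoint, ns, db, stmt)) for name, stmt in PROBES.items()}


def anonymous_access_allowed(results):
    """True if any probe executed, i.e. unauthenticated sessions can run queries."""
    return "allowed" in results.values()


if __name__ == "__main__":
    # Usage: python audit_anon.py http://127.0.0.1:8000/sql myapplication myapplication
    if len(sys.argv) != 4:
        sys.exit("usage: audit_anon.py <sql-endpoint> <namespace> <database>")
    url, ns, db = sys.argv[1:4]
    results = audit(url, ns, db)
    for name, verdict in results.items():
        print(f"{name}: {verdict}")
    sys.exit(1 if anonymous_access_allowed(results) else 0)
```

A non-zero exit means at least one anonymous probe executed, which is exactly the gap described in the issue; a deployment that denies unauthenticated sessions should report "denied" for both probes.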
@Jayuda
Author

Jayuda commented Sep 1, 2022

Thanks for responding to this issue. Hopefully it can be added soon so that SurrealDB can be more stable and secure.

@tobiemh
Member

tobiemh commented Sep 8, 2023

It is now possible to completely deny access to anonymous and unauthenticated users with #2547, and in addition it's now possible to set the function and query capabilities of a SurrealDB instance with #2489 🚀 🎉 😃 !

@tobiemh tobiemh closed this as completed Sep 8, 2023
@tobiemh tobiemh added this to the v1.0.0-beta.10 milestone Sep 8, 2023