Query security

FreeRoss · March 2, 2021, 9:48am

Is the following statement correct?:

The only way security (requiring a token) can be applied to a query is if it has a corresponding UDF and an assigned role?

thanks …

databrecht · March 9, 2021, 4:29pm

No that does not seem correct to me.

There are multiple ways to secure a query with roles.

A role can be assigned to a Key.
A role can deliver permissions to a Token, Tokens are linked to a document and that document can be part of the membership of the role in which case the token receives the priviliges of the role (https://docs.fauna.com/fauna/current/security/abac.html).
A function can receive a role upon creation.

With the introduction of AccessProviders there are actually more ways now to use roles related to third-party auth (Fauna | The distributed serverless database)

What is a correct statement though is:

“The only way to make sure that a user can only execute exactly the query you want him to execute is by using UDFs”

Roles define permissions with which you can precisely lock down which documents or indexes a user can access. Adding a UDF with a role lets you encapsulate what the query can contain.

Topic		Replies	Views
Setting a role on the UDF vs. the User Help authentication , best-practices	6	1212	May 4, 2021
Read restriction. (field level) Help fql , best-practices	4	280	June 21, 2022
Role for User vs. Role for UDF called by User Help	5	580	May 18, 2021
Inconsistent security behavior when using UDFs with GraphQL Help graphql , udfs , abac	12	1039	April 11, 2022
Determine Roles of a specific User Help fql , best-practices	3	651	January 11, 2022

Query security

No that does not seem correct to me.

What is a correct statement though is:

Related topics