Query security

Is the following statement correct?:

The only way security (requiring a token) can be applied to a query is if it has a corresponding UDF and an assigned role?

thanks …

No that does not seem correct to me.

There are multiple ways to secure a query with roles.

  • A role can be assigned to a Key.
  • A role can deliver permissions to a Token, Tokens are linked to a document and that document can be part of the membership of the role in which case the token receives the priviliges of the role (Attribute-based access control (ABAC) | Fauna Documentation).
  • A function can receive a role upon creation.

image

With the introduction of AccessProviders there are actually more ways now to use roles related to third-party auth (Setting up SSO authentication in Fauna with Auth0)

What is a correct statement though is:

“The only way to make sure that a user can only execute exactly the query you want him to execute is by using UDFs”

Roles define permissions with which you can precisely lock down which documents or indexes a user can access. Adding a UDF with a role lets you encapsulate what the query can contain.

1 Like