I think you’re misunderstanding how the @auth directive works in Dgraph. Keep in mind I can’t speak for how it is implemented under-the-hood in other databases.
The @auth directive is actually handled on the server. It is not middleware, as a long time ago, the Dgraph team, for better or worse, decided to put the core code right next to the core dql code. I can confirm this, as I have dug deep into the core graphql code.
The @auth does not get triggered, and then your final query gets triggered separately. In fact, it compiles with your query, as an extra filter. This means it is faster, and you ultimately just have one filter. If I look for todos, my @auth is going to filter for todos I have access to from the beginning, hence never over-fetching, and then filtering those results.
It is actually pretty powerful and remarkable. There are definitely issues with implementing complex @auth directives in large schemas, there are some missing features etc, but it ultimately doesn’t slow down your code any more than necessary.
FWI: This is exactly how postgres policies work and compile.
I used to think this way, until I realized how big the Graph Database community is. A lot of people want something different than neo4j, and they don’t care about GraphQL. Dgraph is ultimately both a Firebase (Hasura) competitor and a neo4j competitor, and there sometimes isn’t a lot of overlap. I also suspect the Graph Database users (analytics etc) are the ones giving Dgraph the most money. There are also people in between who like and use both of course. Either way, I can tell you from many conversations on here, Dgraph isn’t quite sure of the percentages, but they are certain who gives them money. This could have changed, however, in the last two years, but I doubt it. I could be wrong, but this is what I have gathered from the old active community.
Most of the features I believe Dgraph needs, won’t add any more logic to the Schema itself. @custom dql queries are the equivalent to @execute btw.
There have been many posts about separating the @auth rules into another file. I think this would be a good idea. First things first: get a new version up and running, knocking out some of these huge bugs (as well as things like pre-hooks).
J
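
As an added illustration (not part of the post above and not taken from Dgraph's source), this is a Dgraph GraphQL schema with an owner-based @auth rule of the kind the post describes. The type and field names, the header name, the claims namespace and the key placeholder are assumed sample values.

```graphql
# Constructed sample schema. The rule below is itself a GraphQL query:
# a Todo is visible only if it also matches this query for the caller's
# USER claim, so the check is expressed as a filter on the same type.
type Todo @auth(
  query: { rule: """
    query ($USER: String!) {
      queryTodo(filter: { owner: { eq: $USER } }) {
        id
      }
    }"""
  }
  # add, update and delete take rules of the same shape; an operation
  # without a rule is not restricted, so each one needs its own entry.
  delete: { rule: """
    query ($USER: String!) {
      queryTodo(filter: { owner: { eq: $USER } }) {
        id
      }
    }"""
  }
) {
  id: ID!
  text: String! @search(by: [term])
  owner: String! @search(by: [hash])
}

# $USER is read from a verified JWT claim, never from client variables.
# Placeholder values; supply your own key, header and namespace.
# Dgraph.Authorization {"VerificationKey":"<your-key>","Header":"X-Auth-Token","Namespace":"https://example.com/jwt/claims","Algo":"HS256"}

# A client request such as
#
#   query { queryTodo(filter: { text: { anyofterms: "milk" } }) { id text } }
#
# behaves, per the description above, as if the rule were and-ed into it:
#
#   filter: { text: { anyofterms: "milk" }, and: { owner: { eq: <USER claim> } } }
#
# so rows owned by other users are never selected in the first place,
# rather than being fetched and then dropped by a separate check.
```

Because the rule filters on `owner`, that field carries a `@search` index; a rule that references an unindexed field will be rejected when the schema is loaded.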