But what has that to do with previous conversations?
If I find more time I will try to dig deeper into this to understand better what is going on. I assume that when a GraphQL schema gets deployed and the DQL schema gets generated, the DQL schema then simply doesn’t get the @auth rules since there is simply no way to do that in DQL (unless I’ve missed something). However, since everything gets rewritten in DQL, the same rewritten @auth queries could get attached to “nodes” which represent the dgraph.type when querying via DQL. But yes, this would be a bit weird to do and obviously a bit hacky.
The question now got even more interesting: If DQL does not respect @auth rules, then why even attach the X-Auth-Token to DQL requests? And what (if there is any) is that process.env.DGRAPH_TOKEN?