@Jan-Niclas_Gladbach what problem are you having? Just trying to use a password fields to write an auth rule? I would be careful about using it in a @auth rule, because that means the password would be in your jwt as clear text always. I would write a mutation script that checls the password using that query not in an auth rule and generate a jwt token that is authorized but does not contain the password. I wrote some articles around this 
For simplicity I didn’t use the password field or specially generated functions to check the password But, you could enhance what I had to add those things somewhat easily.