Can't query facts added with authorizer_merge!

[Tipnos]

Below an example showing the issue:

use biscuit_auth::{macros::*, KeyPair};

fn main() {
    let mut authorizer = biscuit!(r#"fact("foo");"#)
        .build(&KeyPair::new())
        .unwrap()
        .authorizer()
        .unwrap();

    authorizer_merge!(&mut authorizer, r#"fact("bar");"#);

    let query_facts: Vec<(String,)> = authorizer.query(rule!("x($n) <- fact($n)")).unwrap();
    let (dumped_facts, _, _, _) = authorizer.dump();
    // [Fact { predicate: Predicate { name: "fact", terms: [Str("foo")] }, parameters: None },
    // Fact { predicate: Predicate { name: "fact", terms: [Str("bar")] }, parameters: Some({}) }]
    println!("{:?}", dumped_facts);

    // panic here!
    assert!(query_facts.len() == 2);
}

It looks like query don't lookup on facts added with authorizer_merge!

[divarvel]

Thanks! I'm not sure how much of this is intended behaviour or not.

In any case, it should be properly documented.

[wez]

I'm just getting my feet wet with this crate, so weight my comment accordingly.

I think the current behavior is desirable, and if different semantics are needed, I think an additional or alternative query method should be provided for that.

Here's my scenario:

The base token includes some facts (such as a list of resources that are to be updated as part of an operation) that I can trust, because they were put into the token by the original token issuer.

In my endpoint I plan to use the query method to extract those facts from the base token and use those to determine which resources my endpoint should operate on. This way my endpoint doesn't accept any additional parameters from the client; it will only operate on the trusted facts in the token. Additional appended facts are not to be trusted; these are the same semantics as described and illustrated in https://doc.biscuitsec.org/reference/datalog#block-scoping