Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issue overriding the "authorized?" method in BaseField #4936

Closed
codingwaysarg opened this issue Apr 27, 2024 · 2 comments
Closed

Issue overriding the "authorized?" method in BaseField #4936

codingwaysarg opened this issue Apr 27, 2024 · 2 comments

Comments

@codingwaysarg
Copy link

codingwaysarg commented Apr 27, 2024
edited by rmosolgo

Describe the bug

Im overriding the authorized? method based on the documentation, in order to support an "authenticate" key for my fields.


module Types
  class BaseField < GraphQL::Schema::Field
    include ApolloFederation::Field
    argument_class Types::BaseArgument

    def initialize(*args, authenticate: true, **kwargs, &block)
      @authenticate = authenticate
      super(*args, **kwargs, &block)
    end

    attr_reader :authenticate

    def authorized?(object, args, context)
      super && (!@authenticate || context[:current_user].present?)
    end
  end
end

Then, in order to test, my query_type looks like this:


module Types
  class QueryType < Types::BaseObject
    field :current_user, Types::UserType, null: true, authenticate: false

    def current_user
      User.first
    end
  end
end

As you can see, i'm passing authenticate: false to the field.
The thing is that, when I call this query:


query {
  currentUser {
    id
  }
}

it looks like the "id" field inside my user_type is still checking for the authenticate option, even its parent explicitly says authenticate: false.

I understand thats because in the initialize method, the argument authenticate is "true" by default, because that is what i want. I would like all fields to require authentication by default, except the ones i mark with authenticate: false, but I dont know if fields inside a type can also behave with the same option set on the parent.

Versions

graphql version: 2.3.1
rails (or other framework): 7.1.3.2
apollo-federation: 3.8.5

GraphQL schema

Include relevant types and fields (in Ruby is best, in GraphQL IDL is ok). Any custom extensions, etc?

module Types
  class UserType < Types::BaseObject
    key fields: :id

    field :id, ID, null: false
    field :email, String, null: false
    field :company_id, ID, null: false
    field :company, Types::CompanyType, null: false

    def company
      { __typename: 'Company', id: object[:company_id] }
    end
  end
end


# frozen_string_literal: true

class ApiSchema < GraphQL::Schema
  GraphQL::Types::Relay::PageInfo.include ApolloFederation::Object
  GraphQL::Types::Relay::PageInfo.shareable

  include ApolloFederation::Schema
  federation version: '2.0'

  mutation(Types::MutationType)
  query(Types::QueryType)

  use GraphQL::Dataloader

  max_query_string_tokens(5000)
  validate_max_errors(100)

  def self.unauthorized_object(error)
    raise GraphQL::ExecutionError, "An object of type #{error.type.graphql_name} was hidden due to permissions"
  end

  def self.unauthorized_field(error)
    raise GraphQL::ExecutionError, "The field #{error.field.graphql_name} on an object of type #{error.type.graphql_name} was hidden due to permissions"
  end
end

module Types
  class BaseObject < GraphQL::Schema::Object
    include ApolloFederation::Object
    edge_type_class(Types::BaseEdge)
    connection_type_class(Types::BaseConnection)
    field_class Types::BaseField
    underscore_reference_keys true
  end
end

GraphQL query

Example GraphQL query and response (if query execution is involved)

query {
  currentUser {
    id
  }
}
{
  "errors": [
    {
      "message": "The field id on an object of type User was hidden due to permissions",
      "path": [
        "currentUser",
        "id"
      ],
      "extensions": {
        "serviceName": "users",
        "code": "DOWNSTREAM_SERVICE_ERROR",
        "stacktrace": [
          "GraphQLError: The field id on an object of type User was hidden due to permissions",
          "    at Object.err (/home/jpmermoz/Code/Other/customer-api-federation/node_modules/@apollo/federation-internals/dist/error.js:11:32)",
          "    at downstreamServiceError (/home/jpmermoz/Code/Other/customer-api-federation/node_modules/@apollo/gateway/dist/executeQueryPlan.js:523:120)",
          "    at /home/jpmermoz/Code/Other/customer-api-federation/node_modules/@apollo/gateway/dist/executeQueryPlan.js:341:59",
          "    at Array.map (<anonymous>)",
          "    at sendOperation (/home/jpmermoz/Code/Other/customer-api-federation/node_modules/@apollo/gateway/dist/executeQueryPlan.js:341:44)",
          "    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)",
          "    at async /home/jpmermoz/Code/Other/customer-api-federation/node_modules/@apollo/gateway/dist/executeQueryPlan.js:255:49",
          "    at async executeNode (/home/jpmermoz/Code/Other/customer-api-federation/node_modules/@apollo/gateway/dist/executeQueryPlan.js:200:17)",
          "    at async executeNode (/home/jpmermoz/Code/Other/customer-api-federation/node_modules/@apollo/gateway/dist/executeQueryPlan.js:174:40)",
          "    at async /home/jpmermoz/Code/Other/customer-api-federation/node_modules/@apollo/gateway/dist/executeQueryPlan.js:96:35"
        ]
      }
    }
  ],
  "data": {
    "currentUser": null
  }
}

Steps to reproduce

Steps to reproduce the behavior

Expected behavior

Return the user with its ID

Actual behavior

I have permissions for the user field, but I cannot query fields inside it, like the ID field.
@rmosolgo
Copy link
Owner

Hi! Thanks for the detailed report and sorry for the trouble.

Given the setup you shared, if you want the ID field to not require authentication, you have to configure it with authenticate: false, for example:

field :id, ID, authenticate: false # don't require logging in for this field

Alternatively, you could update your BaseField definition to handle this special case, for example:

    def authorized?(object, args, context)
      # Allow this field if either: 
      # - authenticate: false was configured, 
      # - or, a current_user is present, 
      # - or, it's an ID field
      super && (!@authenticate || context[:current_user].present? || graphql_name == "id")
    end

(Maybe that solution isn't exactly what you want, but hopefully that gives the idea ...)

Would one of those approaches work for you?

@codingwaysarg
Copy link
Author

Hi, thank you for your quick answer!
I was looking for a more "generic" solution that wouldnt involve puting authenticate: false on every field.

I ended up doing something like this:


module Types
  class BaseField < GraphQL::Schema::Field
    include ApolloFederation::Field
    argument_class Types::BaseArgument

    def initialize(*args, authenticate: true, **kwargs, &block)
      @authenticate = authenticate
      super(*args, **kwargs, &block)
    end

    attr_reader :authenticate

    def authorized?(object, args, context)
      return super unless root_level_field?
      super && (!@authenticate || context[:current_user].present?)
    end

    def root_level_field?
      %w(Types::QueryType Types::MutationType).include?(owner.name)
    end
  end
end

Of course this will work only for root level fields (defined in query_type or mutation_type) but is enough for know.
Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rmosolgo @codingwaysarg