graphql 1.8.3 → 1.8.4

data/lib/graphql/relay/mutation/instrumentation.rb

@@ -12,8 +12,7 @@ module GraphQL
         def self.instrument(type, field)
           if field.mutation.is_a?(GraphQL::Relay::Mutation) || (field.mutation.is_a?(Class) && field.mutation < GraphQL::Schema::RelayClassicMutation)
             new_resolve = Mutation::Resolve.new(field.mutation, field.resolve_proc)
-            new_lazy_resolve = Mutation::Resolve.new(field.mutation, field.lazy_resolve_proc)
-            field.redefine(resolve: new_resolve, lazy_resolve: new_lazy_resolve)
+            field.redefine(resolve: new_resolve)
           else
             field
           end

data/lib/graphql/relay/mutation/resolve.rb

@@ -21,10 +21,8 @@ module GraphQL
             err
           end
 
-          if ctx.schema.lazy?(mutation_result)
-            mutation_result
-          else
-            build_result(mutation_result, args, ctx)
+          ctx.schema.after_lazy(mutation_result) do |res|
+            build_result(res, args, ctx)
           end
         end
 

data/lib/graphql/relay/node.rb

@@ -41,12 +41,7 @@ module GraphQL
 
       # @return [GraphQL::InterfaceType] The interface which all Relay types must implement
       def self.interface
-        @interface ||= GraphQL::InterfaceType.define do
-          name("Node")
-          description("An object with an ID.")
-          field(:id, types.ID.to_non_null_type, "ID of the object.")
-          default_relay(true)
-        end
+        @interface ||= GraphQL::Types::Relay::Node.graphql_definition
       end
 
       # A field resolve for finding objects by IDs

data/lib/graphql/relay/page_info.rb

@@ -2,14 +2,6 @@
 module GraphQL
   module Relay
     # Wrap a Connection and expose its page info
-    PageInfo = GraphQL::ObjectType.define do
-      name("PageInfo")
-      description("Information about pagination in a connection.")
-      field :hasNextPage, !types.Boolean, "When paginating forwards, are there more items?", property: :has_next_page
-      field :hasPreviousPage, !types.Boolean, "When paginating backwards, are there more items?", property: :has_previous_page
-      field :startCursor, types.String, "When paginating backwards, the cursor to continue.", property: :start_cursor
-      field :endCursor, types.String, "When paginating forwards, the cursor to continue.", property: :end_cursor
-      default_relay true
-    end
+    PageInfo = GraphQL::Types::Relay::PageInfo.graphql_definition
   end
 end

data/lib/graphql/schema.rb

@@ -69,6 +69,7 @@ module GraphQL
   #   end
   #
   class Schema
+    extend Forwardable
     extend GraphQL::Schema::Member::AcceptsDefinition
     include GraphQL::Define::InstanceDefinable
     accepts_definitions \
@@ -155,7 +156,7 @@ module GraphQL
       @parse_error_proc = DefaultParseError
       @instrumenters = Hash.new { |h, k| h[k] = [] }
       @lazy_methods = GraphQL::Execution::Lazy::LazyMethodMap.new
-      @lazy_methods.set(GraphQL::Relay::ConnectionResolve::LazyNodesWrapper, :never_called)
+      @lazy_methods.set(GraphQL::Execution::Lazy, :value)
       @cursor_encoder = Base64Encoder
       # Default to the built-in execution strategy:
       @query_execution_strategy = self.class.default_execution_strategy
@@ -534,6 +535,10 @@ module GraphQL
       @type_error_proc = new_proc
     end
 
+    # Can't delegate to `class`
+    alias :_schema_class :class
+    def_delegators :_schema_class, :visible?, :accessible?, :authorized?, :unauthorized_object, :inaccessible_fields
+
     # A function to call when {#execute} receives an invalid query string
     #
     # @see {DefaultParseError} is the default behavior.
@@ -647,7 +652,7 @@ module GraphQL
         :static_validator, :introspection_system,
         :query_analyzers, :middleware, :tracers, :instrumenters,
         :query_execution_strategy, :mutation_execution_strategy, :subscription_execution_strategy,
-        :validate, :multiplex_analyzers, :lazy?, :lazy_method_name,
+        :validate, :multiplex_analyzers, :lazy?, :lazy_method_name, :after_lazy,
         # Configuration
         :max_complexity=, :max_depth=,
         :metadata,
@@ -696,6 +701,7 @@ module GraphQL
         schema_defn.cursor_encoder = cursor_encoder
         schema_defn.tracers.concat(defined_tracers)
         schema_defn.query_analyzers.concat(defined_query_analyzers)
+        schema_defn.query_analyzers << GraphQL::Authorization::Analyzer
         schema_defn.middleware.concat(defined_middleware)
         schema_defn.multiplex_analyzers.concat(defined_multiplex_analyzers)
         defined_instrumenters.each do |step, insts|
@@ -835,6 +841,41 @@ module GraphQL
         raise NotImplementedError, "#{self.name}.id_from_object(object, type, ctx) must be implemented to create global ids (tried to create an id for `#{object.inspect}`)"
       end
 
+      def visible?(member, context)
+        call_on_type_class(member, :visible?, context, default: true)
+      end
+
+      def accessible?(member, context)
+        call_on_type_class(member, :accessible?, context, default: true)
+      end
+
+      # This hook is called when a client tries to access one or more
+      # fields that fail the `accessible?` check.
+      #
+      # By default, an error is added to the response. Override this hook to
+      # track metrics or return a different error to the client.
+      #
+      # @param error [InaccessibleFieldsError] The analysis error for this check
+      # @return [AnalysisError, nil] Return an error to skip the query
+      def inaccessible_fields(error)
+        error
+      end
+
+      # This hook is called when an object fails an `authorized?` check.
+      # You might report to your bug tracker here, so you can correct
+      # the field resolvers not to return unauthorized objects.
+      #
+      # By default, this hook just replaces the unauthorized object with `nil`.
+      #
+      # If you want to add an error to the `"errors"` key, raise a {GraphQL::ExecutionError}
+      # in this hook.
+      #
+      # @param unauthorized_error [GraphQL::UnauthorizedError]
+      # @return [Object] The returned object will be put in the GraphQL response
+      def unauthorized_object(unauthorized_error)
+        nil
+      end
+
       def type_error(type_err, ctx)
         DefaultTypeError.call(type_err, ctx)
       end
@@ -905,6 +946,29 @@ module GraphQL
       def defined_multiplex_analyzers
         @defined_multiplex_analyzers ||= []
       end
+
+      # Given this schema member, find the class-based definition object
+      # whose `method_name` should be treated as an application hook
+      # @see {.visible?}
+      # @see {.accessible?}
+      # @see {.authorized?}
+      def call_on_type_class(member, method_name, *args, default:)
+        member = if member.respond_to?(:metadata)
+          member.metadata[:type_class] || member
+        else
+          member
+        end
+
+        if member.respond_to?(:relay_node_type) && (t = member.relay_node_type)
+          member = t
+        end
+
+        if member.respond_to?(method_name)
+          member.public_send(method_name, *args)
+        else
+          default
+        end
+      end
     end
 
 
@@ -923,6 +987,24 @@ module GraphQL
       end
     end
 
+    # Call the given block at the right time, either:
+    # - Right away, if `value` is not registered with `lazy_resolve`
+    # - After resolving `value`, if it's registered with `lazy_resolve` (eg, `Promise`)
+    # @api private
+    def after_lazy(value)
+      if (lazy_method = lazy_method_name(value))
+        GraphQL::Execution::Lazy.new do
+          result = value.public_send(lazy_method)
+          # The returned result might also be lazy, so check it, too
+          after_lazy(result) do |final_result|
+            yield(final_result)
+          end
+        end
+      else
+        yield(value)
+      end
+    end
+
     protected
 
     def rescues?
@@ -937,15 +1019,6 @@ module GraphQL
 
     private
 
-    # Wrap Relay-related objects in wrappers
-    # @api private
-    BUILT_IN_INSTRUMENTERS = [
-      GraphQL::Relay::ConnectionInstrumentation,
-      GraphQL::Relay::EdgesInstrumentation,
-      GraphQL::Relay::Mutation::Instrumentation,
-      GraphQL::Schema::Member::Instrumentation,
-    ]
-
     def rebuild_artifacts
       if @rebuilding_artifacts
         raise CyclicalDefinitionError, "Part of the schema build process re-triggered the schema build process, causing an infinite loop. Avoid using Schema#types, Schema#possible_types, and Schema#get_field during schema build."

data/lib/graphql/schema/argument.rb

@@ -9,6 +9,7 @@ module GraphQL
 
       # @return [String] the GraphQL name for this argument, camelized unless `camelize: false` is provided
       attr_reader :name
+      alias :graphql_name :name
 
       # @return [GraphQL::Schema::Field, Class] The field or input object this argument belongs to
       attr_reader :owner
@@ -53,6 +54,18 @@ module GraphQL
         end
       end
 
+      def visible?(context)
+        true
+      end
+
+      def accessible?(context)
+        true
+      end
+
+      def authorized?(obj, ctx)
+        true
+      end
+
       def to_graphql
         argument = GraphQL::Argument.new
         argument.name = @name

data/lib/graphql/schema/enum.rb

@@ -24,7 +24,7 @@ module GraphQL
 
       class << self
         extend Forwardable
-        def_delegators :graphql_definition, :coerce_isolated_input, :coerce_isolated_result
+        def_delegators :graphql_definition, :coerce_isolated_input, :coerce_isolated_result, :coerce_input, :coerce_result
 
         # Define a value for this enum
         # @param graphql_name [String, Symbol] the GraphQL value for this, usually `SCREAMING_CASE`

data/lib/graphql/schema/enum_value.rb

@@ -69,6 +69,10 @@ module GraphQL
         enum_value.metadata[:type_class] = self
         enum_value
       end
+
+      def visible?(_ctx); true; end
+      def accessible?(_ctx); true; end
+      def authorized?(_ctx); true; end
     end
   end
 end

data/lib/graphql/schema/field.rb

@@ -8,7 +8,8 @@ module GraphQL
       include GraphQL::Schema::Member::HasArguments
 
       # @return [String] the GraphQL name for this field, camelized unless `camelize: false` is provided
-      attr_accessor :name
+      attr_reader :name
+      alias :graphql_name :name
 
       # @return [String]
       attr_accessor :description
@@ -274,20 +275,52 @@ module GraphQL
         raise ArgumentError, "Failed to build return type for #{@owner.graphql_name}.#{name} from #{@return_type_expr.inspect}: #{$!.message}", $!.backtrace
       end
 
+      def visible?(context)
+        if @resolver_class
+          @resolver_class.visible?(context)
+        else
+          true
+        end
+      end
+
+      def accessible?(context)
+        if @resolver_class
+          @resolver_class.accessible?(context)
+        else
+          true
+        end
+      end
+
+      def authorized?(object, context)
+        if @resolver_class
+          @resolver_class.authorized?(object, context)
+        else
+          true
+        end
+      end
+
       # Implement {GraphQL::Field}'s resolve API.
       #
       # Eventually, we might hook up field instances to execution in another way. TBD.
       def resolve_field(obj, args, ctx)
-        if @resolve_proc
-          # Might be nil, still want to call the func in that case
-          inner_obj = obj && obj.object
-          @resolve_proc.call(inner_obj, args, ctx)
-        elsif @resolver_class
-          inner_obj = obj && obj.object
-          singleton_inst = @resolver_class.new(object: inner_obj, context: ctx.query.context)
-          public_send_field(singleton_inst, args, ctx)
-        else
-          public_send_field(obj, args, ctx)
+        ctx.schema.after_lazy(obj) do |after_obj|
+          # First, apply auth ...
+          query_ctx = ctx.query.context
+          inner_obj = after_obj && after_obj.object
+          if authorized?(inner_obj, query_ctx) && arguments.each_value.all? { |a| a.authorized?(inner_obj, query_ctx) }
+            # Then if it passed, resolve the field
+            if @resolve_proc
+              # Might be nil, still want to call the func in that case
+              @resolve_proc.call(inner_obj, args, ctx)
+            elsif @resolver_class
+              singleton_inst = @resolver_class.new(object: inner_obj, context: query_ctx)
+              public_send_field(singleton_inst, args, ctx)
+            else
+              public_send_field(after_obj, args, ctx)
+            end
+          else
+            nil
+          end
         end
       end
 

data/lib/graphql/schema/interface.rb

@@ -17,6 +17,26 @@ module GraphQL
           self::DefinitionMethods.module_eval(&block)
         end
 
+        # The interface is visible if any of its possible types are visible
+        def visible?(context)
+          context.schema.possible_types(self).each do |type|
+            if context.schema.visible?(type, context)
+              return true
+            end
+          end
+          false
+        end
+
+        # The interface is accessible if any of its possible types are accessible
+        def accessible?(context)
+          context.schema.possible_types(self).each do |type|
+            if context.schema.accessible?(type, context)
+              return true
+            end
+          end
+          false
+        end
+
         # Here's the tricky part. Make sure behavior keeps making its way down the inheritance chain.
         def included(child_class)
           if !child_class.is_a?(Class)

data/lib/graphql/schema/introspection_system.rb

@@ -84,7 +84,7 @@ module GraphQL
           if obj.is_a?(GraphQL::Schema::Object)
             obj = obj.object
           end
-          wrapped_object = @object_class.new(obj, query_ctx)
+          wrapped_object = @object_class.authorized_new(obj, query_ctx)
           @inner_resolve.call(wrapped_object, args, ctx)
         end
       end

data/lib/graphql/schema/member/base_dsl_methods.rb

@@ -22,7 +22,7 @@ module GraphQL
             overridden
           else # Fallback to Ruby constant name
             raise NotImplementedError, 'Anonymous class should declare an `graphql_name`' if name.nil?
-            
+
             name.split("::").last.sub(/Type\Z/, "")
           end
         end
@@ -72,12 +72,34 @@ module GraphQL
           raise NotImplementedError
         end
 
+        alias :unwrap :itself
+
         def overridden_graphql_name
           @graphql_name || find_inherited_method(:overridden_graphql_name, nil)
         end
 
-        def unwrap
-          self
+        def visible?(context)
+          if @mutation
+            @mutation.visible?(context)
+          else
+            true
+          end
+        end
+
+        def accessible?(context)
+          if @mutation
+            @mutation.accessible?(context)
+          else
+            true
+          end
+        end
+
+        def authorized?(object, context)
+          if @mutation
+            @mutation.authorized?(object, context)
+          else
+            true
+          end
         end
 
         private

data/lib/graphql/schema/member/instrumentation.rb

@@ -27,7 +27,7 @@ module GraphQL
             # If it has a wrapper, apply it
             wrapper_class = root_type.metadata[:type_class]
             if wrapper_class
-              new_root_value = wrapper_class.new(query.root_value, query.context)
+              new_root_value = wrapper_class.authorized_new(query.root_value, query.context)
               query.root_value = new_root_value
             end
           end
@@ -72,39 +72,37 @@ module GraphQL
 
           def call(obj, args, ctx)
             result = @inner_resolve.call(obj, args, ctx)
-            if ctx.schema.lazy?(result)
-              # Wrap it later
-              result
-            elsif ctx.skip == result
+            if ctx.skip == result || ctx.schema.lazy?(result) || result.nil? || result.is_a?(GraphQL::ExecutionError) || ctx.wrapped_object
               result
             else
-              proxy_to_depth(result, @list_depth, @inner_return_type, ctx)
+              ctx.wrapped_object = true
+              proxy_to_depth(result, @list_depth, ctx)
             end
+          rescue GraphQL::UnauthorizedError => err
+            ctx.schema.unauthorized_object(err)
           end
 
           private
 
-          def proxy_to_depth(obj, depth, type, ctx)
-            if obj.nil?
-              obj
-            elsif depth > 0
-              obj.map { |inner_obj| proxy_to_depth(inner_obj, depth - 1, type, ctx) }
+          def proxy_to_depth(inner_obj, depth, ctx)
+            if depth > 0
+              inner_obj.map { |i| proxy_to_depth(i, depth - 1, ctx) }
             else
-              concrete_type = case type
+              concrete_type = case @inner_return_type
               when GraphQL::UnionType, GraphQL::InterfaceType
-                ctx.query.resolve_type(type, obj)
+                ctx.query.resolve_type(@inner_return_type, inner_obj)
               when GraphQL::ObjectType
-                type
+                @inner_return_type
               else
-                raise "unexpected proxying type #{type} for #{obj} at #{ctx.owner_type}.#{ctx.field.name}"
+                raise "unexpected proxying type #{@inner_return_type} for #{inner_obj} at #{ctx.owner_type}.#{ctx.field.name}"
               end
 
               if concrete_type && (object_class = concrete_type.metadata[:type_class])
                 # use the query-level context here, since it won't be field-specific anyways
                 query_ctx = ctx.query.context
-                object_class.new(obj, query_ctx)
+                object_class.authorized_new(inner_obj, query_ctx)
               else
-                obj
+                inner_obj
               end
             end
           end