graphql_devise 0.13.4 → 0.14.2

data/graphql_devise.gemspec

@@ -28,7 +28,7 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = '>= 2.2.0'
 
   spec.add_dependency 'devise_token_auth', '>= 0.1.43', '< 2.0'
-  spec.add_dependency 'graphql', '>= 1.8', '< 1.12.0'
+  spec.add_dependency 'graphql', '>= 1.8', '< 1.13.0'
   spec.add_dependency 'rails', '>= 4.2', '< 6.2'
 
   spec.add_development_dependency 'appraisal'

data/lib/graphql_devise/concerns/controller_methods.rb

@@ -7,6 +7,12 @@ module GraphqlDevise
 
       private
 
+      def check_redirect_url_whitelist!(redirect_url)
+        if blacklisted_redirect_url?(redirect_url)
+          raise_user_error(I18n.t('graphql_devise.redirect_url_not_allowed', redirect_url: redirect_url))
+        end
+      end
+
       def raise_user_error(message)
         raise GraphqlDevise::UserError, message
       end
@@ -90,7 +96,7 @@ module GraphqlDevise
       end
 
       def find_resource(field, value)
-        if resource_class.try(:connection_config).try(:[], :adapter).try(:include?, 'mysql')
+        if resource_class.connection.adapter_name.downcase.include?('mysql')
           # fix for mysql default case insensitivity
           resource_class.where("BINARY #{field} = ? AND provider= ?", value, provider).first
         elsif Gem::Version.new(DeviseTokenAuth::VERSION) < Gem::Version.new('1.1.0')

data/lib/graphql_devise/default_operations/mutations.rb

@@ -5,18 +5,22 @@ require 'graphql_devise/mutations/login'
 require 'graphql_devise/mutations/logout'
 require 'graphql_devise/mutations/resend_confirmation'
 require 'graphql_devise/mutations/send_password_reset'
+require 'graphql_devise/mutations/send_password_reset_with_token'
 require 'graphql_devise/mutations/sign_up'
 require 'graphql_devise/mutations/update_password'
+require 'graphql_devise/mutations/update_password_with_token'
 
 module GraphqlDevise
   module DefaultOperations
     MUTATIONS = {
-      login:               { klass: GraphqlDevise::Mutations::Login, authenticatable: true },
-      logout:              { klass: GraphqlDevise::Mutations::Logout, authenticatable: true },
-      sign_up:             { klass: GraphqlDevise::Mutations::SignUp, authenticatable: true },
-      update_password:     { klass: GraphqlDevise::Mutations::UpdatePassword, authenticatable: true },
-      send_password_reset: { klass: GraphqlDevise::Mutations::SendPasswordReset, authenticatable: false },
-      resend_confirmation: { klass: GraphqlDevise::Mutations::ResendConfirmation, authenticatable: false }
+      login:                          { klass: GraphqlDevise::Mutations::Login, authenticatable: true },
+      logout:                         { klass: GraphqlDevise::Mutations::Logout, authenticatable: true },
+      sign_up:                        { klass: GraphqlDevise::Mutations::SignUp, authenticatable: true },
+      update_password:                { klass: GraphqlDevise::Mutations::UpdatePassword, authenticatable: true },
+      update_password_with_token:     { klass: GraphqlDevise::Mutations::UpdatePasswordWithToken, authenticatable: true },
+      send_password_reset:            { klass: GraphqlDevise::Mutations::SendPasswordReset, authenticatable: false },
+      send_password_reset_with_token: { klass: GraphqlDevise::Mutations::SendPasswordResetWithToken, authenticatable: false },
+      resend_confirmation:            { klass: GraphqlDevise::Mutations::ResendConfirmation, authenticatable: false }
     }.freeze
   end
 end

data/lib/graphql_devise/mutations/resend_confirmation.rb

@@ -9,6 +9,8 @@ module GraphqlDevise
       field :message, String, null: false
 
       def resolve(email:, redirect_url:)
+        check_redirect_url_whitelist!(redirect_url)
+
         resource = find_confirmable_resource(email)
 
         if resource

data/lib/graphql_devise/mutations/send_password_reset.rb

@@ -9,6 +9,8 @@ module GraphqlDevise
       field :message, String, null: false
 
       def resolve(email:, redirect_url:)
+        check_redirect_url_whitelist!(redirect_url)
+
         resource = find_resource(:email, get_case_insensitive_field(:email, email))
 
         if resource

data/lib/graphql_devise/mutations/send_password_reset_with_token.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module GraphqlDevise
+  module Mutations
+    class SendPasswordResetWithToken < Base
+      argument :email,        String, required: true
+      argument :redirect_url, String, required: true
+
+      field :message, String, null: false
+
+      def resolve(email:, redirect_url:)
+        check_redirect_url_whitelist!(redirect_url)
+
+        resource = find_resource(:email, get_case_insensitive_field(:email, email))
+
+        if resource
+          yield resource if block_given?
+
+          resource.send_reset_password_instructions(
+            email:         email,
+            provider:      'email',
+            redirect_url:  redirect_url,
+            template_path: ['graphql_devise/mailer']
+          )
+
+          if resource.errors.empty?
+            { message: I18n.t('graphql_devise.passwords.send_instructions') }
+          else
+            raise_user_error_list(I18n.t('graphql_devise.invalid_resource'), errors: resource.errors.full_messages)
+          end
+        else
+          raise_user_error(I18n.t('graphql_devise.user_not_found'))
+        end
+      end
+    end
+  end
+end

data/lib/graphql_devise/mutations/sign_up.rb

@@ -22,9 +22,7 @@ module GraphqlDevise
           raise_user_error(I18n.t('graphql_devise.registrations.missing_confirm_redirect_url'))
         end
 
-        if blacklisted_redirect_url?(redirect_url)
-          raise_user_error(I18n.t('graphql_devise.registrations.redirect_url_not_allowed', redirect_url: redirect_url))
-        end
+        check_redirect_url_whitelist!(redirect_url)
 
         resource.skip_confirmation_notification! if resource.respond_to?(:skip_confirmation_notification!)
 

data/lib/graphql_devise/mutations/update_password_with_token.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module GraphqlDevise
+  module Mutations
+    class UpdatePasswordWithToken < Base
+      argument :password,              String, required: true
+      argument :password_confirmation, String, required: true
+      argument :reset_password_token,  String, required: true
+
+      field :credentials,
+            GraphqlDevise::Types::CredentialType,
+            null:        true,
+            description: 'Authentication credentials. Resource must be signed_in for credentials to be returned.'
+
+      def resolve(reset_password_token:, **attrs)
+        raise_user_error(I18n.t('graphql_devise.passwords.password_recovery_disabled')) unless recoverable_enabled?
+
+        resource = resource_class.with_reset_password_token(reset_password_token)
+        raise_user_error(I18n.t('graphql_devise.passwords.reset_token_not_found')) if resource.blank?
+        raise_user_error(I18n.t('graphql_devise.passwords.reset_token_expired')) unless resource.reset_password_period_valid?
+
+        if resource.update(attrs)
+          yield resource if block_given?
+
+          response_payload               = { authenticatable: resource }
+          response_payload[:credentials] = set_auth_headers(resource) if controller.signed_in?(resource_name)
+
+          response_payload
+        else
+          raise_user_error_list(
+            I18n.t('graphql_devise.passwords.update_password_error'),
+            errors: resource.errors.full_messages
+          )
+        end
+      end
+    end
+  end
+end

data/lib/graphql_devise/resolvers/check_password_token.rb

@@ -27,6 +27,7 @@ module GraphqlDevise
           )
 
           if redirect_url.present?
+            check_redirect_url_whitelist!(redirect_url)
             controller.redirect_to(resource.build_auth_url(redirect_url, built_redirect_headers))
           else
             set_auth_headers(resource)

data/lib/graphql_devise/resolvers/confirm_account.rb

@@ -7,6 +7,8 @@ module GraphqlDevise
       argument :redirect_url,       String, required: true
 
       def resolve(confirmation_token:, redirect_url:)
+        check_redirect_url_whitelist!(redirect_url)
+
         resource = resource_class.confirm_by_token(confirmation_token)
 
         if resource.errors.empty?

data/lib/graphql_devise/schema_plugin.rb

@@ -2,13 +2,16 @@
 
 module GraphqlDevise
   class SchemaPlugin
+    # NOTE: Based on GQL-Ruby docs  https://graphql-ruby.org/schema/introspection.html
+    INTROSPECTION_FIELDS = ['__schema', '__type', '__typename']
     DEFAULT_NOT_AUTHENTICATED = ->(field) { raise GraphqlDevise::AuthenticationError, "#{field} field requires authentication" }
 
-    def initialize(query: nil, mutation: nil, authenticate_default: true, resource_loaders: [], unauthenticated_proc: DEFAULT_NOT_AUTHENTICATED)
+    def initialize(query: nil, mutation: nil, authenticate_default: true, public_introspection: !Rails.env.production?, resource_loaders: [], unauthenticated_proc: DEFAULT_NOT_AUTHENTICATED)
       @query                = query
       @mutation             = mutation
       @resource_loaders     = resource_loaders
       @authenticate_default = authenticate_default
+      @public_introspection = public_introspection
       @unauthenticated_proc = unauthenticated_proc
 
       # Must happen on initialize so operations are loaded before the types are added to the schema on GQL < 1.10
@@ -24,13 +27,12 @@ module GraphqlDevise
       # Authenticate only root level queries
       return yield unless event == 'execute_field' && path(trace_data).count == 1
 
-      field = traced_field(trace_data)
-      provided_value = authenticate_option(field, trace_data)
-      context = set_current_resource(context_from_data(trace_data))
+      field         = traced_field(trace_data)
+      auth_required = authenticate_option(field, trace_data)
+      context       = context_from_data(trace_data)
 
-      if !provided_value.nil?
-        raise_on_missing_resource(context, field) if provided_value
-      elsif @authenticate_default
+      if auth_required && !(public_introspection && introspection_field?(field))
+        context = set_current_resource(context)
         raise_on_missing_resource(context, field)
       end
 
@@ -39,10 +41,13 @@ module GraphqlDevise
 
     private
 
+    attr_reader :public_introspection
+
     def set_current_resource(context)
-      controller                 = context[:controller]
-      resource_names             = Array(context[:resource_name])
-      context[:current_resource] = resource_names.find do |resource_name|
+      controller     = context[:controller]
+      resource_names = Array(context[:resource_name])
+
+      context[:current_resource] ||= resource_names.find do |resource_name|
         unless Devise.mappings.key?(resource_name)
           raise(
             GraphqlDevise::Error,
@@ -88,11 +93,13 @@ module GraphqlDevise
     end
 
     def authenticate_option(field, trace_data)
-      if trace_data[:context]
+      auth_required = if trace_data[:context]
         field.metadata[:authenticate]
       else
         field.graphql_definition.metadata[:authenticate]
       end
+
+      auth_required.nil? ? @authenticate_default : auth_required
     end
 
     def reconfigure_warden!
@@ -107,6 +114,10 @@ module GraphqlDevise
         resource_loader.call(@query, @mutation)
       end
     end
+
+    def introspection_field?(field)
+      INTROSPECTION_FIELDS.include?(field.name)
+    end
   end
 end
 

data/lib/graphql_devise/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module GraphqlDevise
-  VERSION = '0.13.4'.freeze
+  VERSION = '0.14.2'.freeze
 end

data/spec/dummy/app/graphql/dummy_schema.rb

@@ -2,9 +2,10 @@
 
 class DummySchema < GraphQL::Schema
   use GraphqlDevise::SchemaPlugin.new(
-    query:            Types::QueryType,
-    mutation:         Types::MutationType,
-    resource_loaders: [
+    query:                Types::QueryType,
+    mutation:             Types::MutationType,
+    public_introspection: true,
+    resource_loaders:     [
       GraphqlDevise::ResourceLoader.new(
         'User',
         only: [

data/spec/dummy/app/graphql/mutations/reset_admin_password_with_token.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Mutations
+  class ResetAdminPasswordWithToken < GraphqlDevise::Mutations::UpdatePasswordWithToken
+    field :authenticatable, Types::AdminType, null: false
+
+    def resolve(reset_password_token:, **attrs)
+      super do |admin|
+        controller.sign_in(admin)
+      end
+    end
+  end
+end

data/spec/dummy/config/initializers/devise_token_auth.rb

@@ -39,6 +39,8 @@ DeviseTokenAuth.setup do |config|
 
   config.default_confirm_success_url = 'https://google.com'
 
+  config.redirect_whitelist = ['https://google.com']
+
   # By default we will use callbacks for single omniauth.
   # It depends on fields like email, provider and uid.
   # config.default_callbacks = true

data/spec/dummy/config/routes.rb

@@ -15,7 +15,8 @@ Rails.application.routes.draw do
     authenticatable_type: Types::CustomAdminType,
     skip:                 [:sign_up, :check_password_token],
     operations:           {
-      confirm_account: Resolvers::ConfirmAdminAccount
+      confirm_account:            Resolvers::ConfirmAdminAccount,
+      update_password_with_token: Mutations::ResetAdminPasswordWithToken
     },
     at:                   '/api/v1/admin/graphql_auth'
   )

data/spec/graphql/user_queries_spec.rb

@@ -0,0 +1,118 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Users controller specs' do
+  include_context 'with graphql schema test'
+
+  let(:schema)          { DummySchema }
+  let(:user)            { create(:user, :confirmed) }
+  let(:field)           { 'privateField' }
+  let(:public_message)  { 'Field does not require authentication' }
+  let(:private_message) { 'Field will always require authentication' }
+  let(:private_error) do
+    {
+      message:    "#{field} field requires authentication",
+      extensions: { code: 'AUTHENTICATION_ERROR' }
+    }
+  end
+
+  describe 'publicField' do
+    let(:query) do
+      <<-GRAPHQL
+        query {
+          publicField
+        }
+      GRAPHQL
+    end
+
+    context 'when using a regular schema' do
+      it 'does not require authentication' do
+        expect(response[:data][:publicField]).to eq(public_message)
+      end
+    end
+  end
+
+  describe 'privateField' do
+    let(:query) do
+      <<-GRAPHQL
+        query {
+          privateField
+        }
+      GRAPHQL
+    end
+
+    context 'when using a regular schema' do
+      context 'when user is authenticated' do
+        let(:resource) { user }
+
+        it 'allows to perform the query' do
+          expect(response[:data][:privateField]).to eq(private_message)
+        end
+
+        context 'when using a SchemaUser' do
+          let(:resource) { create(:schema_user, :confirmed) }
+
+          it 'allows to perform the query' do
+            expect(response[:data][:privateField]).to eq(private_message)
+          end
+        end
+      end
+    end
+
+    context 'when using an interpreter schema' do
+      let(:schema) { InterpreterSchema }
+
+      context 'when user is authenticated' do
+        let(:resource) { user }
+
+        it 'allows to perform the query' do
+          expect(response[:data][:privateField]).to eq(private_message)
+        end
+      end
+    end
+  end
+
+  describe 'user' do
+    let(:user_data) { { email: user.email, id: user.id } }
+    let(:query) do
+      <<-GRAPHQL
+        query {
+          user(id: #{user.id}) {
+            id
+            email
+          }
+        }
+      GRAPHQL
+    end
+
+    context 'when using a regular schema' do
+      context 'when user is authenticated' do
+        let(:resource) { user }
+
+        it 'allows to perform the query' do
+          expect(response[:data][:user]).to match(**user_data)
+        end
+      end
+    end
+
+    context 'when using an interpreter schema' do
+      let(:schema) { InterpreterSchema }
+
+      context 'when user is authenticated' do
+        let(:resource) { user }
+
+        it 'allows to perform the query' do
+          expect(response[:data][:user]).to match(**user_data)
+        end
+      end
+
+      context 'when user is not authenticated' do
+        # Interpreter schema fields are public unless specified otherwise (plugin setting)
+        it 'allows to perform the query' do
+          expect(response[:data][:user]).to match(**user_data)
+        end
+      end
+    end
+  end
+end