graphql_devise 0.13.5 → 0.14.3

data/docs/usage/reset_password_flow.md

@@ -0,0 +1,90 @@
+# Reset Password Flow
+This gem supports two different ways to reset a password on a resource. Each password reset flow has it's own set of
+operations and this document will explain in more detail how to use each.
+The first and most recently implemented flow is preferred as it requires less steps and doesn't require a mutation
+to return a redirect on the response. Flow 2 might be deprecated in the future.
+
+## Flow #1 (Preferred)
+This flow only has two steps. Each step name refers to the operation name you can use in the mount options to skip or override.
+
+### 1. send_password_reset_with_token
+This mutation will send an email to the specified address if it's found on the system. Returns an error if the email is not found. Here's an example assuming the resource used
+for authentication is `User`:
+```graphql
+mutation {
+  userSendPasswordResetWithToken(
+    email:       "vvega@wallaceinc.com",
+    redirectUrl: "https://google.com"
+  ) {
+    message
+  }
+}
+```
+The email will contain a link to the `redirectUrl` (https://google.com in the example) and append a `reset_password_token` query param. This is the token you will
+need to use in the next step in order to reset the password.
+
+### 2. update_password_with_token
+This mutation uses the token sent on the email to find the resource you are trying to recover.
+All you have to do is send a valid token together with the new password and password confirmation.
+Here's an example assuming the resource used for authentication is `User`:
+
+```graphql
+mutation {
+  userUpdatePasswordWithToken(
+    resetPasswordToken: "token_here",
+    password: "password123",
+    passwordConfirmation: "password123"
+  ) {
+    authenticatable { email }
+    credentials { accessToken }
+  }
+}
+```
+The mutation has two fields:
+1. `authenticatable`: Just like other mutations, returns the actual resource you just recover the password for.
+1. `credentials`: This is a nullable field. It will only return credentials as if you had just logged
+in into the app if you explicitly say so by overriding the mutation. The docs have more detail
+on how to extend the default behavior of mutations, but
+[here](https://github.com/graphql-devise/graphql_devise/blob/8c7c8a5ff1b35fb026e4c9499c70dc5f90b9187a/spec/dummy/app/graphql/mutations/reset_admin_password_with_token.rb)
+you can find an example mutation on what needs to be done in order for the mutation to return
+credentials after updating the password.
+
+## Flow 2 (Deprecated)
+This was the first flow to be implemented, requires an additional step and also to encode a GQL query in a url, so this is not the preferred method.
+Each step name refers to the operation name you can use in the mount options to skip or override.
+
+### 1. send_password_reset
+This mutation will send an email to the specified address if it's found on the system. Returns an error if the email is not found. Here's an example assuming the resource used
+for authentication is `User`:
+```graphql
+mutation {
+  userSendPasswordReset(
+    email:       "vvega@wallaceinc.com",
+    redirectUrl: "https://google.com"
+  ) {
+    message
+  }
+}
+```
+The email will contain an encoded GraphQL query that holds the reset token and redirectUrl.
+The query is described in the next step.
+
+### 2. check_password_token
+This query checks the reset password token and if successful changes a column in the DB (`allow_password_change`) to true.
+This change will allow for the next step to update the password without providing the current password.
+Then, this query will redirect to the provided `redirectUrl` with credentials.
+
+### 3. update_password
+This step requires the request to include authentication headers and will allow the user to
+update the password if step 2 was successful.
+Here's an example assuming the resource used for authentication is `User`:
+```graphql
+mutation {
+  userUpdatePassword(
+    password: "password123",
+    passwordConfirmation: "password123"
+  ) {
+    authenticatable { email }
+  }
+}
+```

data/graphql_devise.gemspec

@@ -28,11 +28,11 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = '>= 2.2.0'
 
   spec.add_dependency 'devise_token_auth', '>= 0.1.43', '< 2.0'
-  spec.add_dependency 'graphql', '>= 1.8', '< 1.12.0'
+  spec.add_dependency 'graphql', '>= 1.8', '< 1.13.0'
   spec.add_dependency 'rails', '>= 4.2', '< 6.2'
 
   spec.add_development_dependency 'appraisal'
-  spec.add_development_dependency 'coveralls'
+  spec.add_development_dependency 'coveralls-ruby', '~> 0.2'
   spec.add_development_dependency 'factory_bot'
   spec.add_development_dependency 'faker'
   spec.add_development_dependency 'generator_spec'

data/lib/graphql_devise/concerns/controller_methods.rb

@@ -7,6 +7,12 @@ module GraphqlDevise
 
       private
 
+      def check_redirect_url_whitelist!(redirect_url)
+        if blacklisted_redirect_url?(redirect_url)
+          raise_user_error(I18n.t('graphql_devise.redirect_url_not_allowed', redirect_url: redirect_url))
+        end
+      end
+
       def raise_user_error(message)
         raise GraphqlDevise::UserError, message
       end

data/lib/graphql_devise/default_operations/mutations.rb

@@ -5,18 +5,22 @@ require 'graphql_devise/mutations/login'
 require 'graphql_devise/mutations/logout'
 require 'graphql_devise/mutations/resend_confirmation'
 require 'graphql_devise/mutations/send_password_reset'
+require 'graphql_devise/mutations/send_password_reset_with_token'
 require 'graphql_devise/mutations/sign_up'
 require 'graphql_devise/mutations/update_password'
+require 'graphql_devise/mutations/update_password_with_token'
 
 module GraphqlDevise
   module DefaultOperations
     MUTATIONS = {
-      login:               { klass: GraphqlDevise::Mutations::Login, authenticatable: true },
-      logout:              { klass: GraphqlDevise::Mutations::Logout, authenticatable: true },
-      sign_up:             { klass: GraphqlDevise::Mutations::SignUp, authenticatable: true },
-      update_password:     { klass: GraphqlDevise::Mutations::UpdatePassword, authenticatable: true },
-      send_password_reset: { klass: GraphqlDevise::Mutations::SendPasswordReset, authenticatable: false },
-      resend_confirmation: { klass: GraphqlDevise::Mutations::ResendConfirmation, authenticatable: false }
+      login:                          { klass: GraphqlDevise::Mutations::Login, authenticatable: true },
+      logout:                         { klass: GraphqlDevise::Mutations::Logout, authenticatable: true },
+      sign_up:                        { klass: GraphqlDevise::Mutations::SignUp, authenticatable: true },
+      update_password:                { klass: GraphqlDevise::Mutations::UpdatePassword, authenticatable: true },
+      update_password_with_token:     { klass: GraphqlDevise::Mutations::UpdatePasswordWithToken, authenticatable: true },
+      send_password_reset:            { klass: GraphqlDevise::Mutations::SendPasswordReset, authenticatable: false },
+      send_password_reset_with_token: { klass: GraphqlDevise::Mutations::SendPasswordResetWithToken, authenticatable: false },
+      resend_confirmation:            { klass: GraphqlDevise::Mutations::ResendConfirmation, authenticatable: false }
     }.freeze
   end
 end

data/lib/graphql_devise/mutations/resend_confirmation.rb

@@ -9,6 +9,8 @@ module GraphqlDevise
       field :message, String, null: false
 
       def resolve(email:, redirect_url:)
+        check_redirect_url_whitelist!(redirect_url)
+
         resource = find_confirmable_resource(email)
 
         if resource

data/lib/graphql_devise/mutations/send_password_reset.rb

@@ -9,6 +9,8 @@ module GraphqlDevise
       field :message, String, null: false
 
       def resolve(email:, redirect_url:)
+        check_redirect_url_whitelist!(redirect_url)
+
         resource = find_resource(:email, get_case_insensitive_field(:email, email))
 
         if resource

data/lib/graphql_devise/mutations/send_password_reset_with_token.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module GraphqlDevise
+  module Mutations
+    class SendPasswordResetWithToken < Base
+      argument :email,        String, required: true
+      argument :redirect_url, String, required: true
+
+      field :message, String, null: false
+
+      def resolve(email:, redirect_url:)
+        check_redirect_url_whitelist!(redirect_url)
+
+        resource = find_resource(:email, get_case_insensitive_field(:email, email))
+
+        if resource
+          yield resource if block_given?
+
+          resource.send_reset_password_instructions(
+            email:         email,
+            provider:      'email',
+            redirect_url:  redirect_url,
+            template_path: ['graphql_devise/mailer']
+          )
+
+          if resource.errors.empty?
+            { message: I18n.t('graphql_devise.passwords.send_instructions') }
+          else
+            raise_user_error_list(I18n.t('graphql_devise.invalid_resource'), errors: resource.errors.full_messages)
+          end
+        else
+          raise_user_error(I18n.t('graphql_devise.user_not_found'))
+        end
+      end
+    end
+  end
+end

data/lib/graphql_devise/mutations/sign_up.rb

@@ -22,9 +22,7 @@ module GraphqlDevise
           raise_user_error(I18n.t('graphql_devise.registrations.missing_confirm_redirect_url'))
         end
 
-        if blacklisted_redirect_url?(redirect_url)
-          raise_user_error(I18n.t('graphql_devise.registrations.redirect_url_not_allowed', redirect_url: redirect_url))
-        end
+        check_redirect_url_whitelist!(redirect_url)
 
         resource.skip_confirmation_notification! if resource.respond_to?(:skip_confirmation_notification!)
 

data/lib/graphql_devise/mutations/update_password_with_token.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module GraphqlDevise
+  module Mutations
+    class UpdatePasswordWithToken < Base
+      argument :password,              String, required: true
+      argument :password_confirmation, String, required: true
+      argument :reset_password_token,  String, required: true
+
+      field :credentials,
+            GraphqlDevise::Types::CredentialType,
+            null:        true,
+            description: 'Authentication credentials. Resource must be signed_in for credentials to be returned.'
+
+      def resolve(reset_password_token:, **attrs)
+        raise_user_error(I18n.t('graphql_devise.passwords.password_recovery_disabled')) unless recoverable_enabled?
+
+        resource = resource_class.with_reset_password_token(reset_password_token)
+        raise_user_error(I18n.t('graphql_devise.passwords.reset_token_not_found')) if resource.blank?
+        raise_user_error(I18n.t('graphql_devise.passwords.reset_token_expired')) unless resource.reset_password_period_valid?
+
+        if resource.update(attrs)
+          yield resource if block_given?
+
+          response_payload               = { authenticatable: resource }
+          response_payload[:credentials] = set_auth_headers(resource) if controller.signed_in?(resource_name)
+
+          response_payload
+        else
+          raise_user_error_list(
+            I18n.t('graphql_devise.passwords.update_password_error'),
+            errors: resource.errors.full_messages
+          )
+        end
+      end
+    end
+  end
+end

data/lib/graphql_devise/resolvers/check_password_token.rb

@@ -27,6 +27,7 @@ module GraphqlDevise
           )
 
           if redirect_url.present?
+            check_redirect_url_whitelist!(redirect_url)
             controller.redirect_to(resource.build_auth_url(redirect_url, built_redirect_headers))
           else
             set_auth_headers(resource)

data/lib/graphql_devise/resolvers/confirm_account.rb

@@ -7,6 +7,8 @@ module GraphqlDevise
       argument :redirect_url,       String, required: true
 
       def resolve(confirmation_token:, redirect_url:)
+        check_redirect_url_whitelist!(redirect_url)
+
         resource = resource_class.confirm_by_token(confirmation_token)
 
         if resource.errors.empty?

data/lib/graphql_devise/schema_plugin.rb

@@ -2,13 +2,16 @@
 
 module GraphqlDevise
   class SchemaPlugin
+    # NOTE: Based on GQL-Ruby docs  https://graphql-ruby.org/schema/introspection.html
+    INTROSPECTION_FIELDS = ['__schema', '__type', '__typename']
     DEFAULT_NOT_AUTHENTICATED = ->(field) { raise GraphqlDevise::AuthenticationError, "#{field} field requires authentication" }
 
-    def initialize(query: nil, mutation: nil, authenticate_default: true, resource_loaders: [], unauthenticated_proc: DEFAULT_NOT_AUTHENTICATED)
+    def initialize(query: nil, mutation: nil, authenticate_default: true, public_introspection: !Rails.env.production?, resource_loaders: [], unauthenticated_proc: DEFAULT_NOT_AUTHENTICATED)
       @query                = query
       @mutation             = mutation
       @resource_loaders     = resource_loaders
       @authenticate_default = authenticate_default
+      @public_introspection = public_introspection
       @unauthenticated_proc = unauthenticated_proc
 
       # Must happen on initialize so operations are loaded before the types are added to the schema on GQL < 1.10
@@ -24,13 +27,12 @@ module GraphqlDevise
       # Authenticate only root level queries
       return yield unless event == 'execute_field' && path(trace_data).count == 1
 
-      field = traced_field(trace_data)
-      provided_value = authenticate_option(field, trace_data)
-      context = set_current_resource(context_from_data(trace_data))
+      field         = traced_field(trace_data)
+      auth_required = authenticate_option(field, trace_data)
+      context       = context_from_data(trace_data)
 
-      if !provided_value.nil?
-        raise_on_missing_resource(context, field) if provided_value
-      elsif @authenticate_default
+      if auth_required && !(public_introspection && introspection_field?(field))
+        context = set_current_resource(context)
         raise_on_missing_resource(context, field)
       end
 
@@ -39,10 +41,13 @@ module GraphqlDevise
 
     private
 
+    attr_reader :public_introspection
+
     def set_current_resource(context)
-      controller                 = context[:controller]
-      resource_names             = Array(context[:resource_name])
-      context[:current_resource] = resource_names.find do |resource_name|
+      controller     = context[:controller]
+      resource_names = Array(context[:resource_name])
+
+      context[:current_resource] ||= resource_names.find do |resource_name|
         unless Devise.mappings.key?(resource_name)
           raise(
             GraphqlDevise::Error,
@@ -88,11 +93,13 @@ module GraphqlDevise
     end
 
     def authenticate_option(field, trace_data)
-      if trace_data[:context]
+      auth_required = if trace_data[:context]
         field.metadata[:authenticate]
       else
         field.graphql_definition.metadata[:authenticate]
       end
+
+      auth_required.nil? ? @authenticate_default : auth_required
     end
 
     def reconfigure_warden!
@@ -107,6 +114,10 @@ module GraphqlDevise
         resource_loader.call(@query, @mutation)
       end
     end
+
+    def introspection_field?(field)
+      INTROSPECTION_FIELDS.include?(field.name)
+    end
   end
 end
 

data/lib/graphql_devise/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module GraphqlDevise
-  VERSION = '0.13.5'.freeze
+  VERSION = '0.14.3'.freeze
 end

data/spec/dummy/app/controllers/api/v1/graphql_controller.rb

@@ -6,13 +6,13 @@ module Api
       include GraphqlDevise::Concerns::SetUserByToken
 
       def graphql
-        result = DummySchema.execute(params[:query], execute_params(params))
+        result = DummySchema.execute(params[:query], **execute_params(params))
 
         render json: result unless performed?
       end
 
       def interpreter
-        render json: InterpreterSchema.execute(params[:query], execute_params(params))
+        render json: InterpreterSchema.execute(params[:query], **execute_params(params))
       end
 
       def failing_resource_name

data/spec/dummy/app/graphql/dummy_schema.rb

@@ -2,9 +2,10 @@
 
 class DummySchema < GraphQL::Schema
   use GraphqlDevise::SchemaPlugin.new(
-    query:            Types::QueryType,
-    mutation:         Types::MutationType,
-    resource_loaders: [
+    query:                Types::QueryType,
+    mutation:             Types::MutationType,
+    public_introspection: true,
+    resource_loaders:     [
       GraphqlDevise::ResourceLoader.new(
         'User',
         only: [

data/spec/dummy/app/graphql/mutations/reset_admin_password_with_token.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Mutations
+  class ResetAdminPasswordWithToken < GraphqlDevise::Mutations::UpdatePasswordWithToken
+    field :authenticatable, Types::AdminType, null: false
+
+    def resolve(reset_password_token:, **attrs)
+      super do |admin|
+        controller.sign_in(admin)
+      end
+    end
+  end
+end

data/spec/dummy/config/initializers/devise_token_auth.rb

@@ -39,6 +39,8 @@ DeviseTokenAuth.setup do |config|
 
   config.default_confirm_success_url = 'https://google.com'
 
+  config.redirect_whitelist = ['https://google.com']
+
   # By default we will use callbacks for single omniauth.
   # It depends on fields like email, provider and uid.
   # config.default_callbacks = true

data/spec/dummy/config/routes.rb

@@ -15,7 +15,8 @@ Rails.application.routes.draw do
     authenticatable_type: Types::CustomAdminType,
     skip:                 [:sign_up, :check_password_token],
     operations:           {
-      confirm_account: Resolvers::ConfirmAdminAccount
+      confirm_account:            Resolvers::ConfirmAdminAccount,
+      update_password_with_token: Mutations::ResetAdminPasswordWithToken
     },
     at:                   '/api/v1/admin/graphql_auth'
   )

data/spec/dummy/db/migrate/20200623003142_create_schema_users.rb

@@ -41,6 +41,5 @@ class CreateSchemaUsers < ActiveRecord::Migration[6.0]
     add_index :schema_users, [:uid, :provider],     unique: true
     add_index :schema_users, :reset_password_token, unique: true
     add_index :schema_users, :confirmation_token,   unique: true
-    add_index :schema_users, :unlock_token,         unique: true
   end
 end

data/spec/dummy/db/schema.rb

@@ -73,7 +73,6 @@ ActiveRecord::Schema.define(version: 2020_06_23_003142) do
     t.text "tokens"
     t.datetime "created_at", precision: 6, null: false
     t.datetime "updated_at", precision: 6, null: false
-    t.index "\"unlock_token\"", name: "index_schema_users_on_unlock_token", unique: true
     t.index ["confirmation_token"], name: "index_schema_users_on_confirmation_token", unique: true
     t.index ["email"], name: "index_schema_users_on_email", unique: true
     t.index ["reset_password_token"], name: "index_schema_users_on_reset_password_token", unique: true