graphql_devise 0.13.6 → 0.15.0

data/lib/graphql_devise/mount_method/operation_preparers/custom_operation_preparer.rb

@@ -4,19 +4,21 @@ module GraphqlDevise
   module MountMethod
     module OperationPreparers
       class CustomOperationPreparer
-        def initialize(selected_keys:, custom_operations:, mapping_name:)
+        def initialize(selected_keys:, custom_operations:, model:)
           @selected_keys     = selected_keys
           @custom_operations = custom_operations
-          @mapping_name      = mapping_name
+          @model             = model
         end
 
         def call
+          mapping_name = GraphqlDevise.to_mapping_name(@model)
+
           @custom_operations.slice(*@selected_keys).each_with_object({}) do |(action, operation), result|
-            mapped_action = "#{@mapping_name}_#{action}"
+            mapped_action = "#{mapping_name}_#{action}"
 
             result[mapped_action.to_sym] = [
               OperationPreparers::GqlNameSetter.new(mapped_action),
-              OperationPreparers::ResourceNameSetter.new(@mapping_name)
+              OperationPreparers::ResourceKlassSetter.new(@model)
             ].reduce(operation) { |prepared_operation, preparer| preparer.call(prepared_operation) }
           end
         end

data/lib/graphql_devise/mount_method/operation_preparers/default_operation_preparer.rb

@@ -4,23 +4,25 @@ module GraphqlDevise
   module MountMethod
     module OperationPreparers
       class DefaultOperationPreparer
-        def initialize(selected_operations:, custom_keys:, mapping_name:, preparer:)
+        def initialize(selected_operations:, custom_keys:, model:, preparer:)
           @selected_operations = selected_operations
           @custom_keys         = custom_keys
-          @mapping_name        = mapping_name
+          @model               = model
           @preparer            = preparer
         end
 
         def call
+          mapping_name = GraphqlDevise.to_mapping_name(@model)
+
           @selected_operations.except(*@custom_keys).each_with_object({}) do |(action, operation_info), result|
-            mapped_action = "#{@mapping_name}_#{action}"
+            mapped_action = "#{mapping_name}_#{action}"
             operation     = operation_info[:klass]
             options       = operation_info.except(:klass)
 
             result[mapped_action.to_sym] = [
               OperationPreparers::GqlNameSetter.new(mapped_action),
               @preparer,
-              OperationPreparers::ResourceNameSetter.new(@mapping_name)
+              OperationPreparers::ResourceKlassSetter.new(@model)
             ].reduce(child_class(operation)) do |prepared_operation, preparer|
               preparer.call(prepared_operation, **options)
             end

data/lib/graphql_devise/mount_method/operation_preparers/{resource_name_setter.rb → resource_klass_setter.rb}

@@ -3,13 +3,13 @@
 module GraphqlDevise
   module MountMethod
     module OperationPreparers
-      class ResourceNameSetter
-        def initialize(name)
-          @name = name
+      class ResourceKlassSetter
+        def initialize(klass)
+          @klass = klass
         end
 
         def call(operation, **)
-          operation.instance_variable_set(:@resource_name, @name)
+          operation.instance_variable_set(:@resource_klass, @klass)
 
           operation
         end

data/lib/graphql_devise/mutations/send_password_reset_with_token.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module GraphqlDevise
+  module Mutations
+    class SendPasswordResetWithToken < Base
+      argument :email,        String, required: true
+      argument :redirect_url, String, required: true
+
+      field :message, String, null: false
+
+      def resolve(email:, redirect_url:)
+        check_redirect_url_whitelist!(redirect_url)
+
+        resource = find_resource(:email, get_case_insensitive_field(:email, email))
+
+        if resource
+          yield resource if block_given?
+
+          resource.send_reset_password_instructions(
+            email:         email,
+            provider:      'email',
+            redirect_url:  redirect_url,
+            template_path: ['graphql_devise/mailer']
+          )
+
+          if resource.errors.empty?
+            { message: I18n.t('graphql_devise.passwords.send_instructions') }
+          else
+            raise_user_error_list(I18n.t('graphql_devise.invalid_resource'), errors: resource.errors.full_messages)
+          end
+        else
+          raise_user_error(I18n.t('graphql_devise.user_not_found'))
+        end
+      end
+    end
+  end
+end

data/lib/graphql_devise/mutations/update_password_with_token.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module GraphqlDevise
+  module Mutations
+    class UpdatePasswordWithToken < Base
+      argument :password,              String, required: true
+      argument :password_confirmation, String, required: true
+      argument :reset_password_token,  String, required: true
+
+      field :credentials,
+            GraphqlDevise::Types::CredentialType,
+            null:        true,
+            description: 'Authentication credentials. Resource must be signed_in for credentials to be returned.'
+
+      def resolve(reset_password_token:, **attrs)
+        raise_user_error(I18n.t('graphql_devise.passwords.password_recovery_disabled')) unless recoverable_enabled?
+
+        resource = resource_class.with_reset_password_token(reset_password_token)
+        raise_user_error(I18n.t('graphql_devise.passwords.reset_token_not_found')) if resource.blank?
+        raise_user_error(I18n.t('graphql_devise.passwords.reset_token_expired')) unless resource.reset_password_period_valid?
+
+        if resource.update(attrs)
+          yield resource if block_given?
+
+          response_payload               = { authenticatable: resource }
+          response_payload[:credentials] = set_auth_headers(resource) if controller.signed_in?(resource_name)
+
+          response_payload
+        else
+          raise_user_error_list(
+            I18n.t('graphql_devise.passwords.update_password_error'),
+            errors: resource.errors.full_messages
+          )
+        end
+      end
+    end
+  end
+end

data/lib/graphql_devise/resolvers/confirm_account.rb

@@ -32,7 +32,7 @@ module GraphqlDevise
           end
 
           controller.redirect_to(redirect_to_link)
-          { authenticatable: resource }
+          resource
         else
           raise_user_error(I18n.t('graphql_devise.confirmations.invalid_token'))
         end

data/lib/graphql_devise/resource_loader.rb

@@ -10,12 +10,27 @@ module GraphqlDevise
     end
 
     def call(query, mutation)
-      mapping_name = @resource.to_s.underscore.tr('/', '_').to_sym
-
       # clean_options responds to all keys defined in GraphqlDevise::MountMethod::SUPPORTED_OPTIONS
       clean_options = GraphqlDevise::MountMethod::OptionSanitizer.new(@options).call!
 
-      return clean_options if GraphqlDevise.resource_mounted?(mapping_name) && @routing
+      model = if @resource.is_a?(String)
+        ActiveSupport::Deprecation.warn(<<-DEPRECATION.strip_heredoc, caller)
+          Providing a String as the model you want to mount is deprecated and will be removed in a future version of
+          this gem. Please use the actual model constant instead.
+
+          EXAMPLE
+
+          GraphqlDevise::ResourceLoader.new(User) # instead of GraphqlDevise::ResourceLoader.new('User')
+
+          mount_graphql_devise_for User # instead of mount_graphql_devise_for 'User'
+        DEPRECATION
+        @resource.constantize
+      else
+        @resource
+      end
+
+      # Necesary when mounting a resource via route file as Devise forces the reloading of routes
+      return clean_options if GraphqlDevise.resource_mounted?(model) && @routing
 
       validate_options!(clean_options)
 
@@ -23,7 +38,7 @@ module GraphqlDevise
                              "Types::#{@resource}Type".safe_constantize ||
                              GraphqlDevise::Types::AuthenticatableType
 
-      prepared_mutations = prepare_mutations(mapping_name, clean_options, authenticatable_type)
+      prepared_mutations = prepare_mutations(model, clean_options, authenticatable_type)
 
       if prepared_mutations.any? && mutation.blank?
         raise GraphqlDevise::Error, 'You need to provide a mutation type unless all mutations are skipped'
@@ -33,7 +48,7 @@ module GraphqlDevise
         mutation.field(action, mutation: prepared_mutation, authenticate: false)
       end
 
-      prepared_resolvers = prepare_resolvers(mapping_name, clean_options, authenticatable_type)
+      prepared_resolvers = prepare_resolvers(model, clean_options, authenticatable_type)
 
       if prepared_resolvers.any? && query.blank?
         raise GraphqlDevise::Error, 'You need to provide a query type unless all queries are skipped'
@@ -43,17 +58,17 @@ module GraphqlDevise
         query.field(action, resolver: resolver, authenticate: false)
       end
 
-      GraphqlDevise.add_mapping(mapping_name, @resource)
-      GraphqlDevise.mount_resource(mapping_name) if @routing
+      GraphqlDevise.add_mapping(GraphqlDevise.to_mapping_name(@resource).to_sym, @resource)
+      GraphqlDevise.mount_resource(model) if @routing
 
       clean_options
     end
 
     private
 
-    def prepare_resolvers(mapping_name, clean_options, authenticatable_type)
+    def prepare_resolvers(model, clean_options, authenticatable_type)
       GraphqlDevise::MountMethod::OperationPreparer.new(
-        mapping_name:          mapping_name,
+        model:                 model,
         custom:                clean_options.operations,
         additional_operations: clean_options.additional_queries,
         preparer:              GraphqlDevise::MountMethod::OperationPreparers::ResolverTypeSetter.new(authenticatable_type),
@@ -63,9 +78,9 @@ module GraphqlDevise
       ).call
     end
 
-    def prepare_mutations(mapping_name, clean_options, authenticatable_type)
+    def prepare_mutations(model, clean_options, authenticatable_type)
       GraphqlDevise::MountMethod::OperationPreparer.new(
-        mapping_name:          mapping_name,
+        model:                 model,
         custom:                clean_options.operations,
         additional_operations: clean_options.additional_mutations,
         preparer:              GraphqlDevise::MountMethod::OperationPreparers::MutationFieldSetter.new(authenticatable_type),

data/lib/graphql_devise/schema_plugin.rb

@@ -2,18 +2,20 @@
 
 module GraphqlDevise
   class SchemaPlugin
+    # NOTE: Based on GQL-Ruby docs  https://graphql-ruby.org/schema/introspection.html
+    INTROSPECTION_FIELDS = ['__schema', '__type', '__typename']
     DEFAULT_NOT_AUTHENTICATED = ->(field) { raise GraphqlDevise::AuthenticationError, "#{field} field requires authentication" }
 
-    def initialize(query: nil, mutation: nil, authenticate_default: true, resource_loaders: [], unauthenticated_proc: DEFAULT_NOT_AUTHENTICATED)
+    def initialize(query: nil, mutation: nil, authenticate_default: true, public_introspection: !Rails.env.production?, resource_loaders: [], unauthenticated_proc: DEFAULT_NOT_AUTHENTICATED)
       @query                = query
       @mutation             = mutation
       @resource_loaders     = resource_loaders
       @authenticate_default = authenticate_default
+      @public_introspection = public_introspection
       @unauthenticated_proc = unauthenticated_proc
 
       # Must happen on initialize so operations are loaded before the types are added to the schema on GQL < 1.10
       load_fields
-      reconfigure_warden!
     end
 
     def use(schema_definition)
@@ -24,13 +26,26 @@ module GraphqlDevise
       # Authenticate only root level queries
       return yield unless event == 'execute_field' && path(trace_data).count == 1
 
-      field = traced_field(trace_data)
-      provided_value = authenticate_option(field, trace_data)
-      context = set_current_resource(context_from_data(trace_data))
+      field         = traced_field(trace_data)
+      auth_required = authenticate_option(field, trace_data)
+      context       = context_from_data(trace_data)
 
-      if !provided_value.nil?
-        raise_on_missing_resource(context, field) if provided_value
-      elsif @authenticate_default
+      if context.key?(:resource_name)
+        ActiveSupport::Deprecation.warn(<<-DEPRECATION.strip_heredoc, caller)
+          Providing `resource_name` as part of the GQL context, or doing so by using the `graphql_context(resource_name)`
+          method on your controller is deprecated and will be removed in a future version of this gem.
+          Please use `gql_devise_context` in you controller instead.
+
+          EXAMPLE
+          include GraphqlDevise::Concerns::SetUserByToken
+
+          DummySchema.execute(params[:query], context: gql_devise_context(User))
+          DummySchema.execute(params[:query], context: gql_devise_context(User, Admin))
+        DEPRECATION
+      end
+
+      if auth_required && !(public_introspection && introspection_field?(field))
+        context = set_current_resource(context)
         raise_on_missing_resource(context, field)
       end
 
@@ -39,10 +54,13 @@ module GraphqlDevise
 
     private
 
+    attr_reader :public_introspection
+
     def set_current_resource(context)
-      controller                 = context[:controller]
-      resource_names             = Array(context[:resource_name])
-      context[:current_resource] = resource_names.find do |resource_name|
+      controller     = context[:controller]
+      resource_names = Array(context[:resource_name])
+
+      context[:current_resource] ||= resource_names.find do |resource_name|
         unless Devise.mappings.key?(resource_name)
           raise(
             GraphqlDevise::Error,
@@ -88,16 +106,13 @@ module GraphqlDevise
     end
 
     def authenticate_option(field, trace_data)
-      if trace_data[:context]
+      auth_required = if trace_data[:context]
         field.metadata[:authenticate]
       else
         field.graphql_definition.metadata[:authenticate]
       end
-    end
 
-    def reconfigure_warden!
-      Devise.class_variable_set(:@@warden_configured, nil)
-      Devise.configure_warden!
+      auth_required.nil? ? @authenticate_default : auth_required
     end
 
     def load_fields
@@ -107,6 +122,10 @@ module GraphqlDevise
         resource_loader.call(@query, @mutation)
       end
     end
+
+    def introspection_field?(field)
+      INTROSPECTION_FIELDS.include?(field.name)
+    end
   end
 end
 

data/lib/graphql_devise/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module GraphqlDevise
-  VERSION = '0.13.6'.freeze
+  VERSION = '0.15.0'.freeze
 end

data/spec/dummy/app/controllers/api/v1/graphql_controller.rb

@@ -6,19 +6,30 @@ module Api
       include GraphqlDevise::Concerns::SetUserByToken
 
       def graphql
-        result = DummySchema.execute(params[:query], execute_params(params))
+        result = DummySchema.execute(params[:query], **execute_params(params))
 
         render json: result unless performed?
       end
 
       def interpreter
-        render json: InterpreterSchema.execute(params[:query], execute_params(params))
+        render json: InterpreterSchema.execute(params[:query], **execute_params(params))
       end
 
       def failing_resource_name
         render json: DummySchema.execute(params[:query], context: graphql_context([:user, :fail]))
       end
 
+      def controller_auth
+        result = DummySchema.execute(
+          params[:query],
+          operation_name: params[:operationName],
+          variables:      ensure_hash(params[:variables]),
+          context:        gql_devise_context(SchemaUser, User)
+        )
+
+        render json: result unless performed?
+      end
+
       private
 
       def execute_params(item)

data/spec/dummy/app/graphql/dummy_schema.rb

@@ -2,9 +2,10 @@
 
 class DummySchema < GraphQL::Schema
   use GraphqlDevise::SchemaPlugin.new(
-    query:            Types::QueryType,
-    mutation:         Types::MutationType,
-    resource_loaders: [
+    query:                Types::QueryType,
+    mutation:             Types::MutationType,
+    public_introspection: true,
+    resource_loaders:     [
       GraphqlDevise::ResourceLoader.new(
         'User',
         only: [

data/spec/dummy/app/graphql/mutations/reset_admin_password_with_token.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Mutations
+  class ResetAdminPasswordWithToken < GraphqlDevise::Mutations::UpdatePasswordWithToken
+    field :authenticatable, Types::AdminType, null: false
+
+    def resolve(reset_password_token:, **attrs)
+      super do |admin|
+        controller.sign_in(admin)
+      end
+    end
+  end
+end

data/spec/dummy/config/routes.rb

@@ -11,11 +11,12 @@ Rails.application.routes.draw do
   }
 
   mount_graphql_devise_for(
-    'Admin',
+    Admin,
     authenticatable_type: Types::CustomAdminType,
     skip:                 [:sign_up, :check_password_token],
     operations:           {
-      confirm_account: Resolvers::ConfirmAdminAccount
+      confirm_account:            Resolvers::ConfirmAdminAccount,
+      update_password_with_token: Mutations::ResetAdminPasswordWithToken
     },
     at:                   '/api/v1/admin/graphql_auth'
   )
@@ -36,4 +37,5 @@ Rails.application.routes.draw do
   post '/api/v1/graphql', to: 'api/v1/graphql#graphql'
   post '/api/v1/interpreter', to: 'api/v1/graphql#interpreter'
   post '/api/v1/failing', to: 'api/v1/graphql#failing_resource_name'
+  post '/api/v1/controller_auth', to: 'api/v1/graphql#controller_auth'
 end

data/spec/dummy/db/migrate/20200623003142_create_schema_users.rb

@@ -41,6 +41,5 @@ class CreateSchemaUsers < ActiveRecord::Migration[6.0]
     add_index :schema_users, [:uid, :provider],     unique: true
     add_index :schema_users, :reset_password_token, unique: true
     add_index :schema_users, :confirmation_token,   unique: true
-    add_index :schema_users, :unlock_token,         unique: true
   end
 end