graphql_devise 0.14.0 → 0.16.0

data/lib/graphql_devise/mount_method/operation_preparers/default_operation_preparer.rb

@@ -4,23 +4,25 @@ module GraphqlDevise
   module MountMethod
     module OperationPreparers
       class DefaultOperationPreparer
-        def initialize(selected_operations:, custom_keys:, mapping_name:, preparer:)
+        def initialize(selected_operations:, custom_keys:, model:, preparer:)
           @selected_operations = selected_operations
           @custom_keys         = custom_keys
-          @mapping_name        = mapping_name
+          @model               = model
           @preparer            = preparer
         end
 
         def call
+          mapping_name = GraphqlDevise.to_mapping_name(@model)
+
           @selected_operations.except(*@custom_keys).each_with_object({}) do |(action, operation_info), result|
-            mapped_action = "#{@mapping_name}_#{action}"
+            mapped_action = "#{mapping_name}_#{action}"
             operation     = operation_info[:klass]
             options       = operation_info.except(:klass)
 
             result[mapped_action.to_sym] = [
               OperationPreparers::GqlNameSetter.new(mapped_action),
               @preparer,
-              OperationPreparers::ResourceNameSetter.new(@mapping_name)
+              OperationPreparers::ResourceKlassSetter.new(@model)
             ].reduce(child_class(operation)) do |prepared_operation, preparer|
               preparer.call(prepared_operation, **options)
             end

data/lib/graphql_devise/mount_method/operation_preparers/{resource_name_setter.rb → resource_klass_setter.rb}

@@ -3,13 +3,13 @@
 module GraphqlDevise
   module MountMethod
     module OperationPreparers
-      class ResourceNameSetter
-        def initialize(name)
-          @name = name
+      class ResourceKlassSetter
+        def initialize(klass)
+          @klass = klass
         end
 
         def call(operation, **)
-          operation.instance_variable_set(:@resource_name, @name)
+          operation.instance_variable_set(:@resource_klass, @klass)
 
           operation
         end

data/lib/graphql_devise/resolvers/confirm_account.rb

@@ -32,7 +32,7 @@ module GraphqlDevise
           end
 
           controller.redirect_to(redirect_to_link)
-          { authenticatable: resource }
+          resource
         else
           raise_user_error(I18n.t('graphql_devise.confirmations.invalid_token'))
         end

data/lib/graphql_devise/resource_loader.rb

@@ -10,12 +10,27 @@ module GraphqlDevise
     end
 
     def call(query, mutation)
-      mapping_name = @resource.to_s.underscore.tr('/', '_').to_sym
-
       # clean_options responds to all keys defined in GraphqlDevise::MountMethod::SUPPORTED_OPTIONS
       clean_options = GraphqlDevise::MountMethod::OptionSanitizer.new(@options).call!
 
-      return clean_options if GraphqlDevise.resource_mounted?(mapping_name) && @routing
+      model = if @resource.is_a?(String)
+        ActiveSupport::Deprecation.warn(<<-DEPRECATION.strip_heredoc, caller)
+          Providing a String as the model you want to mount is deprecated and will be removed in a future version of
+          this gem. Please use the actual model constant instead.
+
+          EXAMPLE
+
+          GraphqlDevise::ResourceLoader.new(User) # instead of GraphqlDevise::ResourceLoader.new('User')
+
+          mount_graphql_devise_for User # instead of mount_graphql_devise_for 'User'
+        DEPRECATION
+        @resource.constantize
+      else
+        @resource
+      end
+
+      # Necesary when mounting a resource via route file as Devise forces the reloading of routes
+      return clean_options if GraphqlDevise.resource_mounted?(model) && @routing
 
       validate_options!(clean_options)
 
@@ -23,7 +38,7 @@ module GraphqlDevise
                              "Types::#{@resource}Type".safe_constantize ||
                              GraphqlDevise::Types::AuthenticatableType
 
-      prepared_mutations = prepare_mutations(mapping_name, clean_options, authenticatable_type)
+      prepared_mutations = prepare_mutations(model, clean_options, authenticatable_type)
 
       if prepared_mutations.any? && mutation.blank?
         raise GraphqlDevise::Error, 'You need to provide a mutation type unless all mutations are skipped'
@@ -33,7 +48,7 @@ module GraphqlDevise
         mutation.field(action, mutation: prepared_mutation, authenticate: false)
       end
 
-      prepared_resolvers = prepare_resolvers(mapping_name, clean_options, authenticatable_type)
+      prepared_resolvers = prepare_resolvers(model, clean_options, authenticatable_type)
 
       if prepared_resolvers.any? && query.blank?
         raise GraphqlDevise::Error, 'You need to provide a query type unless all queries are skipped'
@@ -43,17 +58,17 @@ module GraphqlDevise
         query.field(action, resolver: resolver, authenticate: false)
       end
 
-      GraphqlDevise.add_mapping(mapping_name, @resource)
-      GraphqlDevise.mount_resource(mapping_name) if @routing
+      GraphqlDevise.add_mapping(GraphqlDevise.to_mapping_name(@resource).to_sym, @resource)
+      GraphqlDevise.mount_resource(model) if @routing
 
       clean_options
     end
 
     private
 
-    def prepare_resolvers(mapping_name, clean_options, authenticatable_type)
+    def prepare_resolvers(model, clean_options, authenticatable_type)
       GraphqlDevise::MountMethod::OperationPreparer.new(
-        mapping_name:          mapping_name,
+        model:                 model,
         custom:                clean_options.operations,
         additional_operations: clean_options.additional_queries,
         preparer:              GraphqlDevise::MountMethod::OperationPreparers::ResolverTypeSetter.new(authenticatable_type),
@@ -63,9 +78,9 @@ module GraphqlDevise
       ).call
     end
 
-    def prepare_mutations(mapping_name, clean_options, authenticatable_type)
+    def prepare_mutations(model, clean_options, authenticatable_type)
       GraphqlDevise::MountMethod::OperationPreparer.new(
-        mapping_name:          mapping_name,
+        model:                 model,
         custom:                clean_options.operations,
         additional_operations: clean_options.additional_mutations,
         preparer:              GraphqlDevise::MountMethod::OperationPreparers::MutationFieldSetter.new(authenticatable_type),

data/lib/graphql_devise/schema_plugin.rb

@@ -2,18 +2,20 @@
 
 module GraphqlDevise
   class SchemaPlugin
+    # NOTE: Based on GQL-Ruby docs  https://graphql-ruby.org/schema/introspection.html
+    INTROSPECTION_FIELDS = ['__schema', '__type', '__typename']
     DEFAULT_NOT_AUTHENTICATED = ->(field) { raise GraphqlDevise::AuthenticationError, "#{field} field requires authentication" }
 
-    def initialize(query: nil, mutation: nil, authenticate_default: true, resource_loaders: [], unauthenticated_proc: DEFAULT_NOT_AUTHENTICATED)
+    def initialize(query: nil, mutation: nil, authenticate_default: true, public_introspection: !Rails.env.production?, resource_loaders: [], unauthenticated_proc: DEFAULT_NOT_AUTHENTICATED)
       @query                = query
       @mutation             = mutation
       @resource_loaders     = resource_loaders
       @authenticate_default = authenticate_default
+      @public_introspection = public_introspection
       @unauthenticated_proc = unauthenticated_proc
 
       # Must happen on initialize so operations are loaded before the types are added to the schema on GQL < 1.10
       load_fields
-      reconfigure_warden!
     end
 
     def use(schema_definition)
@@ -24,14 +26,27 @@ module GraphqlDevise
       # Authenticate only root level queries
       return yield unless event == 'execute_field' && path(trace_data).count == 1
 
-      field = traced_field(trace_data)
-      provided_value = authenticate_option(field, trace_data)
-      context = set_current_resource(context_from_data(trace_data))
+      field         = traced_field(trace_data)
+      auth_required = authenticate_option(field, trace_data)
+      context       = context_from_data(trace_data)
 
-      if !provided_value.nil?
-        raise_on_missing_resource(context, field) if provided_value
-      elsif @authenticate_default
-        raise_on_missing_resource(context, field)
+      if context.key?(:resource_name)
+        ActiveSupport::Deprecation.warn(<<-DEPRECATION.strip_heredoc, caller)
+          Providing `resource_name` as part of the GQL context, or doing so by using the `graphql_context(resource_name)`
+          method on your controller is deprecated and will be removed in a future version of this gem.
+          Please use `gql_devise_context` in you controller instead.
+
+          EXAMPLE
+          include GraphqlDevise::Concerns::SetUserByToken
+
+          DummySchema.execute(params[:query], context: gql_devise_context(User))
+          DummySchema.execute(params[:query], context: gql_devise_context(User, Admin))
+        DEPRECATION
+      end
+
+      if auth_required && !(public_introspection && introspection_field?(field))
+        context = set_current_resource(context)
+        raise_on_missing_resource(context, field, auth_required)
       end
 
       yield
@@ -39,10 +54,13 @@ module GraphqlDevise
 
     private
 
+    attr_reader :public_introspection
+
     def set_current_resource(context)
-      controller                 = context[:controller]
-      resource_names             = Array(context[:resource_name])
-      context[:current_resource] = resource_names.find do |resource_name|
+      controller     = context[:controller]
+      resource_names = Array(context[:resource_name])
+
+      context[:current_resource] ||= resource_names.find do |resource_name|
         unless Devise.mappings.key?(resource_name)
           raise(
             GraphqlDevise::Error,
@@ -57,8 +75,12 @@ module GraphqlDevise
       context
     end
 
-    def raise_on_missing_resource(context, field)
+    def raise_on_missing_resource(context, field, auth_required)
       @unauthenticated_proc.call(field.name) if context[:current_resource].blank?
+
+      if auth_required.respond_to?(:call) && !auth_required.call(context[:current_resource])
+        @unauthenticated_proc.call(field.name)
+      end
     end
 
     def context_from_data(trace_data)
@@ -88,16 +110,13 @@ module GraphqlDevise
     end
 
     def authenticate_option(field, trace_data)
-      if trace_data[:context]
+      auth_required = if trace_data[:context]
         field.metadata[:authenticate]
       else
         field.graphql_definition.metadata[:authenticate]
       end
-    end
 
-    def reconfigure_warden!
-      Devise.class_variable_set(:@@warden_configured, nil)
-      Devise.configure_warden!
+      auth_required.nil? ? @authenticate_default : auth_required
     end
 
     def load_fields
@@ -107,6 +126,10 @@ module GraphqlDevise
         resource_loader.call(@query, @mutation)
       end
     end
+
+    def introspection_field?(field)
+      INTROSPECTION_FIELDS.include?(field.name)
+    end
   end
 end
 

data/lib/graphql_devise/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module GraphqlDevise
-  VERSION = '0.14.0'.freeze
+  VERSION = '0.16.0'.freeze
 end

data/spec/dummy/app/controllers/api/v1/graphql_controller.rb

@@ -6,19 +6,30 @@ module Api
       include GraphqlDevise::Concerns::SetUserByToken
 
       def graphql
-        result = DummySchema.execute(params[:query], execute_params(params))
+        result = DummySchema.execute(params[:query], **execute_params(params))
 
         render json: result unless performed?
       end
 
       def interpreter
-        render json: InterpreterSchema.execute(params[:query], execute_params(params))
+        render json: InterpreterSchema.execute(params[:query], **execute_params(params))
       end
 
       def failing_resource_name
         render json: DummySchema.execute(params[:query], context: graphql_context([:user, :fail]))
       end
 
+      def controller_auth
+        result = DummySchema.execute(
+          params[:query],
+          operation_name: params[:operationName],
+          variables:      ensure_hash(params[:variables]),
+          context:        gql_devise_context(SchemaUser, User)
+        )
+
+        render json: result unless performed?
+      end
+
       private
 
       def execute_params(item)

data/spec/dummy/app/graphql/dummy_schema.rb

@@ -2,9 +2,10 @@
 
 class DummySchema < GraphQL::Schema
   use GraphqlDevise::SchemaPlugin.new(
-    query:            Types::QueryType,
-    mutation:         Types::MutationType,
-    resource_loaders: [
+    query:                Types::QueryType,
+    mutation:             Types::MutationType,
+    public_introspection: true,
+    resource_loaders:     [
       GraphqlDevise::ResourceLoader.new(
         'User',
         only: [

data/spec/dummy/app/graphql/types/query_type.rb

@@ -5,6 +5,7 @@ module Types
     field :user, resolver: Resolvers::UserShow
     field :public_field, String, null: false, authenticate: false
     field :private_field, String, null: false, authenticate: true
+    field :vip_field, String, null: false, authenticate: ->(user) { user.is_a?(User) && user.vip? }
 
     def public_field
       'Field does not require authentication'
@@ -13,5 +14,9 @@ module Types
     def private_field
       'Field will always require authentication'
     end
+
+    def vip_field
+      'Field available only for VIP Users'
+    end
   end
 end

data/spec/dummy/config/routes.rb

@@ -11,7 +11,7 @@ Rails.application.routes.draw do
   }
 
   mount_graphql_devise_for(
-    'Admin',
+    Admin,
     authenticatable_type: Types::CustomAdminType,
     skip:                 [:sign_up, :check_password_token],
     operations:           {
@@ -37,4 +37,5 @@ Rails.application.routes.draw do
   post '/api/v1/graphql', to: 'api/v1/graphql#graphql'
   post '/api/v1/interpreter', to: 'api/v1/graphql#interpreter'
   post '/api/v1/failing', to: 'api/v1/graphql#failing_resource_name'
+  post '/api/v1/controller_auth', to: 'api/v1/graphql#controller_auth'
 end

data/spec/dummy/db/migrate/20200623003142_create_schema_users.rb

@@ -41,6 +41,5 @@ class CreateSchemaUsers < ActiveRecord::Migration[6.0]
     add_index :schema_users, [:uid, :provider],     unique: true
     add_index :schema_users, :reset_password_token, unique: true
     add_index :schema_users, :confirmation_token,   unique: true
-    add_index :schema_users, :unlock_token,         unique: true
   end
 end

data/spec/dummy/db/migrate/20210516211417_add_vip_to_users.rb

@@ -0,0 +1,5 @@
+class AddVipToUsers < ActiveRecord::Migration[6.1]
+  def change
+    add_column :users, :vip, :boolean, null: false, default: false
+  end
+end

data/spec/dummy/db/schema.rb

@@ -2,15 +2,15 @@
 # of editing this file, please use the migrations feature of Active Record to
 # incrementally modify your database, and then regenerate this schema definition.
 #
-# This file is the source Rails uses to define your schema when running `rails
-# db:schema:load`. When creating a new database, `rails db:schema:load` tends to
+# This file is the source Rails uses to define your schema when running `bin/rails
+# db:schema:load`. When creating a new database, `bin/rails db:schema:load` tends to
 # be faster and is potentially less error prone than running all of your
 # migrations from scratch. Old migrations may fail to apply correctly if those
 # migrations use external dependencies or application code.
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 2020_06_23_003142) do
+ActiveRecord::Schema.define(version: 2021_05_16_211417) do
 
   create_table "admins", force: :cascade do |t|
     t.string "provider", default: "email", null: false
@@ -73,7 +73,6 @@ ActiveRecord::Schema.define(version: 2020_06_23_003142) do
     t.text "tokens"
     t.datetime "created_at", precision: 6, null: false
     t.datetime "updated_at", precision: 6, null: false
-    t.index "\"unlock_token\"", name: "index_schema_users_on_unlock_token", unique: true
     t.index ["confirmation_token"], name: "index_schema_users_on_confirmation_token", unique: true
     t.index ["email"], name: "index_schema_users_on_email", unique: true
     t.index ["reset_password_token"], name: "index_schema_users_on_reset_password_token", unique: true
@@ -106,6 +105,7 @@ ActiveRecord::Schema.define(version: 2020_06_23_003142) do
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
     t.boolean "auth_available", default: true, null: false
+    t.boolean "vip", default: false, null: false
     t.index ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true
     t.index ["email"], name: "index_users_on_email", unique: true
     t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true

data/spec/generators/graphql_devise/install_generator_spec.rb

@@ -33,7 +33,7 @@ RSpec.describe GraphqlDevise::InstallGenerator, type: :generator do
 
       assert_file 'app/controllers/application_controller.rb', /^\s{2}include GraphqlDevise::Concerns::SetUserByToken/
 
-      assert_file 'app/graphql/gqld_dummy_schema.rb', /\s+#{Regexp.escape("GraphqlDevise::ResourceLoader.new('Admin')")}/
+      assert_file 'app/graphql/gqld_dummy_schema.rb', /\s+#{Regexp.escape("GraphqlDevise::ResourceLoader.new(Admin)")}/
     end
   end
 

data/spec/graphql/user_queries_spec.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Users controller specs' do
+  include_context 'with graphql schema test'
+
+  let(:schema)          { DummySchema }
+  let(:user)            { create(:user, :confirmed) }
+  let(:field)           { 'privateField' }
+  let(:public_message)  { 'Field does not require authentication' }
+  let(:private_message) { 'Field will always require authentication' }
+  let(:private_error) do
+    {
+      message:    "#{field} field requires authentication",
+      extensions: { code: 'AUTHENTICATION_ERROR' }
+    }
+  end
+
+  describe 'publicField' do
+    let(:query) do
+      <<-GRAPHQL
+        query {
+          publicField
+        }
+      GRAPHQL
+    end
+
+    context 'when using a regular schema' do
+      it 'does not require authentication' do
+        expect(response[:data][:publicField]).to eq(public_message)
+      end
+    end
+  end
+
+  describe 'privateField' do
+    let(:query) do
+      <<-GRAPHQL
+        query {
+          privateField
+        }
+      GRAPHQL
+    end
+
+    context 'when using a regular schema' do
+      context 'when user is authenticated' do
+        let(:resource) { user }
+
+        it 'allows to perform the query' do
+          expect(response[:data][:privateField]).to eq(private_message)
+        end
+
+        context 'when using a SchemaUser' do
+          let(:resource) { create(:schema_user, :confirmed) }
+
+          it 'allows to perform the query' do
+            expect(response[:data][:privateField]).to eq(private_message)
+          end
+        end
+      end
+    end
+
+    context 'when using an interpreter schema' do
+      let(:schema) { InterpreterSchema }
+
+      context 'when user is authenticated' do
+        let(:resource) { user }
+
+        it 'allows to perform the query' do
+          expect(response[:data][:privateField]).to eq(private_message)
+        end
+      end
+    end
+  end
+
+  describe 'user' do
+    let(:user_data) { { email: user.email, id: user.id } }
+    let(:query) do
+      <<-GRAPHQL
+        query {
+          user(
+            id: #{user.id}
+          ) {
+            id
+            email
+          }
+        }
+      GRAPHQL
+    end
+
+    context 'when using a regular schema' do
+      context 'when user is authenticated' do
+        let(:resource) { user }
+
+        it 'allows to perform the query' do
+          expect(response[:data][:user]).to match(**user_data)
+        end
+      end
+    end
+
+    context 'when using an interpreter schema' do
+      let(:schema) { InterpreterSchema }
+
+      context 'when user is authenticated' do
+        let(:resource) { user }
+
+        it 'allows to perform the query' do
+          expect(response[:data][:user]).to match(**user_data)
+        end
+      end
+
+      context 'when user is not authenticated' do
+        # Interpreter schema fields are public unless specified otherwise (plugin setting)
+        it 'allows to perform the query' do
+          expect(response[:data][:user]).to match(**user_data)
+        end
+      end
+    end
+  end
+end