graphql_devise 0.15.0 → 0.16.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6f90be997c50518d79c6b3fdaee2f896aeec557ca5084a6bac7059a518dd8ec3
-  data.tar.gz: e25b07dee790cd64a48a07970974c6ae3e2a567c9a75321f7af69c693140a342
+  metadata.gz: 12c52068c8c538bc35dc67deb2d697101e1fa001419ccdbff23183e854f5f404
+  data.tar.gz: 65afe18384fb742e8dbc300d19b227815ebe166997147031bbabd63742738205
 SHA512:
-  metadata.gz: 8453243ec0816b2fc828c13f1033b70e97ae71d68c2938af469a435f99a1b26369f0482a4abcda50fbf61c1a9d1fbde12b47a51f6fa42fdbb29afe5aa7f8760e
-  data.tar.gz: 0fb0ef651e1be37157948ce48e24690ec741e543abf5771ad85f6380a640efb9b772195b16132685887cef9eb8f03d923a12406c99877100c6f13408a70280d8
+  metadata.gz: fcf10385aeb27e02f283fa5b5d140f51352508d4a9973dd374edfe78b67a64cfa9b4183e39a8065af5a9697569fac4ed9c21aa007df26fd271b6739c2f9cd5a9
+  data.tar.gz: d3f45d87972e29a325375c1868fced4ef377effcfba6be182c7d8c0b34bdfd6032db66097f0304416ff5966b532fea994d135be0ee48a070c2369668acc3beb2

data/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [v0.16.0](https://github.com/graphql-devise/graphql_devise/tree/v0.16.0) (2021-05-20)
+
+[Full Changelog](https://github.com/graphql-devise/graphql_devise/compare/v0.15.0...v0.16.0)
+
+**Implemented enhancements:**
+
+- Allow checking of authenticaded resource via callable object [\#180](https://github.com/graphql-devise/graphql_devise/pull/180) ([mcelicalderon](https://github.com/mcelicalderon))
+
+**Merged pull requests:**
+
+- Document authenticate with callable [\#181](https://github.com/graphql-devise/graphql_devise/pull/181) ([mcelicalderon](https://github.com/mcelicalderon))
+
 ## [v0.15.0](https://github.com/graphql-devise/graphql_devise/tree/v0.15.0) (2021-05-09)
 
 [Full Changelog](https://github.com/graphql-devise/graphql_devise/compare/v0.14.3...v0.15.0)

data/README.md

@@ -28,8 +28,10 @@ GraphQL interface on top of the [Devise Token Auth](https://github.com/lynndylan
       * [I18n](#i18n)
       * [Authenticating Controller Actions](#authenticating-controller-actions)
          * [Authenticate Resource in the Controller (>= v0.15.0)](#authenticate-resource-in-the-controller--v0150)
+            * [Authentication Options](#authentication-options)
          * [Authenticate Before Reaching Your GQL Schema (Deprecated)](#authenticate-before-reaching-your-gql-schema-deprecated)
          * [Authenticate in Your GQL Schema (Deprecated)](#authenticate-in-your-gql-schema-deprecated)
+            * [Authentication Options](#authentication-options-1)
          * [Important](#important-2)
       * [Making Requests](#making-requests)
          * [Introspection query](#introspection-query)
@@ -45,7 +47,7 @@ GraphQL interface on top of the [Devise Token Auth](https://github.com/lynndylan
    * [Contributing](#contributing)
    * [License](#license)
 
-<!-- Added by: mcelicalderon, at: Sat May  8 12:32:03 -05 2021 -->
+<!-- Added by: mcelicalderon, at: Wed May 19 21:25:22 -05 2021 -->
 
 <!--te-->
 
@@ -432,7 +434,13 @@ restricted to authenticated users and you can only do this at the root level fie
 schema. Configure the plugin as explained [here](#mounting-operations-into-your-own-schema)
 so this can work.
 
-In you main app's schema this is how you might specify if a field needs to be authenticated or not:
+##### Authentication Options
+Wether you setup authentications as a default in the plugin, or you do it at the field level,
+these are the options you can use:
+1. **Any truthy value:** If `current_resource` is not `.present?`, query will return an authentication error.
+1. **A callable object:** Provided object will be called with `current_resource` as the only argument if `current_resource` is `.present?`. If return value of the callable object is false, query will return an authentication error.
+
+In your main app's schema this is how you might specify if a field needs to be authenticated or not:
 ```ruby
 module Types
   class QueryType < Types::BaseObject
@@ -442,13 +450,11 @@ module Types
     field :public_field, String, null: false, authenticate: false
     # this field requires authentication
     field :private_field, String, null: false, authenticate: true
+    # this field requires authenticated users to also be admins
+    field :admin_field, String, null: false, authenticate: ->(user) { user.admin? }
   end
 end
 ```
-**Important:** Currently, the only check the plugin does to see if the user is authenticated or not when executing
-the query, is verifying that `context[:current_resource].present?` in the GraphQL context.
-So, be careful not to populate that key of the context with values other than what `gql_devise_context`
-returns. The option to do more complex verifications will be added in the future.
 
 #### Authenticate Before Reaching Your GQL Schema (Deprecated)
 For this you will need to call `authenticate_<model>!` in a `before_action` controller hook.
@@ -506,7 +512,13 @@ restricted to authenticated users and you can only do this at the root level fie
 schema. Configure the plugin as explained [here](#mounting-operations-into-your-own-schema)
 so this can work.
 
-In you main app's schema this is how you might specify if a field needs to be authenticated or not:
+##### Authentication Options
+Wether you setup authentications as a default in the plugin, or you do it at the field level,
+these are the options you can use:
+1. **Any truthy value:** If `current_resource` is not `.present?`, query will return an authentication error.
+1. **A callable object:** Provided object will be called with `current_resource` as the only argument if `current_resource` is `.present?`. If return value of the callable object is false, query will return an authentication error.
+
+In your main app's schema this is how you might specify if a field needs to be authenticated or not:
 ```ruby
 module Types
   class QueryType < Types::BaseObject
@@ -516,6 +528,8 @@ module Types
     field :public_field, String, null: false, authenticate: false
     # this field requires authentication
     field :private_field, String, null: false, authenticate: true
+    # this field requires authenticated users to also be admins
+    field :admin_field, String, null: false, authenticate: ->(user) { user.admin? }
   end
 end
 ```

data/lib/graphql_devise/schema_plugin.rb

@@ -46,7 +46,7 @@ module GraphqlDevise
 
       if auth_required && !(public_introspection && introspection_field?(field))
         context = set_current_resource(context)
-        raise_on_missing_resource(context, field)
+        raise_on_missing_resource(context, field, auth_required)
       end
 
       yield
@@ -75,8 +75,12 @@ module GraphqlDevise
       context
     end
 
-    def raise_on_missing_resource(context, field)
+    def raise_on_missing_resource(context, field, auth_required)
       @unauthenticated_proc.call(field.name) if context[:current_resource].blank?
+
+      if auth_required.respond_to?(:call) && !auth_required.call(context[:current_resource])
+        @unauthenticated_proc.call(field.name)
+      end
     end
 
     def context_from_data(trace_data)

data/lib/graphql_devise/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module GraphqlDevise
-  VERSION = '0.15.0'.freeze
+  VERSION = '0.16.0'.freeze
 end

data/spec/dummy/app/graphql/types/query_type.rb

@@ -5,6 +5,7 @@ module Types
     field :user, resolver: Resolvers::UserShow
     field :public_field, String, null: false, authenticate: false
     field :private_field, String, null: false, authenticate: true
+    field :vip_field, String, null: false, authenticate: ->(user) { user.is_a?(User) && user.vip? }
 
     def public_field
       'Field does not require authentication'
@@ -13,5 +14,9 @@ module Types
     def private_field
       'Field will always require authentication'
     end
+
+    def vip_field
+      'Field available only for VIP Users'
+    end
   end
 end

data/spec/dummy/db/migrate/20210516211417_add_vip_to_users.rb

@@ -0,0 +1,5 @@
+class AddVipToUsers < ActiveRecord::Migration[6.1]
+  def change
+    add_column :users, :vip, :boolean, null: false, default: false
+  end
+end

data/spec/dummy/db/schema.rb

@@ -2,15 +2,15 @@
 # of editing this file, please use the migrations feature of Active Record to
 # incrementally modify your database, and then regenerate this schema definition.
 #
-# This file is the source Rails uses to define your schema when running `rails
-# db:schema:load`. When creating a new database, `rails db:schema:load` tends to
+# This file is the source Rails uses to define your schema when running `bin/rails
+# db:schema:load`. When creating a new database, `bin/rails db:schema:load` tends to
 # be faster and is potentially less error prone than running all of your
 # migrations from scratch. Old migrations may fail to apply correctly if those
 # migrations use external dependencies or application code.
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 2020_06_23_003142) do
+ActiveRecord::Schema.define(version: 2021_05_16_211417) do
 
   create_table "admins", force: :cascade do |t|
     t.string "provider", default: "email", null: false
@@ -105,6 +105,7 @@ ActiveRecord::Schema.define(version: 2020_06_23_003142) do
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
     t.boolean "auth_available", default: true, null: false
+    t.boolean "vip", default: false, null: false
     t.index ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true
     t.index ["email"], name: "index_users_on_email", unique: true
     t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true

data/spec/requests/user_controller_spec.rb

@@ -5,6 +5,14 @@ require 'rails_helper'
 RSpec.describe "Integrations with the user's controller" do
   include_context 'with graphql query request'
 
+  shared_examples 'returns a must authenticate error' do |field|
+    it 'returns a must sign in error' do
+      expect(json_response[:errors]).to contain_exactly(
+        hash_including(message: "#{field} field requires authentication", extensions: { code: 'AUTHENTICATION_ERROR' })
+      )
+    end
+  end
+
   let(:user) { create(:user, :confirmed) }
 
   describe 'publicField' do
@@ -54,11 +62,7 @@ RSpec.describe "Integrations with the user's controller" do
       end
 
       context 'when user is not authenticated' do
-        it 'returns a must sign in error' do
-          expect(json_response[:errors]).to contain_exactly(
-            hash_including(message: 'privateField field requires authentication', extensions: { code: 'AUTHENTICATION_ERROR' })
-          )
-        end
+        it_behaves_like 'returns a must authenticate error', 'privateField'
       end
     end
 
@@ -82,11 +86,7 @@ RSpec.describe "Integrations with the user's controller" do
       end
 
       context 'when user is not authenticated' do
-        it 'returns a must sign in error' do
-          expect(json_response[:errors]).to contain_exactly(
-            hash_including(message: 'privateField field requires authentication', extensions: { code: 'AUTHENTICATION_ERROR' })
-          )
-        end
+        it_behaves_like 'returns a must authenticate error', 'privateField'
       end
 
       context 'when using the failing route' do
@@ -111,11 +111,7 @@ RSpec.describe "Integrations with the user's controller" do
       end
 
       context 'when user is not authenticated' do
-        it 'returns a must sign in error' do
-          expect(json_response[:errors]).to contain_exactly(
-            hash_including(message: 'privateField field requires authentication', extensions: { code: 'AUTHENTICATION_ERROR' })
-          )
-        end
+        it_behaves_like 'returns a must authenticate error', 'privateField'
       end
     end
   end
@@ -141,11 +137,7 @@ RSpec.describe "Integrations with the user's controller" do
       end
 
       context 'when user is not authenticated' do
-        it 'returns a must sign in error' do
-          expect(json_response[:errors]).to contain_exactly(
-            hash_including(message: 'dummyMutation field requires authentication', extensions: { code: 'AUTHENTICATION_ERROR' })
-          )
-        end
+        it_behaves_like 'returns a must authenticate error', 'dummyMutation'
       end
     end
 
@@ -161,11 +153,7 @@ RSpec.describe "Integrations with the user's controller" do
       end
 
       context 'when user is not authenticated' do
-        it 'returns a must sign in error' do
-          expect(json_response[:errors]).to contain_exactly(
-            hash_including(message: 'dummyMutation field requires authentication', extensions: { code: 'AUTHENTICATION_ERROR' })
-          )
-        end
+        it_behaves_like 'returns a must authenticate error', 'dummyMutation'
       end
     end
   end
@@ -199,11 +187,7 @@ RSpec.describe "Integrations with the user's controller" do
       end
 
       context 'when user is not authenticated' do
-        it 'returns a must sign in error' do
-          expect(json_response[:errors]).to contain_exactly(
-            hash_including(message: 'user field requires authentication', extensions: { code: 'AUTHENTICATION_ERROR' })
-          )
-        end
+        it_behaves_like 'returns a must authenticate error', 'user'
       end
     end
 
@@ -271,4 +255,61 @@ RSpec.describe "Integrations with the user's controller" do
       )
     end
   end
+
+  describe 'vipField' do
+    let(:error_message) { 'Field available only for VIP Users' }
+    let(:query) do
+      <<-GRAPHQL
+        query { vipField }
+      GRAPHQL
+    end
+
+    context 'when using a regular schema' do
+      before { post_request('/api/v1/graphql') }
+
+      context 'when user is authenticated' do
+        let(:headers) { user.create_new_auth_token }
+
+        context 'when schema user is VIP' do
+          let(:user) { create(:user, :confirmed, vip: true) }
+
+          it 'allows to perform the query' do
+            expect(json_response[:data][:vipField]).to eq(error_message)
+          end
+        end
+
+        context 'when schema user is not VIP' do
+          it_behaves_like 'returns a must authenticate error', 'vipField'
+        end
+      end
+
+      context 'when user is not authenticated' do
+        it_behaves_like 'returns a must authenticate error', 'vipField'
+      end
+    end
+
+    context 'when using the interpreter schema' do
+      before { post_request('/api/v1/interpreter') }
+
+      context 'when user is authenticated' do
+        let(:headers) { user.create_new_auth_token }
+
+        context 'when schema user is VIP' do
+          let(:user) { create(:user, :confirmed, vip: true) }
+
+          it 'allows to perform the query' do
+            expect(json_response[:data][:vipField]).to eq(error_message)
+          end
+        end
+
+        context 'when schema user is not VIP' do
+          it_behaves_like 'returns a must authenticate error', 'vipField'
+        end
+      end
+
+      context 'when user is not authenticated' do
+        it_behaves_like 'returns a must authenticate error', 'vipField'
+      end
+    end
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: graphql_devise
 version: !ruby/object:Gem::Version
-  version: 0.15.0
+  version: 0.16.0
 platform: ruby
 authors:
 - Mario Celi
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-05-09 00:00:00.000000000 Z
+date: 2021-05-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise_token_auth
@@ -425,6 +425,7 @@ files:
 - spec/dummy/db/migrate/20200321121807_create_users_customers.rb
 - spec/dummy/db/migrate/20200621182414_remove_uncofirmed_email_from_admins.rb
 - spec/dummy/db/migrate/20200623003142_create_schema_users.rb
+- spec/dummy/db/migrate/20210516211417_add_vip_to_users.rb
 - spec/dummy/db/schema.rb
 - spec/dummy/db/seeds.rb
 - spec/dummy/public/robots.txt
@@ -502,7 +503,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.0.3
 signing_key:
 specification_version: 4
 summary: GraphQL queries and mutations on top of devise_token_auth
@@ -574,6 +575,7 @@ test_files:
 - spec/dummy/db/migrate/20200321121807_create_users_customers.rb
 - spec/dummy/db/migrate/20200621182414_remove_uncofirmed_email_from_admins.rb
 - spec/dummy/db/migrate/20200623003142_create_schema_users.rb
+- spec/dummy/db/migrate/20210516211417_add_vip_to_users.rb
 - spec/dummy/db/schema.rb
 - spec/dummy/db/seeds.rb
 - spec/dummy/public/robots.txt