rails-graphql 0.1.3 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cdf2022ac5afdaa3bc0f3068625508c47d5f2df97325427f214f79030f72778b
-  data.tar.gz: 0176fe930c8a991f98c2ad28afb2ebce462fc4a64ad9565fffd8fd29e5ca9019
+  metadata.gz: 8a4e4946f91fcba1ff47ce9ba25b56af87b2a5652f1d414b4d949b46d8e81bb5
+  data.tar.gz: dbd510340b18b079ace3237f5ffb9721b752af2795e34e8778c5687dc9d2af1f
 SHA512:
-  metadata.gz: 0fc23bb1c616165efbdb46ee04697308245a63f6345418dfb5e972d99543c527abcd18cd926786bc9f8de444a39fda60791e1570c4f60b096a0dea501c7bfaeb
-  data.tar.gz: f09ed8ccfb57024a3334589ce1f609efb29eef330f1af235a47d232b881953472e9b2c25190e3b6b3cefbc4927ae1fef841d171dc82d1e2156874b70c5ea3588
+  metadata.gz: df0dbeb5e6d27955c328d7f1c7051324ca47f71e279df2fa0e927cf0d9af0b150c33c209fa1fd3fc09701ce5e0df0137e88c8faff04bf602bc798dd2eda4ea71
+  data.tar.gz: 03f61e059ebea710f08d22452dc736d35efae12174b3a74aff67490fee80b8edf08124f2b17f43656f525b893a548b2c99ff2607dc5442059fa2ab6fef71ca4e

data/lib/rails/graphql.rb

@@ -136,9 +136,7 @@ module Rails # :nodoc:
 
         if (source = xargs.delete(:source)).present?
           location = xargs.delete(:location) || source.try(:directive_location)
-          event ||= GraphQL::Event.new(:attach, source, **xargs.reverse_merge(
-            phase: :definition,
-          ))
+          event ||= GraphQL::Event.new(:attach, source, phase: :definition, **xargs)
         end
 
         Array.wrap(list).each_with_object(Set.new) do |item, result|

data/lib/rails/graphql/callback.rb

@@ -15,7 +15,7 @@ module Rails # :nodoc:
 
       # Directives need to be contextualized by the given instance as +context+
       def self.set_context(item, context)
-        lambda { |*args| item.call(*args, context: context) }
+        lambda { |*args, **xargs| item.call(*args, _callback_context: context, **xargs) }
       end
 
       def initialize(target, event_name, *args, **xargs, &block)
@@ -46,9 +46,12 @@ module Rails # :nodoc:
 
       # This does the whole checking and preparation in order to really execute
       # the callback method
-      def call(event, context: nil)
+      def call(event, *args, _callback_context: nil, **xargs)
         return unless event.name === event_name && can_run?(event)
-        block.is_a?(Symbol) ? call_symbol(event) : call_proc(event, context)
+
+        block.is_a?(Symbol) \
+          ? call_symbol(event, *args, **xargs) \
+          : call_proc(event, _callback_context, *args, **xargs)
       end
 
       # Get a described source location for the callback
@@ -68,38 +71,45 @@ module Rails # :nodoc:
 
       private
 
+        # Find the proper owner of the symbol based callback
+        def owner
+          @owner ||= target.all_owners.find do |item|
+            item.is_a?(Class) ? item.method_defined?(block) : item.respond_to?(block)
+          end || target
+        end
+
         # Using the filters, check if the current callback can be executed
         def can_run?(event)
           filters.all? { |key, options| event_filters[key][:block].call(options, event) }
         end
 
         # Call the callback block as a symbol
-        def call_symbol(event)
-          owner = target.try(:proxied_owner) || target.try(:owner) || target
+        def call_symbol(event, *args, **xargs)
           event.on_instance(owner) do |instance|
             block = instance.method(@block)
-            args, xargs = collect_parameters(event, block)
+            args, xargs = collect_parameters(event, [args, xargs], block)
             block.call(*args, **xargs)
           end
         end
 
         # Call the callback block as a proc
-        def call_proc(event, context = nil)
-          args, xargs = collect_parameters(event)
+        def call_proc(event, context = nil, *args, **xargs)
+          args, xargs = collect_parameters(event, [args, xargs])
           (context || event).instance_exec(*args, **xargs, &block)
         end
 
         # Read the arguments needed for a block then collect them from the
         # event and return the execution args
-        def collect_parameters(event, block = @block)
-          args_source = event.send(:args_source) || event
-          start_args = [@pre_args.deep_dup, @pre_xargs.deep_dup]
-          return start_args unless inject_arguments?
+        def collect_parameters(event, send_args, block = @block)
+          args_source = event.send(:args_source)
+          send_args[0] += @pre_args.deep_dup
+          send_args[1].merge!(@pre_xargs.deep_dup)
+          return send_args unless inject_arguments?
 
           # TODO: Maybe we need to turn procs into lambdas so the optional
           # arguments doesn't suffer any kind of change
           idx = -1
-          block.parameters.each_with_object(start_args) do |(type, name), result|
+          block.parameters.each_with_object(send_args) do |(type, name), result|
             case type
             when :opt, :req
               idx += 1

data/lib/rails/graphql/errors.rb

@@ -38,5 +38,9 @@ module Rails # :nodoc:
     # Error class related to when the captured output value is invalid due to
     # type checking
     InvalidValueError = Class.new(FieldError)
+
+    # Error class related to when a field is unauthorized and can not be used,
+    # similar to disabled fields
+    UnauthorizedFieldError = Class.new(FieldError)
   end
 end

data/lib/rails/graphql/event.rb

@@ -108,7 +108,7 @@ module Rails # :nodoc:
 
       # Call a given block and send the event as reference
       def trigger(block)
-        catchable(:item) { @last_result = block.call(self) }
+        @last_result = catchable(:item) { block.call(self) }
       end
 
       # Stop the execution of an event using a given +layer+. The default is to
@@ -127,6 +127,10 @@ module Rails # :nodoc:
 
       alias call_super call_next
 
+      protected
+
+        alias args_source itself
+
       private
 
         # Add the layer, exec the block and remove the layer
@@ -136,6 +140,17 @@ module Rails # :nodoc:
         ensure
           @layers.pop
         end
+
+        # Check for data based readers
+        def respond_to_missing?(method_name, include_private = false)
+          data.key?(method_name) || super
+        end
+
+        # If the +method_name+ matches any key entry of the provided data, just
+        # return the value stored there
+        def method_missing(method_name, *)
+          data.key?(method_name) ? data[method_name] : super
+        end
     end
   end
 end

data/lib/rails/graphql/field.rb

@@ -38,20 +38,20 @@ module Rails # :nodoc:
 
       autoload :ScopedConfig
 
+      autoload :AuthorizedField
+      autoload :ProxiedField
       autoload :ResolvedField
       autoload :TypedField
-      autoload :ProxiedField
 
       autoload :InputField
       autoload :OutputField
       autoload :MutationField
 
-      delegate :input_type?, :output_type?, :leaf_type?, :proxy?, :mutation?, to: :class
+      attr_reader :name, :gql_name, :owner
 
+      delegate :input_type?, :output_type?, :leaf_type?, :proxy?, :mutation?, to: :class
       delegate :namespaces, to: :owner
 
-      attr_reader :name, :gql_name, :owner
-
       class << self
         # A small shared helper method that allows field information to be
         # proxied
@@ -145,6 +145,11 @@ module Rails # :nodoc:
           (other.nullable? == nullable? || other.nullable? && !nullable?)
       end
 
+      # Return the owner as the single item of the list
+      def all_owners
+        [owner]
+      end
+
       # Checks if the argument can be null
       def null?
         !!@null

data/lib/rails/graphql/field/authorized_field.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Rails # :nodoc:
+  module GraphQL # :nodoc:
+    # This provides ways for fields to be authorized, giving a logical level for
+    # enabling or disabling access to a field. It has a similar structure to
+    # events, but has a different hierarchy of resolution
+    module Field::AuthorizedField
+      # Just add the callbacks setup to the field
+      def self.included(other)
+        other.event_types(:authorize, append: true)
+      end
+
+      # Add either settings for authorization or a block to be executed. It
+      # returns +self+ for chain purposes
+      def authorize(*args, **xargs, &block)
+        @authorizer = [args, xargs, block]
+        self
+      end
+
+      # Return the settings for the authorize process
+      def authorizer
+        @authorizer if authorizable?
+      end
+
+      # Checks if the field should go through an authorization process
+      def authorizable?
+        defined?(@authorizer)
+      end
+    end
+  end
+end
+#

data/lib/rails/graphql/field/mutation_field.rb

@@ -16,9 +16,10 @@ module Rails # :nodoc:
       end
 
       # Add a block or a callable method that is executed before the resolver
-      # but after all the before resolve
+      # but after all the before resolve. It returns +self+ for chain purposes
       def perform(*args, **xargs, &block)
         @performer = Callback.new(self, :perform, *args, **xargs, &block)
+        self
       end
 
       # Get the performer that can be already defined or used through the

data/lib/rails/graphql/field/output_field.rb

@@ -10,6 +10,10 @@ module Rails # :nodoc:
     class Field::OutputField < Field
       include Helpers::WithArguments
       include Helpers::WithValidator
+      include Helpers::WithEvents
+      include Helpers::WithCallbacks
+
+      include Field::AuthorizedField
       include Field::ResolvedField
       include Field::TypedField
 

data/lib/rails/graphql/field/proxied_field.rb

@@ -68,6 +68,11 @@ module Rails # :nodoc:
         field.owner
       end
 
+      # Override this to include proxied owners
+      def all_owners
+        super + proxied_owner.all_owners
+      end
+
       # Return the proxied field
       def proxied_field
         @field

data/lib/rails/graphql/field/resolved_field.rb

@@ -29,16 +29,16 @@ module Rails # :nodoc:
 
       # Just add the callbacks setup to the field
       def self.included(other)
-        other.include(Helpers::WithEvents)
-        other.include(Helpers::WithCallbacks)
-        other.event_types(:prepare, :finalize, expose: true)
+        other.event_types(:prepare, :finalize, append: true, expose: true)
         other.alias_method(:before_resolve, :prepare)
         other.alias_method(:after_resolve, :finalize)
       end
 
-      # Add a block that is performed while resolving a value of a field
+      # Add a block that is performed while resolving a value of a field. It
+      # returns +self+ for chain purposes
       def resolve(*args, **xargs, &block)
         @resolver = Callback.new(self, :resolve, *args, **xargs, &block)
+        self
       end
 
       # Get the resolver that can be already defined or used through the

data/lib/rails/graphql/field/scoped_config.rb

@@ -6,7 +6,7 @@ module Rails # :nodoc:
     # instance of this class works as proxy for changes to the actual field.
     Field::ScopedConfig = Struct.new(:field, :receiver) do
       delegate :argument, :ref_argument, :id_argument, :use, :internal?, :disabled?,
-        :enabled?, :disable!, :enable!, to: :field
+        :enabled?, :disable!, :enable!, :authorize, to: :field
 
       delegate_missing_to :receiver
 

data/lib/rails/graphql/helpers/with_callbacks.rb

@@ -9,7 +9,7 @@ module Rails # :nodoc:
       # symbolic methods
       module WithCallbacks
         DEFAULT_EVENT_TYPES = %i[query mutation subscription request attach
-          organized prepared finalize].freeze
+          authorize organized prepared finalize].freeze
 
         def self.extended(other)
           other.extend(WithCallbacks::Setup)

data/lib/rails/graphql/helpers/with_events.rb

@@ -27,20 +27,20 @@ module Rails # :nodoc:
           # Set or get the list of possible event types when attaching events
           def event_types(*list, append: false, expose: false)
             return (defined?(@event_types) && @event_types.presence) ||
-              superclass.try(:event_types) if list.blank? 
+              superclass.try(:event_types) || [] if list.blank?
 
-            list = event_types if append
-            list += list.flatten.compact.map(&:to_sym)
-            @event_types = list.uniq.freeze
-            expose_events! if expose
+            new_list = append ? event_types : []
+            new_list += list.flatten.compact.map(&:to_sym)
+            @event_types = new_list.uniq.freeze
+            expose_events!(*list) if expose
             @event_types
           end
 
           protected
 
             # Auxiliar method that creates easy-accessible callback assignment
-            def expose_events!
-              event_types.each do |event_name|
+            def expose_events!(*list)
+              list.each do |event_name|
                 next if method_defined?(event_name)
                 define_method(event_name) do |*args, **xargs, &block|
                   on(event_name, *args, **xargs, &block)
@@ -51,7 +51,7 @@ module Rails # :nodoc:
 
         # Mostly for correct inheritance on instances
         def all_events
-          current = (@events || {})
+          current = defined?(@events) ? @events : {}
           return current unless defined? super
           Helpers.merge_hash_array(current, super)
         end

data/lib/rails/graphql/helpers/with_owner.rb

@@ -6,9 +6,16 @@ module Rails # :nodoc:
       # Helper module that allows other objects to hold an +assigned_to+ object
       module WithOwner
         def self.included(other)
+          other.extend(WithOwner::ClassMethods)
           other.class_attribute(:owner, instance_writer: false)
         end
 
+        module ClassMethods # :nodoc: all
+          def method_defined?(method_name)
+            super || owner&.method_defined?(method_name)
+          end
+        end
+
         private
 
           def respond_to_missing?(*args) # :nodoc:
@@ -24,8 +31,9 @@ module Rails # :nodoc:
 
           # Since owners are classes, this checks for the instance methods of
           # it, since this is a instance method
-          def owner_respond_to?(method_name, include_private = false)
-            (include_private ? %i[public protected private] : %i[public]).any? do |type|
+          def owner_respond_to?(method_name, with_private = false)
+            return true if !owner.is_a?(Class) && owner.respond_to?(method_name, with_private)
+            (with_private ? %i[public protected private] : %i[public]).any? do |type|
               owner.send("#{type}_instance_methods").include?(method_name)
             end unless owner.nil?
           end

data/lib/rails/graphql/helpers/with_schema_fields.rb

@@ -189,7 +189,11 @@ module Rails # :nodoc:
         SCHEMA_FIELD_TYPES.each do |kind, type_name|
           class_eval <<-RUBY, __FILE__, __LINE__ + 1
             def #{kind}_field?(name)
-              field?(:#{kind}, name)
+              has_field?(:#{kind}, name)
+            end
+
+            def #{kind}_field(name)
+              find_field(:#{kind}, name)
             end
 
             def #{kind}_fields(&block)

data/lib/rails/graphql/request.rb

@@ -20,6 +20,7 @@ module Rails # :nodoc:
 
       eager_autoload do
         autoload_under :steps do
+          autoload :Authorizable
           autoload :Organizable
           autoload :Prepareable
           autoload :Resolveable
@@ -42,8 +43,6 @@ module Rails # :nodoc:
       attr_reader :schema, :visitor, :operations, :fragments, :errors,
         :args, :response, :strategy, :stack
 
-      delegate :all_listeners, to: :schema
-
       class << self
         # Shortcut for initialize, set context, and execute
         def execute(*args, schema: nil, namespace: :base, context: {}, **xargs)
@@ -79,6 +78,11 @@ module Rails # :nodoc:
         ensure_schema!
       end
 
+      # Cache all the schema listeners for this current request
+      def all_listeners
+        @all_listeners ||= schema.all_listeners
+      end
+
       # Cache all the schema events for this current request
       def all_events
         @all_events ||= schema.all_events
@@ -127,7 +131,7 @@ module Rails # :nodoc:
       # Add the given +exception+ to the errors using the +node+ location
       def exception_to_error(exception, node, **xargs)
         xargs[:exception] = exception.class.name
-        report_node_error(exception.message, node, **xargs)
+        report_node_error(xargs.delete(:message) || exception.message, node, **xargs)
       end
 
       # A little helper to report an error on a given node

data/lib/rails/graphql/request/component/field.rb

@@ -8,6 +8,7 @@ module Rails # :nodoc:
       # This class holds information about a given field that should be
       # collected from the source of where it was requested.
       class Component::Field < Component
+        include Authorizable
         include ValueWriters
         include SelectionSet
         include Directives
@@ -40,13 +41,16 @@ module Rails # :nodoc:
         # Override that considers the requested field directives and also the
         # definition field events, both from itself and its directives events
         def all_listeners
-          field.all_listeners + super
+          (request.cache(:listeners)[field] ||= field.all_listeners) + super
         end
 
         # Override that considers the requested field directives and also the
         # definition field events, both from itself and its directives events
         def all_events
-          @all_events ||= Helpers.merge_hash_array(field.all_events, super)
+          @all_events ||= Helpers.merge_hash_array(
+            (request.cache(:events)[field] ||= field.all_events),
+            super,
+          )
         end
 
         # Get and cache all the arguments for the field
@@ -129,6 +133,7 @@ module Rails # :nodoc:
           def organize_then(&block)
             super(block) do
               check_assignment!
+              check_authorization!
 
               parse_arguments
               parse_directives
@@ -183,10 +188,10 @@ module Rails # :nodoc:
           def trigger_event(event_name, **xargs)
             return super if !defined?(@current_object) || @current_object.nil?
 
-            listeners = request.cache(:dynamic_listeners)[field] ||= field.all_listeners
+            listeners = request.cache(:listeners)[field] ||= field.all_listeners
             return super unless listeners.include?(event_name)
 
-            callbacks = request.cache(:dynamic_events)[field] ||= field.all_events
+            callbacks = request.cache(:events)[field] ||= field.all_events
             old_events, @all_events = @all_events, callbacks
             super
           ensure

data/lib/rails/graphql/request/event.rb

@@ -70,13 +70,13 @@ module Rails # :nodoc:
           args_source.try(:[], name.to_sym)
         end
 
+        alias arg argument
+
         # A combined helper for +instance_for+ and +set_on+
-        def on_instance(klass, &block)
-          set_on(klass.is_a?(Class) ? instance_for(klass) : klass, &block)
+        def on_instance(object, &block)
+          set_on(object.is_a?(Class) ? instance_for(object) : object, &block)
         end
 
-        alias arg argument
-
         protected
 
           # When performing an event under a field object, the keyed-based

data/lib/rails/graphql/request/helpers/directives.rb

@@ -6,12 +6,13 @@ module Rails # :nodoc:
       # Helper module to collect the directives from fragments, operations, and
       # fields.
       module Directives
-        # Get the list of listeners from all directives
+        # Get the list of listeners from directives set during the request only
         def all_listeners
           directives.map(&:all_listeners).reduce(:+) || Set.new
         end
 
-        # Get the list of events from all directives and caches it by request
+        # Get the list of events from directives set during the request only and
+        # then caches it by request
         def all_events
           @all_events ||= directives.map(&:all_events).inject({}) do |lhash, rhash|
             Helpers.merge_hash_array(lhash, rhash)

data/lib/rails/graphql/request/steps/authorizable.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+module Rails # :nodoc:
+  module GraphQL # :nodoc:
+    class Request # :nodoc:
+      # Helper methods for the authorize step of a request
+      module Authorizable
+        # Event used to perform an authorization step
+        class Event < GraphQL::Event
+          # Similar to trigger for object, but with an extra extension for
+          # instance methods defined on the given object
+          def authorize_using(object, send_args, events = nil)
+            cache = data[:request].cache(name)[object] ||= []
+            return false if cache.present? && cache.none?
+            args, xargs = send_args
+
+            # Authorize through instance method
+            using_object = cache[0] ||= authorize_on_object(object)
+            set_on(using_object) do |instance|
+              instance.public_send("#{name}!", self, *args, **xargs)
+            end if using_object
+
+            # Authorize through events
+            using_events = cache[1] ||= (events || object.all_events[name]).presence
+            using_events&.each { |block| block.call(self, *args, **xargs) }
+
+            # Does any authorize process ran
+            cache.any?
+          end
+
+          # Simply unauthorize the operation
+          def unauthorize!(*, message: nil, **)
+            raise UnauthorizedFieldError, message || <<~MSG.squish
+              Unauthorized access to "#{field.gql_name}" field.
+            MSG
+          end
+
+          # Simply authorize the operation
+          def authorize!(*)
+            throw :authorized
+          end
+
+          private
+
+            # Check if it should run call an +authorize!+ method on the given
+            # +object+. Classes are turn into instance through strategy
+            def authorize_on_object(object)
+              as_class = object.is_a?(Class)
+              checker = as_class ? :method_defined? : :respond_to?
+
+              return false unless object.public_send(checker, :authorize!)
+              as_class ? data[:request].strategy.instance_for(object) : object
+            end
+        end
+
+        # Check if the field is correctly authorized to be executed
+        def check_authorization!
+          return unless field.authorizable?
+          *args, block = field.authorizer
+
+          catch(:authorized) do
+            event = authorization_event
+            schema_events = request.all_events[:authorize]
+            executed = event.authorize_using(schema, args, schema_events)
+
+            element = field
+            while element && element != schema
+              executed = event.authorize_using(element, args) || executed
+              element = element.try(:owner)
+            end
+
+            if block.present?
+              block.call(event, *args[0], **args[1])
+              executed = true
+            end
+
+            event.unauthorize!(message: <<~MSG.squish) unless executed
+              Authorization required but unable to be executed
+            MSG
+          end
+        rescue UnauthorizedFieldError => error
+          request.rescue_with_handler(error)
+          request.exception_to_error(error, @node)
+          invalidate!
+        end
+
+        private
+
+          # Build and store the authorization event
+          def authorization_event
+            Event.new(:authorize, self,
+              request: request,
+              schema: schema,
+              field: field,
+              memo: memo,
+            )
+          end
+      end
+    end
+  end
+end

data/lib/rails/graphql/request/strategy.rb

@@ -37,6 +37,7 @@ module Rails # :nodoc:
 
         def initialize(request)
           @request = request
+          @objects_pool = {}
           collect_request_listeners
         end
 
@@ -205,7 +206,6 @@ module Rails # :nodoc:
           # it can load data in a pretty smart way
           def collect_data
             @data_pool = {}
-            @objects_pool = {}
             @context = request.build(Request::Context)
 
             # TODO: Create an orchestrator to allow cross query loading

data/lib/rails/graphql/source/active_record_source.rb

@@ -150,13 +150,13 @@ module Rails # :nodoc:
       end
 
       # Prepare to load multiple records from the underlying table
-      def load_records
-        inject_scopes(model.all, :relation)
+      def load_records(scope = model.default_scoped)
+        inject_scopes(scope, :relation)
       end
 
       # Prepare to load a single record from the underlying table
-      def load_record
-        load_records.find(event.argument(primary_key))
+      def load_record(scope = model.default_scoped)
+        scope.find(event.argument(primary_key))
       end
 
       # Get the chain result and preload the records with thre resulting scope
@@ -166,7 +166,7 @@ module Rails # :nodoc:
 
       # Collect a scope for filters applied to a given association
       def build_association_scope(association)
-        scope = model._reflect_on_association(association).klass.unscoped
+        scope = model._reflect_on_association(association).klass.default_scoped
 
         # Apply proxied injected scopes
         proxied = event.field.try(:proxied_owner)

data/lib/rails/graphql/source/scoped_arguments.rb

@@ -45,7 +45,7 @@ module Rails # :nodoc:
           # Add a new scoped param to the list
           def scoped_argument(param, type = :string, proc_method = nil, **settings, &block)
             block = proc_method if proc_method.present? && block.nil?
-            argument = Argument.new(param, type, **settings.merge(owner: self), &block)
+            argument = Argument.new(param, type, **settings, owner: self, &block)
             (@scoped_arguments ||= {})[argument.name] = argument
           end
 

data/lib/rails/graphql/type_map.rb

@@ -223,11 +223,11 @@ module Rails # :nodoc:
         namespaces += [:base] unless namespaces.include?(:base) || exclusive
 
         iterated = []
-        enumerator = Enumerator::Lazy.new(namespaces.uniq) do |yielder, *values|
-          next unless @index.key?(values.last)
+        enumerator = Enumerator::Lazy.new(namespaces.uniq) do |yielder, item|
+          next unless @index.key?(item)
 
           # Only iterate over string based types
-          @index[values.last][base_class]&.each do |_key, value|
+          @index[item][base_class]&.each do |_key, value|
             next if iterated.include?(value = value.call) || value.blank?
             iterated << value
             yielder << value

data/lib/rails/graphql/version.rb

@@ -2,6 +2,6 @@
 
 module Rails # :nodoc:
   module GraphQL # :nodoc:
-    VERSION = '0.1.3'
+    VERSION = '0.2.0'
   end
 end

data/test/integration/authorization/authorization_test.rb

@@ -0,0 +1,112 @@
+require 'integration/config'
+
+class Integration_Memory_AuthorizationTest < GraphQL::IntegrationTestCase
+  load_schema 'authorization'
+
+  SCHEMA = ::AuthorizationSchema
+  EXCEPTION_NAME = 'Rails::GraphQL::UnauthorizedFieldError'
+  EXCEPTION_PATH = ['errors', 0, 'extensions', 'exception']
+
+  SAMPLE1 = { data: { sample1: 'Ok 1' } }
+  SAMPLE2 = { data: { sample2: 'Ok 2' } }
+
+  def test_field_event_types
+    assert_includes(SCHEMA.query_field(:sample1).event_types, :authorize)
+  end
+
+  def test_without_authorization
+    assert_result(SAMPLE1, '{ sample1 }')
+  end
+
+  def test_with_simple_authorization
+    assert_exception('{ sample2 }')
+    assert_result({ sample1: 'Ok 1', sample2: nil }, '{ sample1 sample2 }', dig: 'data')
+
+    SCHEMA.stub_imethod(:authorize!, &:authorize!).call do
+      assert_result(SAMPLE2, '{ sample2 }')
+    end
+
+    SCHEMA.stub_imethod(:authorize!, &:unauthorize!).call do
+      assert_exception('{ sample2 }')
+    end
+  end
+
+  def test_with_block_authorization
+    field = SCHEMA.query_field(:sample1)
+
+    field.stub_ivar(:@authorizer, [[], {}, method(:executed!)]) do
+      assert_executed { assert_result(SAMPLE1, '{ sample1 }') }
+    end
+
+    block = ->(ev) { executed! && ev.unauthorize! }
+    field.stub_ivar(:@authorizer, [[], {}, block]) do
+      assert_executed { assert_exception('{ sample1 }') }
+    end
+  end
+
+  def test_with_field_event_authorization
+    field = SCHEMA.query_field(:sample2)
+
+    field.stub_ivar(:@events, { authorize: [method(:executed!)] }) do
+      assert_executed { assert_result(SAMPLE2, '{ sample2 }') }
+
+      assert_executed do
+        field.on(:authorize) { |event| event.unauthorize! }
+        assert_exception('{ sample2 }')
+      end
+    end
+  end
+
+  def test_with_directive
+    field = SCHEMA.query_field(:sample2)
+
+    auth_directive = unmapped_class(Rails::GraphQL::Directive)
+    auth_directive.on(:authorize, &method(:executed!))
+
+    auth_directive.stub_ivar(:@gql_name, 'AuthDirective') do
+      field.stub_ivar(:@directives, [auth_directive.new]) do
+        assert_executed { assert_result(SAMPLE2, '{ sample2 }') }
+      end
+
+      SCHEMA.stub_ivar(:@directives, [auth_directive.new]) do
+        assert_executed { assert_result(SAMPLE2, '{ sample2 }') }
+      end
+    end
+  end
+
+  def test_authorize_bypass
+    field = SCHEMA.query_field(:sample2)
+    auth_block   = ->(e, event) { e.call && event.authorize!   }.curry(2)[method(:executed!)]
+    unauth_block = ->(e, event) { e.call && event.unauthorize! }.curry(2)[method(:executed!)]
+
+    field.stub_ivar(:@events, { authorize: [unauth_block] }) do
+      SCHEMA.stub_imethod(:authorize!, &auth_block).call do
+        assert_executed { assert_result(SAMPLE2, '{ sample2 }') }
+      end
+    end
+
+    field.stub_ivar(:@events, { authorize: [auth_block] }) do
+      SCHEMA.stub_imethod(:authorize!, &unauth_block).call do
+        assert_executed { assert_exception('{ sample2 }') }
+      end
+    end
+  end
+
+  protected
+
+    def executed!(*)
+      @executed += 1
+    end
+
+    def assert_executed(times = 1)
+      @executed = 0
+      yield
+      assert_equal(times, @executed)
+    ensure
+      remove_instance_variable(:@executed)
+    end
+
+    def assert_exception(query, *args, **xargs)
+      assert_result(EXCEPTION_NAME, query, *args, dig: EXCEPTION_PATH, **xargs)
+    end
+end

data/test/integration/schemas/authorization.rb

@@ -0,0 +1,12 @@
+class AuthorizationSchema < GraphQL::Schema
+  namespace :authorization
+
+  configure do |config|
+    config.enable_string_collector = false
+  end
+
+  query_fields do
+    field(:sample1, :string).resolve { 'Ok 1' }
+    field(:sample2, :string).authorize.resolve { 'Ok 2' }
+  end
+end

data/test/test_ext.rb

@@ -28,6 +28,20 @@ class Object < BasicObject
     const_set(name, old_value) if defined? old_value
   end
 
+  def stub_imethod(name, &block)
+    lambda do |&run_block|
+      alias_method(:"_old_#{name}", name) if (reset_old = method_defined?(name))
+      define_method(name, &block)
+      run_block.call
+    ensure
+      undef_method(name)
+      if reset_old
+        alias_method(name, :"_old_#{name}")
+        undef_method(:"_old_#{name}")
+      end
+    end
+  end
+
   def get_reset_ivar(name, *extra, &block)
     instance_variable_set(name, extra.first) if extra.any?
     instance_exec(&block)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails-graphql
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.2.0
 platform: ruby
 authors:
 - Carlos Silva
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-12-22 00:00:00.000000000 Z
+date: 2021-01-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -307,6 +307,7 @@ files:
 - lib/rails/graphql/errors.rb
 - lib/rails/graphql/event.rb
 - lib/rails/graphql/field.rb
+- lib/rails/graphql/field/authorized_field.rb
 - lib/rails/graphql/field/input_field.rb
 - lib/rails/graphql/field/mutation_field.rb
 - lib/rails/graphql/field/output_field.rb
@@ -355,6 +356,7 @@ files:
 - lib/rails/graphql/request/helpers/directives.rb
 - lib/rails/graphql/request/helpers/selection_set.rb
 - lib/rails/graphql/request/helpers/value_writers.rb
+- lib/rails/graphql/request/steps/authorizable.rb
 - lib/rails/graphql/request/steps/organizable.rb
 - lib/rails/graphql/request/steps/prepareable.rb
 - lib/rails/graphql/request/steps/resolveable.rb
@@ -427,10 +429,12 @@ files:
 - test/graphql/type_map_test.rb
 - test/graphql/type_test.rb
 - test/graphql_test.rb
+- test/integration/authorization/authorization_test.rb
 - test/integration/config.rb
 - test/integration/memory/star_wars_introspection_test.rb
 - test/integration/memory/star_wars_query_test.rb
 - test/integration/memory/star_wars_validation_test.rb
+- test/integration/schemas/authorization.rb
 - test/integration/schemas/memory.rb
 - test/integration/schemas/sqlite.rb
 - test/integration/sqlite/star_wars_introspection_test.rb
@@ -503,7 +507,9 @@ test_files:
 - test/integration/memory/star_wars_validation_test.rb
 - test/integration/schemas/memory.rb
 - test/integration/schemas/sqlite.rb
+- test/integration/schemas/authorization.rb
 - test/integration/sqlite/star_wars_introspection_test.rb
 - test/integration/sqlite/star_wars_mutation_test.rb
 - test/integration/sqlite/star_wars_query_test.rb
+- test/integration/authorization/authorization_test.rb
 - test/test_ext.rb