Merge pull request #154 from graphql-devise/allow-interpreter-query-to-be-executed-without-auth

00dav00 · web-flow · commit 1d101e654daf · 2021-03-07T11:47:24.000-05:00
Add config for public introspection query on schema plugin
diff --git a/lib/graphql_devise/schema_plugin.rb b/lib/graphql_devise/schema_plugin.rb
@@ -2,13 +2,16 @@
 
 module GraphqlDevise
   class SchemaPlugin
+    # NOTE: Based on GQL-Ruby docs  https://graphql-ruby.org/schema/introspection.html
+    INTROSPECTION_FIELDS = ['__schema', '__type', '__typename']
     DEFAULT_NOT_AUTHENTICATED = ->(field) { raise GraphqlDevise::AuthenticationError, "#{field} field requires authentication" }
 
-    def initialize(query: nil, mutation: nil, authenticate_default: true, resource_loaders: [], unauthenticated_proc: DEFAULT_NOT_AUTHENTICATED)
+    def initialize(query: nil, mutation: nil, authenticate_default: true, public_introspection: !Rails.env.production?, resource_loaders: [], unauthenticated_proc: DEFAULT_NOT_AUTHENTICATED)
       @query                = query
       @mutation             = mutation
       @resource_loaders     = resource_loaders
       @authenticate_default = authenticate_default
+      @public_introspection = public_introspection
       @unauthenticated_proc = unauthenticated_proc
 
       # Must happen on initialize so operations are loaded before the types are added to the schema on GQL < 1.10
@@ -28,7 +31,7 @@ def trace(event, trace_data)
       auth_required = authenticate_option(field, trace_data)
       context       = context_from_data(trace_data)
 
-      if auth_required
+      if auth_required && !(public_introspection && introspection_field?(field))
         context = set_current_resource(context)
         raise_on_missing_resource(context, field)
       end
@@ -38,6 +41,8 @@ def trace(event, trace_data)
 
     private
 
+    attr_reader :public_introspection
+
     def set_current_resource(context)
       controller     = context[:controller]
       resource_names = Array(context[:resource_name])
@@ -109,6 +114,10 @@ def load_fields
         resource_loader.call(@query, @mutation)
       end
     end
+
+    def introspection_field?(field)
+      INTROSPECTION_FIELDS.include?(field.name)
+    end
   end
 end
 
diff --git a/spec/dummy/app/graphql/dummy_schema.rb b/spec/dummy/app/graphql/dummy_schema.rb
@@ -2,9 +2,10 @@
 
 class DummySchema < GraphQL::Schema
   use GraphqlDevise::SchemaPlugin.new(
-    query:            Types::QueryType,
-    mutation:         Types::MutationType,
-    resource_loaders: [
+    query:                Types::QueryType,
+    mutation:             Types::MutationType,
+    public_introspection: true,
+    resource_loaders:     [
       GraphqlDevise::ResourceLoader.new(
         'User',
         only: [
diff --git a/spec/requests/queries/introspection_query_spec.rb b/spec/requests/queries/introspection_query_spec.rb
@@ -0,0 +1,149 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Login Requests' do
+  include_context 'with graphql query request'
+
+  let(:query) do
+    <<-GRAPHQL
+      query IntrospectionQuery {
+        __schema {
+          queryType { name }
+          mutationType { name }
+          subscriptionType { name }
+          types {
+            ...FullType
+          }
+          directives {
+            name
+            description
+            args {
+              ...InputValue
+            }
+            onOperation
+            onFragment
+            onField
+          }
+        }
+      }
+
+      fragment FullType on __Type {
+        kind
+        name
+        description
+        fields(includeDeprecated: true) {
+          name
+          description
+          args {
+            ...InputValue
+          }
+          type {
+            ...TypeRef
+          }
+          isDeprecated
+          deprecationReason
+        }
+        inputFields {
+          ...InputValue
+        }
+        interfaces {
+          ...TypeRef
+        }
+        enumValues(includeDeprecated: true) {
+          name
+          description
+          isDeprecated
+          deprecationReason
+        }
+        possibleTypes {
+          ...TypeRef
+        }
+      }
+
+      fragment InputValue on __InputValue {
+        name
+        description
+        type { ...TypeRef }
+        defaultValue
+      }
+
+      fragment TypeRef on __Type {
+        kind
+        name
+        ofType {
+          kind
+          name
+          ofType {
+            kind
+            name
+            ofType {
+              kind
+              name
+            }
+          }
+        }
+      }
+
+    GRAPHQL
+  end
+
+  context 'when using a schema plugin to mount devise operations' do
+    context 'when schema plugin is set to authenticate by default' do
+      context 'when the resource is authenticated' do
+        let(:user) { create(:user, :confirmed) }
+        let(:headers) { user.create_new_auth_token }
+
+        it 'return the schema information' do
+          post_request('/api/v1/graphql')
+
+          expect(json_response[:data][:__schema].keys).to contain_exactly(
+            :queryType, :mutationType, :subscriptionType, :types, :directives
+          )
+        end
+      end
+
+      context 'when the resource is *NOT* authenticated' do
+        context 'and instrospection is set to be public' do
+          it 'return the schema information' do
+            post_request('/api/v1/graphql')
+
+            expect(json_response[:data][:__schema].keys).to contain_exactly(
+              :queryType, :mutationType, :subscriptionType, :types, :directives
+            )
+          end
+        end
+
+        context 'and introspection is set to require auth' do
+          before do
+            allow_any_instance_of(GraphqlDevise::SchemaPlugin).to(
+              receive(:public_introspection).and_return(false)
+            )
+          end
+
+          it 'return an error' do
+            post_request('/api/v1/graphql')
+
+            expect(json_response[:data]).to be_nil
+            expect(json_response[:errors]).to contain_exactly(
+              hash_including(
+                message:    '__schema field requires authentication',
+                extensions: { code: 'AUTHENTICATION_ERROR' }
+              )
+            )
+          end
+        end
+      end
+    end
+
+    context 'when schema plugin is set *NOT* to authenticate by default' do
+      it 'return the schema information' do
+        post_request('/api/v1/interpreter')
+
+        expect(json_response[:data][:__schema].keys).to contain_exactly(
+          :queryType, :mutationType, :subscriptionType, :types, :directives
+        )
+      end
+    end
+  end
+end
