Avoid setting current resource on public fields

David Revelo · David Revelo · commit ab716ff5e089 · 2021-02-10T08:55:59.000-05:00
diff --git a/lib/graphql_devise/schema_plugin.rb b/lib/graphql_devise/schema_plugin.rb
@@ -24,13 +24,12 @@ def trace(event, trace_data)
       # Authenticate only root level queries
       return yield unless event == 'execute_field' && path(trace_data).count == 1
 
-      field = traced_field(trace_data)
-      provided_value = authenticate_option(field, trace_data)
-      context = set_current_resource(context_from_data(trace_data))
+      field         = traced_field(trace_data)
+      auth_required = authenticate_option(field, trace_data)
+      context       = context_from_data(trace_data)
 
-      if !provided_value.nil?
-        raise_on_missing_resource(context, field) if provided_value
-      elsif @authenticate_default
+      if auth_required
+        context = set_current_resource(context)
         raise_on_missing_resource(context, field)
       end
 
@@ -89,11 +88,13 @@ def traced_field(trace_data)
     end
 
     def authenticate_option(field, trace_data)
-      if trace_data[:context]
+      auth_required = if trace_data[:context]
         field.metadata[:authenticate]
       else
         field.graphql_definition.metadata[:authenticate]
       end
+
+      auth_required.nil? ? @authenticate_default : auth_required
     end
 
     def reconfigure_warden!
diff --git a/spec/graphql/user_queries_spec.rb b/spec/graphql/user_queries_spec.rb
@@ -2,7 +2,7 @@
 
 require 'rails_helper'
 
-RSpec.describe 'Sign Up process' do
+RSpec.describe 'Users controller specs' do
   include_context 'with graphql schema test'
 
   let(:schema)          { DummySchema }
@@ -58,12 +58,6 @@
           end
         end
       end
-
-      context 'when user is not authenticated' do
-        it 'returns a must sign in error' do
-          expect(response[:errors]).to contain_exactly(hash_including(**private_error))
-        end
-      end
     end
 
     context 'when using an interpreter schema' do
@@ -76,12 +70,6 @@
           expect(response[:data][:privateField]).to eq(private_message)
         end
       end
-
-      context 'when user is not authenticated' do
-        it 'returns a must sign in error' do
-          expect(response[:errors]).to contain_exactly(hash_including(**private_error))
-        end
-      end
     end
   end
 
@@ -106,14 +94,6 @@
           expect(response[:data][:user]).to match(**user_data)
         end
       end
-
-      context 'when user is not authenticated' do
-        let(:field) { 'user' }
-
-        it 'returns a must sign in error' do
-          expect(response[:errors]).to contain_exactly(hash_including(**private_error))
-        end
-      end
     end
 
     context 'when using an interpreter schema' do
diff --git a/spec/requests/user_controller_spec.rb b/spec/requests/user_controller_spec.rb
@@ -31,15 +31,6 @@
         expect(json_response[:data][:publicField]).to eq('Field does not require authentication')
       end
     end
-
-    context 'when using the failing route' do
-      it 'raises an invalid resource_name error' do
-        expect { post_request('/api/v1/failing') }.to raise_error(
-          GraphqlDevise::Error,
-          'Invalid resource_name `fail` provided to `graphql_context`. Possible values are: [:user, :admin, :guest, :users_customer, :schema_user].'
-        )
-      end
-    end
   end
 
   describe 'privateField' do
@@ -77,6 +68,15 @@
           )
         end
       end
+
+      context 'when using the failing route' do
+        it 'raises an invalid resource_name error' do
+          expect { post_request('/api/v1/failing') }.to raise_error(
+            GraphqlDevise::Error,
+            'Invalid resource_name `fail` provided to `graphql_context`. Possible values are: [:user, :admin, :guest, :users_customer, :schema_user].'
+          )
+        end
+      end
     end
 
     context 'when using an interpreter schema' do
diff --git a/spec/support/contexts/schema_test.rb b/spec/support/contexts/schema_test.rb
@@ -1,6 +1,8 @@
+# frozen_string_literal: true
+
 RSpec.shared_context 'with graphql schema test' do
   let(:variables)      { {} }
-  let(:resource_names) { [] }
+  let(:resource_names) { [:user] }
   let(:resource)       { nil }
   let(:controller)     { instance_double(GraphqlDevise::GraphqlController) }
   let(:context) do
