fix: Authorization checks not applied correctly for unions and interf…

…aces (#126) * test: reproduce issue in examples playground * test: add failing unit tests to reproduce issue * fix: implement solution for pre-exec rules * fix: draft solution for post-exec rules * revert: remove example, post-exec draft fix and post-exec tests changes * style: apply standardized formatting * docs: Add changesets
AstrumU · Aug 12, 2024 · adf7272 · adf7272
1 parent 6be6e7d
commit adf7272
Show file tree

Hide file tree

Showing 5 changed files with 328 additions and 95 deletions.
diff --git a/.changeset/calm-eyes-approve.md b/.changeset/calm-eyes-approve.md
@@ -0,0 +1,5 @@
+---
+'@graphql-authz/core': patch
+---
+
+Fix not applied type-specific pre-exec rules when union or interface is used.
diff --git a/__tests__/pre-exec-rules/field.test.ts b/__tests__/pre-exec-rules/field.test.ts
@@ -323,6 +323,23 @@ describe.each(['apollo-plugin', 'envelop-plugin'] as const)(
                 expect(rules.PassingPreExecRule.prototype.execute).toBeCalled();
               });
 
+              it('should handle inline fragments', async () => {
+                await server.executeOperation({
+                  query: `
+                    query getUser {
+                      user {
+                        id
+                        ... on User {
+                          email
+                        }
+                      }
+                    }
+                  `
+                });
+
+                expect(rules.PassingPreExecRule.prototype.execute).toBeCalled();
+              });
+
               it('should handle aliases', async () => {
                 await server.executeOperation({
                   query: `query getUser {

diff --git a/__tests__/pre-exec-rules/object.test.ts b/__tests__/pre-exec-rules/object.test.ts
@@ -185,6 +185,64 @@ describe.each(['apollo-plugin', 'envelop-plugin'] as const)(
                   expect(result?.data?.user).toBeNull();
                 }
               });
+
+              it('rule should be executed for fragment', async () => {
+                const result = formatResponse(
+                  await server.executeOperation({
+                    query: `
+                      query getPost {
+                        post {
+                          id
+                          ...Fragment1
+                        }
+                      }
+                      fragment Fragment1 on Post {
+                        ...Fragment2
+                      }
+                      fragment Fragment2 on Post {
+                        title
+                      }
+                    `
+                  })
+                );
+
+                expect(result?.errors).toHaveLength(1);
+                expect(result?.errors?.[0].extensions?.code).toEqual(
+                  'FORBIDDEN'
+                );
+                try {
+                  expect(result?.data).toBeUndefined();
+                } catch {
+                  expect(result?.data?.post).toBeNull();
+                }
+              });
+
+              it('rule should be executed for inline fragment', async () => {
+                const result = formatResponse(
+                  await server.executeOperation({
+                    query: `
+                      query getPost {
+                        post {
+                          id
+                          ... on Post {
+                            title
+                          }
+                        }
+                      }
+                    `
+                  })
+                );
+
+                expect(result?.errors).toHaveLength(1);
+                expect(result?.errors?.[0].extensions?.code).toEqual(
+                  'FORBIDDEN'
+                );
+                try {
+                  expect(result?.data).toBeUndefined();
+                } catch {
+                  expect(result?.data?.post).toBeNull();
+                }
+              });
             });
           });
         });