Graphql auth #751

Merged
merged 15 commits into from
Apr 5, 2018

@kevinhughes27 (Owner) commented Mar 23, 2018

part of #750

I can test locally that logging in shows additional schema fields and incognito shows less.

Notes - MutationOperation is useless because of differences in how context variables (user and tournament) are used in existing operations. I am going to remove MutationOperation and call operations manually in resolve.

I added basic smoke screen tests here to capture api auth in tests. Testing all the logic via graphql can wait until I remove the operations.

# admin
field :gameUpdateScore, field: GameUpdateScoreMutation.field do
visibility -> (ctx) { Auth.visible(ctx) }
end
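
Review bot: The `visibility` lambda on `gameUpdateScore` is declared inside this one field's block, so every mutation listed under `# admin` needs its own copy, and a mutation added later without it is visible by default. Consider applying `Auth.visible(ctx)` once for the whole admin group so the default is deny, and confirm that `GameUpdateScoreMutation` also checks the caller when it resolves, so that hiding the field is not the only control.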
@kevinhughes27 (Owner, Author) commented:
I would love to not have to re-define this for each mutation that requires auth. I have 2 ideas, neither of which I fully understand how to implement:

  1. Push this down to the mutation itself and use something like

GraphQL::Relay::Mutation.accepts_definitions ( auth_required: ... )

  2. Somehow have an auth_require do block around all the mutations in this file

@kevinhughes27 (Owner, Author) commented:

I'm debating what value the schema filter adds. It's cool to not even expose parts of the schema the user is not authorised for, but it comes with a few issues:

  • The actual auth code is never run when the schema is filtered, since a "not in the schema" error fires first. This makes actual auth more like a backup, but it's kinda sketchy that it never runs. This also leaves gaps for auth code not being added, causing bugs in the future.
  • On a related note, I can't control the error message, so my nice messages about wrong tournament or please signup get trumped by the schema error.
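
The gap described in the comment above, as an added example that is not part of this PR or the project's code: a plain-Ruby model (no graphql-ruby calls) of a schema filter sitting in front of resolver-level auth, with an audit that tests each layer separately for an anonymous caller. `Field`, `guarded`, `execute`, `audit`, the field list and the error strings are all hypothetical and constructed for illustration.

```ruby
AuthError = Class.new(StandardError)
Field = Struct.new(:name, :admin, :visible, :resolve)

# Stand-ins for a visibility check such as the PR's Auth.visible(ctx) (assumed behaviour).
SIGNED_IN = ->(ctx) { !ctx[:user].nil? }
PUBLIC    = ->(_ctx) { true }

# Wraps a resolver body with the "actual auth" check and its friendly message.
def guarded(&body)
  ->(ctx) do
    raise AuthError, "please sign up" if ctx[:user].nil?
    body.call(ctx)
  end
end

# Constructed schema: teamDelete lacks resolver auth, fieldCreate lacks the filter.
FIELDS = [
  Field.new(:games,           false, PUBLIC,    ->(_ctx) { [] }),
  Field.new(:gameUpdateScore, true,  SIGNED_IN, guarded { |_| :updated }),
  Field.new(:teamDelete,      true,  SIGNED_IN, ->(_ctx) { :deleted }),
  Field.new(:fieldCreate,     true,  PUBLIC,    guarded { |_| :created }),
].freeze

# Filtered execution: a hidden field fails before its resolver (and its auth) runs.
def execute(field, ctx)
  return "Field '#{field.name}' doesn't exist" unless field.visible.call(ctx)
  field.resolve.call(ctx)
rescue AuthError => e
  e.message
end

# Audit admin fields as an anonymous caller, checking filter and resolver independently.
def audit(fields)
  anon = { user: nil }
  fields.select(&:admin).each_with_object({}) do |f, problems|
    issues = []
    issues << :visible_to_anonymous if f.visible.call(anon)
    begin
      f.resolve.call(anon) # call the resolver directly so the filter cannot mask it
      issues << :resolver_not_guarded
    rescue AuthError
      # expected: the resolver enforces auth on its own
    end
    problems[f.name] = issues unless issues.empty?
  end
end

p audit(FIELDS)
```

Through `execute`, `teamDelete` looks safe to an anonymous caller because the filter answers first; only the direct resolver call in `audit` shows that its own auth check is missing.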

@kevinhughes27 merged commit 10d0998 into master Apr 5, 2018
@kevinhughes27 deleted the graphql-auth branch April 5, 2018 01:04