Auth not working for InputObjectGraphType<> #27

Closed
okarlsson opened this issue Nov 15, 2018 · 14 comments
Labels
bug Something isn't working

Comments

@okarlsson

I'm having some issues with auth between input and output types. With the following types I only got an error if I tried to use the name field in a query, but not in my mutation.

I'm using GraphQL.Authorization 2.0.27 and it seems like this should have been resolved in #17?

public class UserType : ObjectGraphType<User>, IGraphQLType
{
    public UserType()
    {
        Name = "User";
        Field(c => c.Id, type: typeof(IdGraphType)).Description("The id of the user");
        Field(c => c.Name).Description("The name of the user").AuthorizeWith(AuthPolicies.SuperAdminPolicy.Name);
    }
}

public class UserInputType : InputObjectGraphType<User>, IGraphQLType
{
    public UserInputType()
    {
        Name = "User";
        Field(c => c.Id, type: typeof(IdGraphType)).Description("The id of the user");
        Field(c => c.Name).Description("The name of the user").AuthorizeWith(AuthPolicies.SuperAdminPolicy.Name);
    }
}

@joemcbride
Member

Indeed that should have been working with that PR (though I failed to ask for tests to verify). Can you provide a failing test to demonstrate the issue?

@chris-nissen

I'm also having this issue. I tried creating a test to prove it, without success. I can report, though, that at least in my setup, the _.Match<ObjectField> handler in AuthorizationValidationRule is never being hit, if that sheds any light.

@chris-nissen

From stepping through local code, I'm also seeing that an ObjectField for the field I have the AuthorizeWith on is not created until during DocumentExecuter.BuildExecutionContext which happens after the document has been validated, so I'm not seeing how the ObjectField matcher will work here.

To be clear, the field I want to authorize on is on one of the variable values. @okarlsson, @cotzo, is that also what you are doing?

@okarlsson
Author

I tried to fork this repo and replicate the issue with some unit tests, but everything seemed to work there.

Currently I'm using my own implementations of IValidationRule so I don't have this problem in my project any longer.

Have you found anything else regarding this @chris-nissen or should we close the issue for now?

@chris-nissen

No, I haven't found anything more. I worked around this by adding a custom requirement that implements IAuthorizationRequirement, so I'm OK.

But neither do I necessarily think this should be closed. There's definitely an issue here. I know that @joemcbride has been busy with his job, so maybe he'll be able to chime in when he has more time.

@bogdancice

Hi guys,

I encountered this problem also. It seems that it partially works.

  1. It works when you write all the input data in the query/mutation.
  2. It doesn't work when you put the input data in Variables.
  • Example:

InputObjectGraphType class:

public class UserFilterType : InputObjectGraphType<UserFilter>
{
    public UserFilterType()
    {
        Field(x => x.UserRole, true).AuthorizeWith("SuperAdmin");
    }
}

Works in case 1:

  • Operation:
    query { user{ search( filtering:{ UserRole: Admin } ){ totalCount items{ email id } } } }

Doesn't work in case 2:

  • Operation:
    query search( $filtering: UserFilterType!) { userProfiles { search( filtering: $filtering ) { items { id email } totalCount } } }

  • Variable:
    {"filtering":{"UserRole": "ADMIN"}}

From the debugging I've done, I concluded that:

  • in the first case the GraphQL library creates an instance of type ObjectField for my input object named Filtering (the pull request that added support for argument fields, #17, fixed authorization only for this type of field)
  • in the second case the GraphQL library creates an instance of type VariableReference for my input object named Filtering

@furier

furier commented Jan 24, 2019

@okarlsson could you provide the implementation for IValidationRule that works for arguments?

I am also having the issue that authorization is not being checked for InputObjectGraphType.

@okarlsson
Author

> @okarlsson could you provide the implementation for IValidationRule that works for arguments?
>
> I am also having the issue that authorization is not being checked for InputObjectGraphType.

@furier - I posted a comment in a different issue that gives an example for the implementation. You can find it here: #6 (comment)

I also recommend you to check out the Authorization chapter in the docs that my solution is heavily based on: https://graphql-dotnet.github.io/docs/getting-started/authorization.

@furier

furier commented Jan 24, 2019

@okarlsson thanks, but seems I have a different problem then. The _.Match<Field>(...) never triggers for the input types or its sub fields, so I am unable to do any authentication.

However _.Match<Argument>(...) hits, and I am able to do authentication for the whole argument type, but if the argument type is complex and contains different authentication rules for its sub fields they are not checked, which is the last missing part I need.
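
The gap described in the comments above (inline input is checked, the same input passed through Variables is not, and nested sub-field rules are skipped), as an added example that is not part of the original thread and is not GraphQL.NET or GraphQL.Authorization code. It is a toy C# model: the Value records, the Owner/OwnerInput nesting and both check functions are assumptions made for illustration; UserFilterType, UserRole and the SuperAdmin policy name come from the thread.

```csharp
using System;
using System.Collections.Generic;
// Toy model (not GraphQL.NET types): an argument is an inline literal or a variable reference.
abstract record Value;
record ObjectLiteral(Dictionary<string, object> Fields) : Value;
record VariableRef(string Name) : Value;

static class InputAuthDemo
{
    // Constructed schema: input type -> field -> (required policy, nested input type).
    static readonly Dictionary<string, Dictionary<string, (string? Policy, string? Type)>> Schema = new()
    {
        ["UserFilterType"] = new() { ["UserRole"] = ("SuperAdmin", null), ["Owner"] = (null, "OwnerInput") },
        ["OwnerInput"] = new() { ["EmployeeId"] = ("SuperAdmin", null) },
    };

    // Document-only check: walks literal fields, treats a variable as opaque.
    public static List<string> CheckLiteralsOnly(string type, Value arg) =>
        arg is ObjectLiteral lit ? Walk(type, lit.Fields, "") : new List<string>();

    // Variable-aware check: resolves the reference and walks the supplied keys the same way.
    public static List<string> CheckWithVariables(string type, Value arg, Dictionary<string, object> vars) => arg switch
    {
        ObjectLiteral lit => Walk(type, lit.Fields, ""),
        VariableRef v when vars.TryGetValue(v.Name, out var o) && o is Dictionary<string, object> d => Walk(type, d, ""),
        _ => new List<string>(),
    };

    // Returns "path:policy" for every supplied field that carries a policy, nested ones included.
    static List<string> Walk(string type, Dictionary<string, object> supplied, string path)
    {
        var required = new List<string>();
        foreach (var (name, value) in supplied)
        {
            if (!Schema[type].TryGetValue(name, out var f)) continue;
            if (f.Policy != null) required.Add($"{path}{name}:{f.Policy}");
            if (f.Type != null && value is Dictionary<string, object> nested)
                required.AddRange(Walk(f.Type, nested, $"{path}{name}."));
        }
        return required;
    }
    static void Main()
    {
        // Constructed request variables, shaped like the "filtering" variable in the thread.
        var vars = new Dictionary<string, object> { ["filtering"] = new Dictionary<string, object> {
            ["UserRole"] = "ADMIN", ["Owner"] = new Dictionary<string, object> { ["EmployeeId"] = 7 } } };
        Value arg = new VariableRef("filtering");
        Console.WriteLine(CheckLiteralsOnly("UserFilterType", arg).Count);
        Console.WriteLine(string.Join(", ", CheckWithVariables("UserFilterType", arg, vars)));
    }
}
```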

@bogdancice

I've added a fix for the issue I've explained in the comments above. @joemcbride please take a look and let me know what you think. Thanks

@furier

furier commented Feb 8, 2019

@bogdancice seems to work for the complex type itself but not its fields, at least for me...

variableData does not contain the keys of the fields that I passed in

and therefore no authorization checks are performed on the employeeId field I passed in.

@bogdancice

@furier good point, you are right. I fixed the issue and added unit tests

@bogdancice

bogdancice commented Feb 19, 2019

@joemcbride when you have some spare time can you please check the PR and let me know what you think? We need Variables Validation in our projects

sungam3r added the bug label Dec 11, 2021

@sungam3r
Member

Fixed in #179. Will be released in v4.1.
