Merge pull request #40 from RafaelOFreitas/master

Ignore introspection query to Object Authorization
jungsoft · Jul 11, 2022 · ac0487e · ac0487e
2 parents aa9d4e5 + 2c8e154
commit ac0487e
Show file tree

Hide file tree

Showing 5 changed files with 105 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -22,7 +22,7 @@ The package can be installed by adding `rajska` to your list of dependencies in
 ```elixir
 def deps do
   [
-    {:rajska, "~> 1.3.1"},
+    {:rajska, "~> 1.3.2"},
   ]
 end
 ```

diff --git a/lib/middlewares/object_scope_authorization.ex b/lib/middlewares/object_scope_authorization.ex
@@ -73,7 +73,7 @@ defmodule Rajska.ObjectScopeAuthorization do
 
   # Introspection
   defp result(%{emitter: %{schema_node: %{identifier: identifier}}} = result, _context)
-  when identifier in [:query_type, nil] do
+  when identifier in [:query_type, :__schema, nil] do
     result
   end
 

diff --git a/lib/rajska.ex b/lib/rajska.ex
@@ -16,7 +16,7 @@ defmodule Rajska do
   ```elixir
   def deps do
     [
-      {:rajska, "~> 1.3.1"},
+      {:rajska, "~> 1.3.2"},
     ]
   end
   ```

diff --git a/mix.exs b/mix.exs
@@ -6,7 +6,7 @@ defmodule Rajska.MixProject do
   def project do
     [
       app: :rajska,
-      version: "1.3.1",
+      version: "1.3.2",
       elixir: "~> 1.8",
       start_permanent: Mix.env() == :prod,
       deps: deps(),

diff --git a/test/middlewares/object_scope_authorization_test.exs b/test/middlewares/object_scope_authorization_test.exs
@@ -353,6 +353,12 @@ defmodule Rajska.ObjectScopeAuthorizationTest do
     end
   end
 
+  test "Skips introspection query" do
+    {:ok, result} = run_pipeline(introspection_query(), context(:admin, 2))
+    assert %{data: %{}} = result
+    refute Map.has_key?(result, :errors)
+  end
+
   defp all_query(id) do
     """
     {
@@ -473,6 +479,101 @@ defmodule Rajska.ObjectScopeAuthorizationTest do
     """
   end
 
+  defp introspection_query do
+    """
+    query IntrospectionQuery {
+      __schema {
+        queryType { name }
+        mutationType { name }
+        subscriptionType { name }
+        types {
+          ...FullType
+        }
+        directives {
+          name
+          description
+          locations
+          args {
+            ...InputValue
+          }
+        }
+      }
+    }
+    fragment FullType on __Type {
+      kind
+      name
+      description
+      fields(includeDeprecated: true) {
+        name
+        description
+        args {
+          ...InputValue
+        }
+        type {
+          ...TypeRef
+        }
+        isDeprecated
+        deprecationReason
+      }
+      inputFields {
+        ...InputValue
+      }
+      interfaces {
+        ...TypeRef
+      }
+      enumValues(includeDeprecated: true) {
+        name
+        description
+        isDeprecated
+        deprecationReason
+      }
+      possibleTypes {
+        ...TypeRef
+      }
+    }
+
+    fragment InputValue on __InputValue {
+      name
+      description
+      type { ...TypeRef }
+      defaultValue
+    }
+
+    fragment TypeRef on __Type {
+      kind
+      name
+      ofType {
+        kind
+        name
+        ofType {
+          kind
+          name
+          ofType {
+            kind
+            name
+            ofType {
+              kind
+              name
+              ofType {
+                kind
+                name
+                ofType {
+                  kind
+                  name
+                  ofType {
+                    kind
+                    name
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+    """
+  end
+
   defp context(role, id), do: [context: %{current_user: %{role: role, id: id}}]
 
   defp run_pipeline(document, opts) do