How to set current user in the context? #11

Closed
nmabhinandan opened this issue Nov 23, 2018 · 4 comments

Comments

@nmabhinandan

I couldn't figure out how to store the currently authenticated user in the context so that I can use it for authorisation, for example. And does this library provide any easy way to do authorisation?

@kaqqao
Member

kaqqao commented Nov 26, 2018

Due to a bug #12 the current version freaks out when Spring Security is used (unless you manually register the beans which largely defeats the purpose of the starter).
The new version with the fix is coming today or tomorrow.

With that, you should be able to use Spring Security as if SPQR wasn't there. The methods will be intercepted as expected.

In addition, the new version will allow easy customization of the context. Currently customizing this is needlessly complicated.

If you wish to implement your own authorization mechanism, the easiest way is to place the user in the context and implement a custom Interceptor.
Out-of-the-box support for all of this is coming in the new release.

@kaqqao
Member

kaqqao commented Nov 26, 2018

The way this will work in version 0.0.3 is:

  1. You register a bean of type GlobalContextFactory

  2. A method ContextFactory#createGlobalContext(GlobalContextFactoryParams) gets invoked on each request. Currently, GlobalContextFactoryParams contains the GraphQLRequest and the raw HttpServletRequest, enabling easy access to session, cookies, headers etc.

  3. Whatever object is returned by createGlobalContext will be used as the context for the current request

The default factory produces a DefaultGlobalContext (same object that was always available in the previous versions) which simply saves a reference to the underlying HttpServletRequest.

@kaqqao kaqqao closed this as completed in 2d2eb27 Nov 26, 2018
@nmabhinandan
Author

So.. interceptors cannot be used in 0.0.2 because we can't set current user object in the context?

@kaqqao
Member

kaqqao commented Dec 16, 2018

SPQR 0.9.9 and Spring Starter 0.0.3 are out, so you have everything in place now.

See the instructions above on injecting custom global context. Use that to store a reference to the current user. E.g.

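```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
// GlobalContextFactory and GlobalContextFactoryParams come from the SPQR Spring Boot starter;
// User is the application's own principal class.

// A simple POJO to store contextual stuff
public class CustomContext {

    private final HttpServletRequest servletRequest;
    private final User currentUser;

    public CustomContext(HttpServletRequest servletRequest, User currentUser) {
        this.servletRequest = servletRequest;
        this.currentUser = currentUser;
    }

    public HttpServletRequest getServletRequest() {
        return servletRequest;
    }

    public User getCurrentUser() {
        return currentUser;
    }
}

// A custom global context factory bean
@Component
public class CustomGlobalContextFactory implements GlobalContextFactory {

    @Override
    public Object createGlobalContext(GlobalContextFactoryParams params) {
        // getAuthentication() is null when nothing is authenticated, and the principal
        // of an anonymous request is not a User, so check the type before casting
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        Object principal = authentication != null ? authentication.getPrincipal() : null;
        User currentUser = principal instanceof User ? (User) principal : null;
        return new CustomContext(params.getHttpRequest(), currentUser);
    }
}
```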

Then, you can always access the CustomContext instance using the @GraphQLRootContext annotation.

If you wish to make a custom authentication interceptor, see this test illustrating the usage.

Still, if you're using Spring Security, not only do you not need to do any of this, you also probably shouldn't... With #12 fixed, Spring Security should work as always, with no custom action needed.
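
For the custom route described in the thread (user stored in the global context, read back through @GraphQLRootContext), here is a resolver that makes a per-object authorization decision from that context. This is an added example, not code from the thread or from SPQR: InvoiceService, Invoice and the "ADMIN" role are hypothetical, and it assumes the CustomContext class shown above plus an application User class with getId() and getRoles().

```java
import io.leangen.graphql.annotations.GraphQLArgument;
import io.leangen.graphql.annotations.GraphQLQuery;
import io.leangen.graphql.annotations.GraphQLRootContext;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.stereotype.Service;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example. Assumes CustomContext from the comment above and a hypothetical
// application User with getId() and getRoles(); InvoiceService and Invoice are made up.
@Service // register with SPQR the way your starter version expects
public class InvoiceService {

    // Hypothetical domain object with an owner, to show a per-object check
    public static class Invoice {
        private final String id;
        private final String ownerId;
        public Invoice(String id, String ownerId) {
            this.id = id;
            this.ownerId = ownerId;
        }

        public String getId() { return id; }
        public String getOwnerId() { return ownerId; }
    }

    // Stands in for a real repository
    private final Map<String, Invoice> invoices = new ConcurrentHashMap<>();

    @GraphQLQuery(name = "invoice")
    public Invoice invoice(@GraphQLArgument(name = "id") String id,
                           @GraphQLRootContext CustomContext context) {
        // Fail closed: no context or no resolved user means no access
        if (context == null || context.getCurrentUser() == null) {
            throw new AccessDeniedException("Authentication required");
        }
        User user = context.getCurrentUser();
        Invoice invoice = invoices.get(id);
        // Same error for "missing" and "not yours" so ids cannot be probed
        if (invoice == null || !canRead(user, invoice)) {
            throw new AccessDeniedException("Not authorized to read this invoice");
        }
        return invoice;
    }

    // Owner or admin may read; the role name "ADMIN" is a constructed sample value
    static boolean canRead(User user, Invoice invoice) {
        return invoice.getOwnerId().equals(user.getId()) || user.getRoles().contains("ADMIN");
    }
}
```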
