Improve the checking for non-existent parameters when evaluating authorization rules

[darrellwarde]

Description

Address the following issue reported on Discord:

Hi, I started to play around with the new @authorization directive using 3.23.0. Our jwt object that is passed to the executed query contains a list of stores where the user is admin.
What we want to achieve is that the admin user is only able to query clients that belong to their stores. The authorization directive looks like this:
@authorization(validate: [{when: [BEFORE], where: {node: {config: {store_IN: "$jwt.storeAdmins"}}}}])
However this will throw an error when a graphql query is executed: Type mismatch: expected List<T> but was Any, Map, Node or Relationship

The issue seems to be that the validatePredicate cypher that is generated is using COALESCE for the store_IN condition: WHERE this0.store IN coalesce($jwt.storeAdmins, $jwtDefault)
$jwtDefault is an empty object so this0.store IN coalesce($jwt.storeAdmins, $jwtDefault) will throw an error when it is used with an _IN filter.

This behavior can be easily checked in neo4j browser as well:

:params {
  jwt: {
   adminStores: ["www.acme.com"]
  },
  jwtDefault: {}
}

This will execute: return "www.acme.com" in coalesce($jwt.adminStores, [])
This will throw error: return "www.acme.com" in coalesce($jwt.adminStores, $jwtDefault)

Do you have any recommendation how to handle this?

Great work btw, I really love the improvements I see so far around the new authorization directive!

Complexity

Complexity: Medium

[changeset-bot]

🦋 Changeset detected

Latest commit: 077edd2

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
@neo4j/graphql	Patch
@neo4j/graphql-toolbox	Patch
@neo4j/graphql-ogm	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[neo4j-team-graphql]

Thanks for the Neo4j GraphQL Toolbox updates.

The Neo4j GraphQL Toolbox has now been torn down - reopening this PR will republish it.

[neo4j-team-graphql]

Performance Report

No Performance Changes

Show Full Table

name	dbHits	old dbHits	time (ms)	old time (ms)	maxRows
aggregations.TopLevelAggregate	3403	3403	36	56	1134
aggregations.NestedAggregation	16553	16553	79	108	2174
aggregations.AggregationWithWhere	11979	11979	61	77	2174
aggregations.AggregationWhereWithinNestedRelationships	22116987	22116987	3644	3563	2008534
aggregations.AggregationWhereWithinNestedConnections	22116987	22116987	3172	3180	2008534
aggregations.NestedCountFromMovieToActors	9734	9734	48	52	2174
aggregations.NestedCountFromActorsToMovie	9937	9937	49	70	2174
aggregations.DeeplyNestedCount	13070333	13070331	4937	4909	2008534
batch-create.BatchCreate	4200	4200	229	196	600
batch-create.BatchCreateSmall	77	77	74	114	11
connect.createAndConnect	14424	14424	226	234	3003
connections.Connection	14082	14082	71	94	2174
connections.NestedConnection	45466	45472	130	131	4516
connections.ConnectionWithSort	3284	3284	86	85	1040
connections.ConnectionWithSortAndCypher	3284	3284	210	356	1040
create.SimpleMutation	7	7	64	70	1
cypher-directive.TopLevelCypherDirective	122100	122100	638	691	12241
cypher-directive.TopLevelCypherDirectiveWithColumnName	153617	153617	206	209	12241
delete.SimpleDelete	19401	19401	241	420	1040
delete.NestedDeleteInUpdate	23202	23202	169	221	2040
2925.SingleRelationshipFilter	6468	6468	60	75	1040
2925.NestedSingleRelationshipFilter	22900	22900	126	146	2174
2925.SingleRelationshipRequiredFilter	5201	5201	47	55	1040
2925.NestedSingleRelationshipRequiredFilter	9361	9361	73	70	1040
query.SimpleQuery	3121	3121	24	43	1040
query.SimpleQueryWithRelationship	16162	16162	48	55	2174
query.QueryWhere	9704	9715	41	52	2164
query.SimpleQueryWithNestedWhere	9882	9893	59	65	2164
query.Nested	10096041	10096041	10935	11246	2008534
query.NestedWithFilter	10074401	10074401	10648	10927	2004000
query.OrFilterOnRelationships	42365	42144	192	277	1533
query.OrFilterOnRelationshipsAndNested	35572	35783	259	328	1533
query.QueryWithNestedIn	13255	13773	87	69	1169
query.NestedConnectionWhere	9834	9834	67	73	2174
query.DeeplyNestedConnectionWhere	9949	9839	124	139	2174
query.DeeplyNestedWithRelationshipFilters	19182	19068	145	181	1608
query.NestedWithRelationshipSingleFilters	3881	3881	213	242	1134
query.Fulltext	80	80	38	42	16
query.FulltextWithNestedQuery	587	587	56	63	84
sorting.SortMultipleTypes	3515	3515	79	82	1040
sorting.SortMultipleTypesWithCypherWithCypher	1502	1483	197	314	1040
sorting.SortOnNestedFields	14082	14082	56	81	2174
sorting.SortDeeplyNestedFields	43198	43198	102	113	4516
sorting.SortWithTopLevelCypher	3121	3121	129	238	1040
unions.SimpleUnionQuery	321	321	115	89	35
unions.SimpleUnionQueryWithMissingFields	293	293	70	92	35
unions.NestedUnion	410637	410637	360	331	33033
unions.NestedUnionWithMissingFields	384611	384611	350	431	33033
update.NestedUpdate	16143	16143	119	154	2002

Old Schema Generation: 48.425s
Schema Generation: 50.044s
Old Subgraph Schema Generation: 58.739s
Subgraph Schema Generation: 1:03.243 (m:ss.mmm)

[a-alle]

Looks good