Description
Describe the bug
When applying the @guard directive to a Mutation type or extend type, and one of the contained selected fields implements a @can directive, the @guard is ignored and the @can is taken care of first. This happens with the AttemptAuthenticate middleware enabled and the user not authenticated.
Expected behavior/Solution
I would expect that if I wrap a series of mutations using @guard as stated in the documentation at https://lighthouse-php.com/5.2/security/authentication.html#guard-selected-fields and attempt to execute any of the mutations within while unauthenticated, the @guard will return "Unauthenticated".
If I apply the @guard to the actual mutation and not on the mutation type or extend type, it works. The only problem is now you have to apply the @guard to each mutation and not group mutations to require authentication.
Currently the desired approach, as follows, returns a "This action is unauthorized." error, which is not expected:
type Mutation @guard {
myMutation(title: String!): MyModel @can(ability: "update", find: "id")
}
However, if I add the @guard to the actual mutation (undesired) and before (it has to be before) the @can, it returns the correct response of "Unauthenticated". If you put the @guard after the @can, you will also get the undesired "This action is unauthorized." message.
type Mutation {
myMutation(title: String!): MyModel @guard @can(ability: "update", find: "id")
}
Lighthouse Version
5.2