Add authentication to GraphQL controller

cjoudrey · cjoudrey · commit 1383f3a71624 · 2017-02-12T22:21:30.000-05:00
diff --git a/app/controllers/graphql_controller.rb b/app/controllers/graphql_controller.rb
@@ -1,13 +1,32 @@
 class GraphqlController < ApplicationController
+  before_action :authenticate
+
   def execute
     query_string = params[:query].to_s
     variables = ensure_hash(params[:variables])
-    result = ::Graph::Schema.execute(query_string, variables: variables)
+    context = {
+      user: @user
+    }
+
+    result = Graph::Schema.execute(query_string, variables: variables, context: context)
     render json: result
   end
 
   private
 
+  def authenticate
+    @user = authenticate_with_http_basic { |username, password|
+      user = User.where(username: username).first
+
+      return render plain: 'Invalid username', status: :unauthorized unless user
+      return render plain: 'Invalid password', status: :authorized unless user.authenticate(password)
+
+      user
+    }
+
+    @user ||= GuestUser.new
+  end
+
   def ensure_hash(variables)
     if variables.blank?
       {}
diff --git a/app/models/graph/types/query.rb b/app/models/graph/types/query.rb
@@ -46,6 +46,17 @@ module Types
         }
       end
 
+      field :viewer, Graph::Types::User, 'The currently authenticated user (if any)' do
+        resolve ->(_, _, ctx) {
+          case ctx[:user]
+          when ::User
+            ctx[:user]
+          else
+            nil
+          end
+        }
+      end
+
       # Relay
       field :node, GraphQL::Relay::Node.field
       field :nodes, GraphQL::Relay::Node.plural_field
diff --git a/app/models/graph/types/user.rb b/app/models/graph/types/user.rb
@@ -0,0 +1,13 @@
+module Graph
+  module Types
+    User = GraphQL::ObjectType.define do
+      name "User"
+      description "A user that can rate films."
+
+      field :name, !types.String
+      field :username, !types.String
+      field :createdAt, !types.String, "The ISO 8601 date format of the time that this resource was created."
+      field :updatedAt, !types.String, "The ISO 8601 date format of the time that this resource was updated."
+    end
+  end
+end
diff --git a/app/models/guest_user.rb b/app/models/guest_user.rb
@@ -0,0 +1,2 @@
+class GuestUser
+end
diff --git a/test/controllers/graphql_controller_test.rb b/test/controllers/graphql_controller_test.rb
@@ -109,6 +109,50 @@ class GraphQLControllerTest < ActionDispatch::IntegrationTest
     assert_equal expected, JSON.parse(response.body)
   end
 
+  test "#execute allows authentication via basic auth" do
+    query = """
+    {
+      viewer {
+        username
+      }
+    }
+"""
+
+    expected = {
+      "data" => {
+        "viewer" => {
+          "username" => "xuorig"
+        }
+      }
+    }
+
+    post graphql_url, params: { query: query }, headers: {
+      "Authorization" => ActionController::HttpAuthentication::Basic.encode_credentials("xuorig", "averysecurepassword"),
+    }
+
+    assert_equal expected, JSON.parse(response.body)
+  end
+
+  test "#execute authentication is not required" do
+    query = """
+    {
+      viewer {
+        username
+      }
+    }
+"""
+
+    expected = {
+      "data" => {
+        "viewer" => nil
+      }
+    }
+
+    post graphql_url, params: { query: query }
+
+    assert_equal expected, JSON.parse(response.body)
+  end
+
   private
 
   def full_graphql_query
