fix(aggregate-relations.resolver): use relation's authorizer to resolve auth filter

Author: jtomaszewski

packages/query-graphql/src/resolvers/relations/aggregate-relations.resolver.ts

@@ -1,10 +1,10 @@
-import { ExecutionContext } from '@nestjs/common'
+import { ExecutionContext, Inject, Optional } from '@nestjs/common'
 import { Args, ArgsType, Context, Parent, Resolver } from '@nestjs/graphql'
-import { AggregateQuery, AggregateResponse, Class, Filter, mergeFilter, QueryService } from '@ptc-org/nestjs-query-core'
+import { AggregateQuery, AggregateResponse, Class, mergeFilter, QueryService } from '@ptc-org/nestjs-query-core'
 
-import { OperationGroup } from '../../auth'
+import { Authorizer, getAuthorizerToken, OperationGroup } from '../../auth'
 import { getDTONames } from '../../common'
-import { AggregateQueryParam, RelationAuthorizerFilter, ResolverField } from '../../decorators'
+import { AggregateQueryParam, ResolverField } from '../../decorators'
 import { InjectDataLoaderConfig } from '../../decorators/inject-dataloader-config.decorator'
 import { AuthorizerInterceptor } from '../../interceptors'
 import { AggregateRelationsLoader, DataLoaderFactory } from '../../loader'
@@ -39,6 +39,8 @@ const AggregateRelationMixin =
     const relationName = relation.relationName ?? baseNameLower
     const aggregateRelationLoaderName = `aggregate${baseName}For${dtoName}`
     const aggregateLoader = new AggregateRelationsLoader<DTO, Relation>(relationDTO, relationName)
+    const authorizerKey = Symbol(`authorizerFor${DTOClass.name}`)
+    const relationAuthorizerKey = Symbol(`authorizerFor${relation.dtoName}`)
 
     @ArgsType()
     class RelationQA extends AggregateArgsType(relationDTO) {}
@@ -47,6 +49,10 @@ const AggregateRelationMixin =
 
     @Resolver(() => DTOClass, { isAbstract: true })
     class AggregateMixin extends Base {
+      @Optional() @Inject(getAuthorizerToken(DTOClass)) [authorizerKey]?: Authorizer<Relation>;
+
+      @Optional() @Inject(getAuthorizerToken(relationDTO)) [relationAuthorizerKey]?: Authorizer<Relation>
+
       @ResolverField(
         `${baseNameLower}Aggregate`,
         () => [AR],
@@ -63,11 +69,6 @@ const AggregateRelationMixin =
         @Args() q: RelationQA,
         @AggregateQueryParam() aggregateQuery: AggregateQuery<Relation>,
         @Context() context: ExecutionContext,
-        @RelationAuthorizerFilter(baseNameLower, {
-          operationGroup: OperationGroup.AGGREGATE,
-          many: true
-        })
-        relationFilter?: Filter<Relation>,
         @InjectDataLoaderConfig()
         dataLoaderConfig?: DataLoaderOptions
       ): Promise<AggregateResponse<Relation>> {
@@ -78,10 +79,20 @@ const AggregateRelationMixin =
           () => aggregateLoader.createLoader(this.service),
           dataLoaderConfig
         )
+        const authContext = {
+          operationName: baseNameLower,
+          operationGroup: OperationGroup.AGGREGATE,
+          readonly: true,
+          many: true
+        }
+        const authFilter = relation.auth
+          ? await relation.auth?.authorize(context, authContext)
+          : ((await this[authorizerKey]?.authorizeRelation(baseNameLower, context, authContext)) ??
+            (await this[relationAuthorizerKey]?.authorize(context, authContext)))
 
         return loader.load({
           dto,
-          filter: mergeFilter(qa.filter ?? {}, relationFilter ?? {}),
+          filter: mergeFilter(qa.filter ?? {}, authFilter ?? {}),
           aggregate: aggregateQuery
         })
       }