Add after auth in connect operations

Author: angrykoala

packages/graphql/src/translate/queryAST/ast/operations/ConnectOperation.ts

@@ -188,13 +188,6 @@ export class ConnectOperation extends MutationOperation {
         });
 
         const authClausesBefore = this.getAuthorizationClauses(nestedContext);
-        const sourceAuthClausesBefore = this.getSourceAuthorizationClausesBefore(context);
-        const bothAuthClausesBefore: Cypher.Clause[] = [];
-        if (authClausesBefore.length === 0 && sourceAuthClausesBefore.length > 0) {
-            bothAuthClausesBefore.push(new Cypher.With("*"), ...sourceAuthClausesBefore);
-        } else {
-            bothAuthClausesBefore.push(Cypher.utils.concat(...authClausesBefore, ...sourceAuthClausesBefore));
-        }
 
         const authClausesAfter = this.getAuthorizationClausesAfter(nestedContext);
         const sourceAuthClausesAfter = this.getSourceAuthorizationClausesAfter(context);
@@ -205,11 +198,8 @@ export class ConnectOperation extends MutationOperation {
         }
 
         const clauses = Cypher.utils.concat(
-            // required in: packages/graphql/tests/integration/directives/authorization/roles.int.test.ts
-            // without when: AFTER adjustment failing in: packages/graphql/tests/integration/issues/3929.int.test.ts
-
             matchClause,
-            ...bothAuthClausesBefore, // THESE ARE "BEFORE" AUTH
+            ...authClausesBefore,
             ...mutationSubqueries,
             connectClause,
             ...authClauses
@@ -269,21 +259,6 @@ export class ConnectOperation extends MutationOperation {
         return [];
     }
 
-    private getSourceAuthorizationClausesBefore(context: QueryASTContext): Cypher.Clause[] {
-        const validationsAfter: Cypher.VoidProcedure[] = [];
-        for (const authFilter of this.sourceAuthFilters) {
-            const validationAfter = authFilter.getValidation(context, "BEFORE");
-            if (validationAfter) {
-                validationsAfter.push(validationAfter);
-            }
-        }
-
-        if (validationsAfter.length > 0) {
-            return [new Cypher.With("*"), ...validationsAfter];
-        }
-        return [];
-    }
-
     private transpileAuthClauses(context: QueryASTContext): {
         selections: (Cypher.With | Cypher.Match)[];
         subqueries: Cypher.Clause[];

packages/graphql/src/translate/queryAST/factory/Operations/ConnectFactory.ts

@@ -34,9 +34,9 @@ import { NodeSelectionPattern } from "../../ast/selection/SelectionPattern/NodeS
 import type { CallbackBucket } from "../../utils/callback-bucket";
 import { isConcreteEntity } from "../../utils/is-concrete-entity";
 import { isInterfaceEntity } from "../../utils/is-interface-entity";
+import { isUnionEntity } from "../../utils/is-union-entity";
 import { raiseAttributeAmbiguity } from "../../utils/raise-attribute-ambiguity";
 import type { QueryASTFactory } from "../QueryASTFactory";
-import { isUnionEntity } from "../../utils/is-union-entity";
 
 export class ConnectFactory {
     private queryASTFactory: QueryASTFactory;
@@ -142,14 +142,13 @@ export class ConnectFactory {
             context,
             operation: connect,
         });
-        // this wasn't in the original code - but should it be?
-        // if (isConcreteEntity(relationship.source)) {
-        //     this.addSourceEntityAuthorization({
-        //         entity: relationship.source,
-        //         context,
-        //         operation: connect,
-        //     });
-        // }
+        if (isConcreteEntity(relationship.source)) {
+            this.addSourceEntityAuthorization({
+                entity: relationship.source,
+                context,
+                operation: connect,
+            });
+        }
 
         asArray(input).forEach((inputItem) => {
             const { whereArg, connectArg } = this.parseConnectArgs(inputItem);

packages/graphql/tests/integration/directives/authorization/bind.int.test.ts

@@ -636,6 +636,7 @@ describe("auth/bind", () => {
 
             await testHelper.executeCypher(`
                     CREATE (:${Post} {id: "${postId}"})
+                    CREATE (:${User} {id: "not bound"})
                 `);
 
             const token = createBearerToken(secret, { sub: userId });