Add Validating Directives (#583)

Adding support for directives which are evaluated prior to executing
any resolvers. This allows validation to be performed on the request
and prevent it from executing any significant work by rejecting the
request early.

The most obvious case for this is authorization: based on the requested
fields, we can tell whether the request is valid given the current
user, and reject the entire request. If that were applied at resolution
time, the request would have partially resolved, only to return errors
for the specific fields which are not authorized.

Author: dackroyd

directives/visitor.go

@@ -23,3 +23,8 @@ type Resolver interface {
 type ResolverInterceptor interface {
 	Resolve(ctx context.Context, args interface{}, next Resolver) (output interface{}, err error)
 }
+
+// Validator directive which executes before anything is resolved, allowing the request to be rejected.
+type Validator interface {
+	Validate(ctx context.Context, args interface{}) error
+}

example/directives/authorization/README.md

@@ -80,16 +80,16 @@ $ curl 'http://localhost:8080/query' \
        return "hasRole"
    }
 
-    func (h *HasRoleDirective) Resolve(ctx context.Context, args interface{}, next directives.Resolver) (output interface{}, err error) {
+    func (h *HasRoleDirective) Validate(ctx context.Context, _ interface{}) error {
         u, ok := user.FromContext(ctx)
         if !ok {
-            return nil, fmt.Errorf("user not provided in context")
+            return fmt.Errorf("user not provided in context")
         }
         role := strings.ToLower(h.Role)
         if !u.HasRole(role) {
-            return nil, fmt.Errorf("access denied, %q role required", role)
+            return fmt.Errorf("access denied, %q role required", role)
         }
-        return next.Resolve(ctx, args)
+        return nil
     }
     ```
 

example/directives/authorization/authorization.go

@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/graph-gophers/graphql-go/directives"
 	"github.com/graph-gophers/graphql-go/example/directives/authorization/user"
 )
 
@@ -36,17 +35,17 @@ func (h *HasRoleDirective) ImplementsDirective() string {
 	return "hasRole"
 }
 
-func (h *HasRoleDirective) Resolve(ctx context.Context, args interface{}, next directives.Resolver) (output interface{}, err error) {
+func (h *HasRoleDirective) Validate(ctx context.Context, _ interface{}) error {
 	u, ok := user.FromContext(ctx)
 	if !ok {
-		return nil, fmt.Errorf("user not provided in cotext")
+		return fmt.Errorf("user not provided in cotext")
 	}
 	role := strings.ToLower(h.Role)
 	if !u.HasRole(role) {
-		return nil, fmt.Errorf("access denied, %q role required", role)
+		return fmt.Errorf("access denied, %q role required", role)
 	}
 
-	return next.Resolve(ctx, args)
+	return nil
 }
 
 type Resolver struct{}

example_directives_test.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"strings"
 
 	"github.com/graph-gophers/graphql-go"
 	"github.com/graph-gophers/graphql-go/directives"
@@ -22,11 +23,31 @@ func (h *HasRoleDirective) ImplementsDirective() string {
 	return "hasRole"
 }
 
-func (h *HasRoleDirective) Resolve(ctx context.Context, in interface{}, next directives.Resolver) (interface{}, error) {
+func (h *HasRoleDirective) Validate(ctx context.Context, _ interface{}) error {
 	if ctx.Value(RoleKey) != h.Role {
-		return nil, fmt.Errorf("access deinied, role %q required", h.Role)
+		return fmt.Errorf("access denied, role %q required", h.Role)
 	}
-	return next.Resolve(ctx, in)
+	return nil
+}
+
+type UpperDirective struct{}
+
+func (d *UpperDirective) ImplementsDirective() string {
+	return "upper"
+}
+
+func (d *UpperDirective) Resolve(ctx context.Context, args interface{}, next directives.Resolver) (interface{}, error) {
+	out, err := next.Resolve(ctx, args)
+	if err != nil {
+		return out, err
+	}
+
+	s, ok := out.(string)
+	if !ok {
+		return out, nil
+	}
+
+	return strings.ToUpper(s), nil
 }
 
 type authResolver struct{}
@@ -43,13 +64,14 @@ func ExampleDirectives() {
 		}
 
 		directive @hasRole(role: String!) on FIELD_DEFINITION
+		directive @upper on FIELD_DEFINITION
 
 		type Query {
-			greet(name: String!): String! @hasRole(role: "admin")
+			greet(name: String!): String! @hasRole(role: "admin") @upper
 		}
 	`
 	opts := []graphql.SchemaOpt{
-		graphql.Directives(&HasRoleDirective{}),
+		graphql.Directives(&HasRoleDirective{}, &UpperDirective{}),
 		// other options go here
 	}
 	schema := graphql.MustParseSchema(s, &authResolver{}, opts...)
@@ -86,7 +108,13 @@ func ExampleDirectives() {
 	// {
 	//   "errors": [
 	//     {
-	//       "message": "access deinied, role \"admin\" required",
+	//       "message": "access denied, role \"admin\" required",
+	//       "locations": [
+	//         {
+	//           "line": 10,
+	//           "column": 4
+	//         }
+	//       ],
 	//       "path": [
 	//         "greet"
 	//       ]
@@ -97,7 +125,7 @@ func ExampleDirectives() {
 	// Admin user result:
 	// {
 	//   "data": {
-	//     "greet": "Hello, GraphQL!"
+	//     "greet": "HELLO, GRAPHQL!"
 	//   }
 	// }
 }

graphql_test.go

@@ -5,13 +5,15 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"strings"
 	"sync"
 	"testing"
 	"time"
 
 	"github.com/graph-gophers/graphql-go"
 	"github.com/graph-gophers/graphql-go/directives"
 	gqlerrors "github.com/graph-gophers/graphql-go/errors"
+	"github.com/graph-gophers/graphql-go/example/social"
 	"github.com/graph-gophers/graphql-go/example/starwars"
 	"github.com/graph-gophers/graphql-go/gqltesting"
 	"github.com/graph-gophers/graphql-go/introspection"
@@ -477,6 +479,205 @@ func TestCustomDirective(t *testing.T) {
 	})
 }
 
+func TestCustomValidatingDirective(t *testing.T) {
+	t.Parallel()
+
+	gqltesting.RunTests(t, []*gqltesting.Test{
+		{
+			Schema: graphql.MustParseSchema(`
+				directive @hasRole(role: String!) on FIELD_DEFINITION
+		
+				schema {
+					query: Query
+				}
+		
+				type Query {
+					hello: String! @hasRole(role: "ADMIN")
+				}`,
+				&helloResolver{},
+				graphql.Directives(&HasRoleDirective{}),
+			),
+			Context: context.WithValue(context.Background(), RoleKey, "USER"),
+			Query: `
+				{
+					hello
+				}
+			`,
+			ExpectedResult: "null",
+			ExpectedErrors: []*gqlerrors.QueryError{
+				{Message: `access denied, role "ADMIN" required`, Locations: []gqlerrors.Location{{Line: 9, Column: 6}}, Path: []interface{}{"hello"}},
+			},
+		},
+		{
+			Schema: graphql.MustParseSchema(`
+				directive @hasRole(role: String!) on FIELD_DEFINITION
+		
+				schema {
+					query: Query
+				}
+		
+				type Query {
+					hello: String! @hasRole(role: "ADMIN")
+				}`,
+				&helloResolver{},
+				graphql.Directives(&HasRoleDirective{}),
+			),
+			Context: context.WithValue(context.Background(), RoleKey, "ADMIN"),
+			Query: `
+				{
+					hello
+				}
+			`,
+			ExpectedResult: `
+				{
+					"hello": "Hello world!"
+				}
+			`,
+		},
+		{
+			Schema: graphql.MustParseSchema(
+				`directive @hasRole(role: String!) on FIELD_DEFINITION
+
+				`+strings.ReplaceAll(
+					social.Schema,
+					"role: Role!",
+					`role: Role! @hasRole(role: "ADMIN")`,
+				),
+				&social.Resolver{},
+				graphql.Directives(&HasRoleDirective{}),
+				graphql.UseFieldResolvers(),
+			),
+			Context: context.WithValue(context.Background(), RoleKey, "ADMIN"),
+			Query: `
+				query {
+					user(id: "0x01") {
+						role
+						... on User {
+							email
+						}
+						... on Person {
+							name
+						}
+					}
+				}
+			`,
+			ExpectedResult: `
+				{
+					"user": {
+						"role": "ADMIN",
+						"email": "Albus@hogwarts.com",
+						"name": "Albus Dumbledore"
+					}
+				}
+			`,
+		},
+		{
+			Schema: graphql.MustParseSchema(
+				`directive @hasRole(role: String!) on FIELD_DEFINITION
+
+				`+strings.ReplaceAll(
+					starwars.Schema,
+					"hero(episode: Episode = NEWHOPE): Character",
+					`hero(episode: Episode = NEWHOPE): Character @hasRole(role: "REBELLION")`,
+				),
+				&starwars.Resolver{},
+				graphql.Directives(&HasRoleDirective{}),
+			),
+			Context: context.WithValue(context.Background(), RoleKey, "EMPIRE"),
+			Query: `
+				query HeroesOfTheRebellion($episode: Episode!) {
+					hero(episode: $episode) {
+						id name
+						... on Human { starships { id name } }
+						... on Droid { primaryFunction }
+					}
+				}
+			`,
+			Variables:      map[string]interface{}{"episode": "NEWHOPE"},
+			ExpectedResult: "null",
+			ExpectedErrors: []*gqlerrors.QueryError{
+				{Message: `access denied, role "REBELLION" required`, Locations: []gqlerrors.Location{{Line: 10, Column: 3}}, Path: []interface{}{"hero"}},
+			},
+		},
+		{
+			Schema: graphql.MustParseSchema(
+				`directive @hasRole(role: String!) on FIELD_DEFINITION
+
+				`+strings.ReplaceAll(
+					starwars.Schema,
+					"starships: [Starship]",
+					`starships: [Starship] @hasRole(role: "REBELLION")`,
+				),
+				&starwars.Resolver{},
+				graphql.Directives(&HasRoleDirective{}),
+			),
+			Context: context.WithValue(context.Background(), RoleKey, "EMPIRE"),
+			Query: `
+				query HeroesOfTheRebellion($episode: Episode!) {
+					hero(episode: $episode) {
+						id name
+						... on Human { starships { id name } }
+						... on Droid { primaryFunction }
+					}
+				}
+			`,
+			Variables:      map[string]interface{}{"episode": "NEWHOPE"},
+			ExpectedResult: "null",
+			ExpectedErrors: []*gqlerrors.QueryError{
+				{Message: `access denied, role "REBELLION" required`, Locations: []gqlerrors.Location{{Line: 68, Column: 3}}, Path: []interface{}{"hero", "starships"}},
+			},
+		},
+		{
+			Schema: graphql.MustParseSchema(
+				`directive @restrictImperialUnits on FIELD_DEFINITION
+
+				`+strings.ReplaceAll(
+					starwars.Schema,
+					"height(unit: LengthUnit = METER): Float!",
+					`height(unit: LengthUnit = METER): Float! @restrictImperialUnits`,
+				),
+				&starwars.Resolver{},
+				graphql.Directives(&restrictImperialUnitsDirective{}),
+			),
+			Context: context.WithValue(context.Background(), RoleKey, "REBELLION"),
+			Query: `
+				query HeroesOfTheRebellion($episode: Episode!) {
+					hero(episode: $episode) {
+						id name
+						... on Human { height(unit: FOOT) }
+					}
+				}
+			`,
+			Variables:      map[string]interface{}{"episode": "NEWHOPE"},
+			ExpectedResult: "null",
+			ExpectedErrors: []*gqlerrors.QueryError{
+				{Message: `rebels cannot request imperial units`, Locations: []gqlerrors.Location{{Line: 58, Column: 3}}, Path: []interface{}{"hero", "height"}},
+			},
+		},
+	})
+}
+
+type restrictImperialUnitsDirective struct{}
+
+func (d *restrictImperialUnitsDirective) ImplementsDirective() string {
+	return "restrictImperialUnits"
+}
+
+func (d *restrictImperialUnitsDirective) Validate(ctx context.Context, args interface{}) error {
+	if ctx.Value(RoleKey) == "EMPIRE" {
+		return nil
+	}
+
+	v, ok := args.(struct {
+		Unit string
+	})
+	if ok && v.Unit == "FOOT" {
+		return fmt.Errorf("rebels cannot request imperial units")
+	}
+
+	return nil
+}
+
 func TestCustomDirectiveStructFieldResolver(t *testing.T) {
 	t.Parallel()
 

internal/exec/exec.go

@@ -54,6 +54,13 @@ func (r *Request) Execute(ctx context.Context, s *resolvable.Schema, op *ast.Ope
 		default:
 			panic("unknown query operation")
 		}
+
+		if errs := validateSelections(ctx, sels, nil, s); errs != nil {
+			r.Errs = errs
+			out.Write([]byte("null"))
+			return
+		}
+
 		r.execSelections(ctx, sels, nil, s, resolver, &out, op.Type == query.Mutation)
 	}()
 
@@ -64,6 +71,11 @@ func (r *Request) Execute(ctx context.Context, s *resolvable.Schema, op *ast.Ope
 	return out.Bytes(), r.Errs
 }
 
+type fieldToValidate struct {
+	field *selected.SchemaField
+	sels  []selected.Selection
+}
+
 type fieldToExec struct {
 	field    *selected.SchemaField
 	sels     []selected.Selection