graphql-dotnet
diff --git a/‎samples/Samples.Server/CustomErrorInfoProvider.cs
Lines changed: 9 additions & 4 deletions b/‎samples/Samples.Server/CustomErrorInfoProvider.cs
Lines changed: 9 additions & 4 deletions
diff --git a/‎samples/Samples.Server/Startup.cs
Lines changed: 2 additions & 0 deletions b/‎samples/Samples.Server/Startup.cs
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/Authorization.AspNetCore/AuthorizationError.cs
Lines changed: 5 additions & 113 deletions b/‎src/Authorization.AspNetCore/AuthorizationError.cs
Lines changed: 5 additions & 113 deletions
diff --git a/‎src/Authorization.AspNetCore/AuthorizationValidationRule.cs
Lines changed: 18 additions & 9 deletions b/‎src/Authorization.AspNetCore/AuthorizationValidationRule.cs
Lines changed: 18 additions & 9 deletions
diff --git a/‎src/Authorization.AspNetCore/DefaultAuthorizationErrorMessageBuilder.cs
Lines changed: 114 additions & 0 deletions b/‎src/Authorization.AspNetCore/DefaultAuthorizationErrorMessageBuilder.cs
Lines changed: 114 additions & 0 deletions
@@ -13,8 +13,13 @@ namespace GraphQL.Samples.Server
     /// </summary>
     public class CustomErrorInfoProvider : DefaultErrorInfoProvider
     {
-        public CustomErrorInfoProvider(IOptions<ErrorInfoProviderOptions> options) : base(options)
-        { }
+        private readonly IAuthorizationErrorMessageBuilder _messageBuilder;
+
+        public CustomErrorInfoProvider(IOptions<ErrorInfoProviderOptions> options, IAuthorizationErrorMessageBuilder messageBuilder)
+            : base(options)
+        {
+            _messageBuilder = messageBuilder;
+        }
 
         public override ErrorInfo GetInfo(ExecutionError executionError)
         {
@@ -30,7 +35,7 @@ public override ErrorInfo GetInfo(ExecutionError executionError)
         private string GetAuthorizationErrorMessage(AuthorizationError error)
         {
             var errorMessage = new StringBuilder();
-            AuthorizationError.AppendFailureHeader(errorMessage, error.OperationType);
+            _messageBuilder.AppendFailureHeader(errorMessage, error.OperationType);
 
             foreach (var failedRequirement in error.AuthorizationResult.Failure.FailedRequirements)
             {
@@ -43,7 +48,7 @@ private string GetAuthorizationErrorMessage(AuthorizationError error)
                         errorMessage.Append(" years old.");
                         break;
                     default:
-                        AuthorizationError.AppendFailureLine(errorMessage, failedRequirement);
+                        _messageBuilder.AppendFailureLine(errorMessage, failedRequirement);
                         break;
                 }
             }
 
@@ -4,6 +4,7 @@
 using System.Threading.Tasks;
 using GraphQL.Samples.Schemas.Chat;
 using GraphQL.Server;
+using GraphQL.Server.Authorization.AspNetCore;
 using GraphQL.Server.Ui.Altair;
 using GraphQL.Server.Ui.GraphiQL;
 using GraphQL.Server.Ui.Playground;
@@ -33,6 +34,7 @@ public Startup(IConfiguration configuration, IWebHostEnvironment environment)
         public void ConfigureServices(IServiceCollection services)
         {
             services.AddSingleton<IChat, Chat>();
+            services.AddTransient<IAuthorizationErrorMessageBuilder, DefaultAuthorizationErrorMessageBuilder>(); // required by CustomErrorInfoProvider
 
             MicrosoftDI.GraphQLBuilderExtensions.AddGraphQL(services)
                 .AddServer(true)
 
@@ -1,10 +1,9 @@
+#nullable enable
+
 using System;
-using System.Linq;
-using System.Text;
 using GraphQL.Language.AST;
 using GraphQL.Validation;
 using Microsoft.AspNetCore.Authorization;
-using Microsoft.AspNetCore.Authorization.Infrastructure;
 
 namespace GraphQL.Server.Authorization.AspNetCore
 {
@@ -13,23 +12,15 @@ namespace GraphQL.Server.Authorization.AspNetCore
     /// </summary>
     public class AuthorizationError : ValidationError
     {
-        /// <summary>
-        /// Initializes a new instance of the <see cref="AuthorizationError"/> class for a specified authorization result.
-        /// </summary>
-        public AuthorizationError(INode node, ValidationContext context, OperationType? operationType, AuthorizationResult result)
-            : this(node, context, GenerateMessage(operationType, result), result)
-        {
-            OperationType = operationType;
-        }
-
         /// <summary>
         /// Initializes a new instance of the <see cref="AuthorizationError"/> class for a specified authorization result with a specific error message.
         /// </summary>
-        public AuthorizationError(INode node, ValidationContext context, string message, AuthorizationResult result)
-            : base(context.Document.OriginalQuery, "6.1.1", message, node == null ? Array.Empty<INode>() : new INode[] { node })
+        public AuthorizationError(INode? node, ValidationContext context, string message, AuthorizationResult result, OperationType? operationType = null)
+            : base(context.Document.OriginalQuery!, "6.1.1", message, node == null ? Array.Empty<INode>() : new INode[] { node })
         {
             Code = "authorization";
             AuthorizationResult = result;
+            OperationType = operationType;
         }
 
         /// <summary>
@@ -42,105 +33,6 @@ public AuthorizationError(INode node, ValidationContext context, string message,
         /// </summary>
         public OperationType? OperationType { get; }
 
-        private static string GenerateMessage(OperationType? operationType, AuthorizationResult result)
-        {
-            var error = new StringBuilder();
-            AppendFailureHeader(error, operationType);
-
-            foreach (var failure in result.Failure.FailedRequirements)
-            {
-                AppendFailureLine(error, failure);
-            }
-
-            return error.ToString();
-        }
-
-        private static string GetOperationType(OperationType? operationType)
-        {
-            return operationType switch
-            {
-                Language.AST.OperationType.Query => "query",
-                Language.AST.OperationType.Mutation => "mutation",
-                Language.AST.OperationType.Subscription => "subscription",
-                _ => "operation",
-            };
-        }
-
-        /// <summary>
-        /// Appends the error message header for this <see cref="AuthorizationError"/> to the provided <see cref="StringBuilder"/>.
-        /// </summary>
-        /// <param name="error">The error message <see cref="StringBuilder"/>.</param>
-        /// <param name="operationType">The GraphQL operation type.</param>
-        public static void AppendFailureHeader(StringBuilder error, OperationType? operationType)
-        {
-            error.Append("You are not authorized to run this ")
-                .Append(GetOperationType(operationType))
-                .Append('.');
-        }
 
-        /// <summary>
-        /// Appends a description of the failed <paramref name="authorizationRequirement"/> to the supplied <see cref="StringBuilder"/>.
-        /// </summary>
-        /// <param name="error">The <see cref="StringBuilder"/> which is used to compose the error message.</param>
-        /// <param name="authorizationRequirement">The failed <see cref="IAuthorizationRequirement"/>.</param>
-        public static void AppendFailureLine(StringBuilder error, IAuthorizationRequirement authorizationRequirement)
-        {
-            error.AppendLine();
-
-            switch (authorizationRequirement)
-            {
-                case ClaimsAuthorizationRequirement claimsAuthorizationRequirement:
-                    error.Append("Required claim '");
-                    error.Append(claimsAuthorizationRequirement.ClaimType);
-                    if (claimsAuthorizationRequirement.AllowedValues == null || !claimsAuthorizationRequirement.AllowedValues.Any())
-                    {
-                        error.Append("' is not present.");
-                    }
-                    else
-                    {
-                        error.Append("' with any value of '");
-                        error.Append(string.Join(", ", claimsAuthorizationRequirement.AllowedValues));
-                        error.Append("' is not present.");
-                    }
-                    break;
-
-                case DenyAnonymousAuthorizationRequirement _:
-                    error.Append("The current user must be authenticated.");
-                    break;
-
-                case NameAuthorizationRequirement nameAuthorizationRequirement:
-                    error.Append("The current user name must match the name '");
-                    error.Append(nameAuthorizationRequirement.RequiredName);
-                    error.Append("'.");
-                    break;
-
-                case OperationAuthorizationRequirement operationAuthorizationRequirement:
-                    error.Append("Required operation '");
-                    error.Append(operationAuthorizationRequirement.Name);
-                    error.Append("' was not present.");
-                    break;
-
-                case RolesAuthorizationRequirement rolesAuthorizationRequirement:
-                    if (rolesAuthorizationRequirement.AllowedRoles == null || !rolesAuthorizationRequirement.AllowedRoles.Any())
-                    {
-                        // This should never happen.
-                        error.Append("Required roles are not present.");
-                    }
-                    else
-                    {
-                        error.Append("Required roles '");
-                        error.Append(string.Join(", ", rolesAuthorizationRequirement.AllowedRoles));
-                        error.Append("' are not present.");
-                    }
-                    break;
-
-                case AssertionRequirement _:
-                default:
-                    error.Append("Requirement '");
-                    error.Append(authorizationRequirement.GetType().Name);
-                    error.Append("' was not satisfied.");
-                    break;
-            }
-        }
     }
 }
@@ -1,3 +1,5 @@
+#nullable enable
+
 using System.Collections.Generic;
 using System.Linq;
 using System.Security.Claims;
@@ -17,19 +19,25 @@ public class AuthorizationValidationRule : IValidationRule
     {
         private readonly IAuthorizationService _authorizationService;
         private readonly IClaimsPrincipalAccessor _claimsPrincipalAccessor;
+        private readonly IAuthorizationErrorMessageBuilder _messageBuilder;
 
         /// <summary>
         /// Creates an instance of <see cref="AuthorizationValidationRule"/>.
         /// </summary>
         /// <param name="authorizationService"> ASP.NET Core <see cref="IAuthorizationService"/> to authorize against. </param>
         /// <param name="claimsPrincipalAccessor"> The <see cref="IClaimsPrincipalAccessor"/> which provides the <see cref="ClaimsPrincipal"/> for authorization. </param>
-        public AuthorizationValidationRule(IAuthorizationService authorizationService, IClaimsPrincipalAccessor claimsPrincipalAccessor)
+        /// <param name="messageBuilder">The <see cref="IAuthorizationErrorMessageBuilder"/> which is used to generate the message for an <see cref="AuthorizationError"/>. </param>
+        public AuthorizationValidationRule(
+            IAuthorizationService authorizationService,
+            IClaimsPrincipalAccessor claimsPrincipalAccessor,
+            IAuthorizationErrorMessageBuilder messageBuilder)
         {
             _authorizationService = authorizationService;
             _claimsPrincipalAccessor = claimsPrincipalAccessor;
+            _messageBuilder = messageBuilder;
         }
 
-        private bool ShouldBeSkipped(Operation actualOperation, ValidationContext context)
+        private bool ShouldBeSkipped(Operation? actualOperation, ValidationContext context)
         {
             if (context.Document.Operations.Count <= 1)
             {
@@ -58,10 +66,10 @@ private bool ShouldBeSkipped(Operation actualOperation, ValidationContext contex
             } while (true);
         }
 
-        private bool FragmentBelongsToOperation(FragmentDefinition fragment, Operation operation)
+        private bool FragmentBelongsToOperation(FragmentDefinition fragment, Operation? operation)
         {
             bool belongs = false;
-            void Visit(INode node, int _)
+            void Visit(INode? node, int _)
             {
                 if (belongs)
                 {
@@ -76,7 +84,7 @@ void Visit(INode node, int _)
                 }
             }
 
-            operation.Visit(Visit, 0);
+            operation?.Visit(Visit, 0);
 
             return belongs;
         }
@@ -141,7 +149,7 @@ void Visit(INode node, int _)
                     // validation rule should check that but here we should just ignore that
                     // "unknown" field.
                     if (context.Variables != null &&
-                        context.Variables.TryGetValue(variableRef.Name, out object input) &&
+                        context.Variables.TryGetValue(variableRef.Name, out object? input) &&
                         input is Dictionary<string, object> fieldsValues)
                     {
                         foreach (var field in variableType.Fields)
@@ -156,7 +164,7 @@ void Visit(INode node, int _)
             );
         }
 
-        private async Task AuthorizeAsync(INode node, IProvideMetadata provider, ValidationContext context, OperationType? operationType)
+        private async Task AuthorizeAsync(INode? node, IProvideMetadata? provider, ValidationContext context, OperationType? operationType)
         {
             var policyNames = provider?.GetPolicies();
 
@@ -190,9 +198,10 @@ private async Task AuthorizeAsync(INode node, IProvideMetadata provider, Validat
         /// <summary>
         /// Adds an authorization failure error to the document response
         /// </summary>
-        protected virtual void AddValidationError(INode node, ValidationContext context, OperationType? operationType, AuthorizationResult result)
+        protected virtual void AddValidationError(INode? node, ValidationContext context, OperationType? operationType, AuthorizationResult result)
         {
-            context.ReportError(new AuthorizationError(node, context, operationType, result));
+            string message = _messageBuilder.GenerateMessage(operationType, result);
+            context.ReportError(new AuthorizationError(node, context, message, result, operationType));
         }
     }
 }
@@ -0,0 +1,114 @@
+#nullable enable
+
+using System.Linq;
+using System.Text;
+using GraphQL.Language.AST;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+
+namespace GraphQL.Server.Authorization.AspNetCore
+{
+    public class DefaultAuthorizationErrorMessageBuilder : IAuthorizationErrorMessageBuilder
+    {
+        /// <inheritdoc />
+        public virtual string GenerateMessage(OperationType? operationType, AuthorizationResult result)
+        {
+            if (result.Succeeded)
+                return "Success!";
+
+            var error = new StringBuilder();
+            AppendFailureHeader(error, operationType);
+
+            if (result.Failure != null)
+            {
+                foreach (var requirement in result.Failure.FailedRequirements)
+                {
+                    AppendFailureLine(error, requirement);
+                }
+            }
+
+            return error.ToString();
+        }
+
+        private string GetOperationType(OperationType? operationType)
+        {
+            return operationType switch
+            {
+                OperationType.Query => "query",
+                OperationType.Mutation => "mutation",
+                OperationType.Subscription => "subscription",
+                _ => "operation",
+            };
+        }
+
+        /// <inheritdoc />
+        public virtual void AppendFailureHeader(StringBuilder error, OperationType? operationType)
+        {
+            error
+                .Append("You are not authorized to run this ")
+                .Append(GetOperationType(operationType))
+                .Append('.');
+        }
+
+        /// <inheritdoc />
+        public virtual void AppendFailureLine(StringBuilder error, IAuthorizationRequirement authorizationRequirement)
+        {
+            error.AppendLine();
+
+            switch (authorizationRequirement)
+            {
+                case ClaimsAuthorizationRequirement claimsAuthorizationRequirement:
+                    error.Append("Required claim '");
+                    error.Append(claimsAuthorizationRequirement.ClaimType);
+                    if (claimsAuthorizationRequirement.AllowedValues == null || !claimsAuthorizationRequirement.AllowedValues.Any())
+                    {
+                        error.Append("' is not present.");
+                    }
+                    else
+                    {
+                        error.Append("' with any value of '");
+                        error.Append(string.Join(", ", claimsAuthorizationRequirement.AllowedValues));
+                        error.Append("' is not present.");
+                    }
+                    break;
+
+                case DenyAnonymousAuthorizationRequirement _:
+                    error.Append("The current user must be authenticated.");
+                    break;
+
+                case NameAuthorizationRequirement nameAuthorizationRequirement:
+                    error.Append("The current user name must match the name '");
+                    error.Append(nameAuthorizationRequirement.RequiredName);
+                    error.Append("'.");
+                    break;
+
+                case OperationAuthorizationRequirement operationAuthorizationRequirement:
+                    error.Append("Required operation '");
+                    error.Append(operationAuthorizationRequirement.Name);
+                    error.Append("' was not present.");
+                    break;
+
+                case RolesAuthorizationRequirement rolesAuthorizationRequirement:
+                    if (rolesAuthorizationRequirement.AllowedRoles == null || !rolesAuthorizationRequirement.AllowedRoles.Any())
+                    {
+                        // This should never happen.
+                        error.Append("Required roles are not present.");
+                    }
+                    else
+                    {
+                        error.Append("Required roles '");
+                        error.Append(string.Join(", ", rolesAuthorizationRequirement.AllowedRoles));
+                        error.Append("' are not present.");
+                    }
+                    break;
+
+                case AssertionRequirement _:
+                default:
+                    error.Append("Requirement '");
+                    error.Append(authorizationRequirement.GetType().Name);
+                    error.Append("' was not satisfied.");
+                    break;
+            }
+        }
+    }
+}
Original file line number	Diff line number	Diff line change
`@@ -13,8 +13,13 @@ namespace GraphQL.Samples.Server`
`13`	`13`	`/// </summary>`
`14`	`14`	`public class CustomErrorInfoProvider : DefaultErrorInfoProvider`
`15`	`15`	`{`
`16`		`- public CustomErrorInfoProvider(IOptions<ErrorInfoProviderOptions> options) : base(options)`
`17`		`- { }`
	`16`	`+ private readonly IAuthorizationErrorMessageBuilder _messageBuilder;`
	`17`	`+`
	`18`	`+ public CustomErrorInfoProvider(IOptions<ErrorInfoProviderOptions> options, IAuthorizationErrorMessageBuilder messageBuilder)`
	`19`	`+ : base(options)`
	`20`	`+ {`
	`21`	`+ _messageBuilder = messageBuilder;`
	`22`	`+ }`
`18`	`23`
`19`	`24`	`public override ErrorInfo GetInfo(ExecutionError executionError)`
`20`	`25`	`{`
`@@ -30,7 +35,7 @@ public override ErrorInfo GetInfo(ExecutionError executionError)`
`30`	`35`	`private string GetAuthorizationErrorMessage(AuthorizationError error)`
`31`	`36`	`{`
`32`	`37`	`var errorMessage = new StringBuilder();`
`33`		`- AuthorizationError.AppendFailureHeader(errorMessage, error.OperationType);`
	`38`	`+ _messageBuilder.AppendFailureHeader(errorMessage, error.OperationType);`
`34`	`39`
`35`	`40`	`foreach (var failedRequirement in error.AuthorizationResult.Failure.FailedRequirements)`
`36`	`41`	`{`
`@@ -43,7 +48,7 @@ private string GetAuthorizationErrorMessage(AuthorizationError error)`
`43`	`48`	`errorMessage.Append(" years old.");`
`44`	`49`	`break;`
`45`	`50`	`default:`
`46`		`- AuthorizationError.AppendFailureLine(errorMessage, failedRequirement);`
	`51`	`+ _messageBuilder.AppendFailureLine(errorMessage, failedRequirement);`
`47`	`52`	`break;`
`48`	`53`	`}`
`49`	`54`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+#nullable enable`
	`2`	`+`
`1`	`3`	`using System.Collections.Generic;`
`2`	`4`	`using System.Linq;`
`3`	`5`	`using System.Security.Claims;`
`@@ -17,19 +19,25 @@ public class AuthorizationValidationRule : IValidationRule`
`17`	`19`	`{`
`18`	`20`	`private readonly IAuthorizationService _authorizationService;`
`19`	`21`	`private readonly IClaimsPrincipalAccessor _claimsPrincipalAccessor;`
	`22`	`+ private readonly IAuthorizationErrorMessageBuilder _messageBuilder;`
`20`	`23`
`21`	`24`	`/// <summary>`
`22`	`25`	`/// Creates an instance of <see cref="AuthorizationValidationRule"/>.`
`23`	`26`	`/// </summary>`
`24`	`27`	`/// <param name="authorizationService"> ASP.NET Core <see cref="IAuthorizationService"/> to authorize against. </param>`
`25`	`28`	`/// <param name="claimsPrincipalAccessor"> The <see cref="IClaimsPrincipalAccessor"/> which provides the <see cref="ClaimsPrincipal"/> for authorization. </param>`
`26`		`- public AuthorizationValidationRule(IAuthorizationService authorizationService, IClaimsPrincipalAccessor claimsPrincipalAccessor)`
	`29`	`+ /// <param name="messageBuilder">The <see cref="IAuthorizationErrorMessageBuilder"/> which is used to generate the message for an <see cref="AuthorizationError"/>. </param>`
	`30`	`+ public AuthorizationValidationRule(`
	`31`	`+ IAuthorizationService authorizationService,`
	`32`	`+ IClaimsPrincipalAccessor claimsPrincipalAccessor,`
	`33`	`+ IAuthorizationErrorMessageBuilder messageBuilder)`
`27`	`34`	`{`
`28`	`35`	`_authorizationService = authorizationService;`
`29`	`36`	`_claimsPrincipalAccessor = claimsPrincipalAccessor;`
	`37`	`+ _messageBuilder = messageBuilder;`
`30`	`38`	`}`
`31`	`39`
`32`		`- private bool ShouldBeSkipped(Operation actualOperation, ValidationContext context)`
	`40`	`+ private bool ShouldBeSkipped(Operation? actualOperation, ValidationContext context)`
`33`	`41`	`{`
`34`	`42`	`if (context.Document.Operations.Count <= 1)`
`35`	`43`	`{`
`@@ -58,10 +66,10 @@ private bool ShouldBeSkipped(Operation actualOperation, ValidationContext contex`
`58`	`66`	`} while (true);`
`59`	`67`	`}`
`60`	`68`
`61`		`- private bool FragmentBelongsToOperation(FragmentDefinition fragment, Operation operation)`
	`69`	`+ private bool FragmentBelongsToOperation(FragmentDefinition fragment, Operation? operation)`
`62`	`70`	`{`
`63`	`71`	`bool belongs = false;`
`64`		`- void Visit(INode node, int _)`
	`72`	`+ void Visit(INode? node, int _)`
`65`	`73`	`{`
`66`	`74`	`if (belongs)`
`67`	`75`	`{`
`@@ -76,7 +84,7 @@ void Visit(INode node, int _)`
`76`	`84`	`}`
`77`	`85`	`}`
`78`	`86`
`79`		`- operation.Visit(Visit, 0);`
	`87`	`+ operation?.Visit(Visit, 0);`
`80`	`88`
`81`	`89`	`return belongs;`
`82`	`90`	`}`
`@@ -141,7 +149,7 @@ void Visit(INode node, int _)`
`141`	`149`	`// validation rule should check that but here we should just ignore that`
`142`	`150`	`// "unknown" field.`
`143`	`151`	`if (context.Variables != null &&`
`144`		`- context.Variables.TryGetValue(variableRef.Name, out object input) &&`
	`152`	`+ context.Variables.TryGetValue(variableRef.Name, out object? input) &&`
`145`	`153`	`input is Dictionary<string, object> fieldsValues)`
`146`	`154`	`{`
`147`	`155`	`foreach (var field in variableType.Fields)`
`@@ -156,7 +164,7 @@ void Visit(INode node, int _)`
`156`	`164`	`);`
`157`	`165`	`}`
`158`	`166`
`159`		`- private async Task AuthorizeAsync(INode node, IProvideMetadata provider, ValidationContext context, OperationType? operationType)`
	`167`	`+ private async Task AuthorizeAsync(INode? node, IProvideMetadata? provider, ValidationContext context, OperationType? operationType)`
`160`	`168`	`{`
`161`	`169`	`var policyNames = provider?.GetPolicies();`
`162`	`170`
`@@ -190,9 +198,10 @@ private async Task AuthorizeAsync(INode node, IProvideMetadata provider, Validat`
`190`	`198`	`/// <summary>`
`191`	`199`	`/// Adds an authorization failure error to the document response`
`192`	`200`	`/// </summary>`
`193`		`- protected virtual void AddValidationError(INode node, ValidationContext context, OperationType? operationType, AuthorizationResult result)`
	`201`	`+ protected virtual void AddValidationError(INode? node, ValidationContext context, OperationType? operationType, AuthorizationResult result)`
`194`	`202`	`{`
`195`		`- context.ReportError(new AuthorizationError(node, context, operationType, result));`
	`203`	`+ string message = _messageBuilder.GenerateMessage(operationType, result);`
	`204`	`+ context.ReportError(new AuthorizationError(node, context, message, result, operationType));`
`196`	`205`	`}`
`197`	`206`	`}`
`198`	`207`	`}`