Merge pull request #4868 from rmosolgo/fix-unauthorized-args-during-complexity

Handle unauthorized argument errors properly during complexity analysis

Author: rmosolgo

lib/graphql/analysis/ast.rb

@@ -81,6 +81,9 @@ def analyze_query(query, analyzers, multiplex_analyzers: [])
         end
       rescue Timeout::Error
         [GraphQL::AnalysisError.new("Timeout on validation of query")]
+      rescue GraphQL::UnauthorizedError
+        # This error was raised during analysis and will be returned the client before execution
+        []
       end
 
       def analysis_errors(results)

lib/graphql/schema/field.rb

@@ -471,6 +471,8 @@ def calculate_complexity(query:, nodes:, child_complexity:)
             if arguments[:last] && (max_possible_page_size.nil? || arguments[:last] > max_possible_page_size)
               max_possible_page_size = arguments[:last]
             end
+          elsif arguments.is_a?(GraphQL::UnauthorizedError)
+            raise arguments
           end
 
           if max_possible_page_size.nil?

spec/graphql/analysis/ast/max_query_complexity_spec.rb

@@ -145,4 +145,50 @@
       end
     end
   end
+
+  describe "when an argument is unauthorized by type" do
+    class AuthorizedTypeSchema < GraphQL::Schema
+      class Thing < GraphQL::Schema::Object
+        def self.authorized?(obj, ctx)
+          !!ctx[:authorized] && super
+        end
+        field :name, String
+      end
+
+      class Query < GraphQL::Schema::Object
+        field :things, Thing.connection_type do
+          argument :thing_id, ID, loads: Thing
+        end
+
+        def things(thing:)
+          [thing]
+        end
+      end
+
+      query(Query)
+      def self.resolve_type(abs_type, object, ctx)
+        Thing
+      end
+
+      def self.object_from_id(id, ctx)
+        { name: "Loaded thing #{id}" }
+      end
+
+      def self.unauthorized_object(err)
+        raise GraphQL::ExecutionError, "Unauthorized Object: #{err.object[:name].inspect}"
+      end
+
+      default_max_page_size 30
+      max_complexity 10
+    end
+
+    it "when the arg is unauthorized, returns an authorization error, not a complexity error" do
+      query_str = "{ things(thingId: \"123\", first: 1) { nodes { name } } }"
+      res = AuthorizedTypeSchema.execute(query_str, context: { authorized: true })
+      assert_equal "Loaded thing 123", res["data"]["things"]["nodes"].first["name"]
+
+      res2 = AuthorizedTypeSchema.execute(query_str)
+      assert_equal ["Unauthorized Object: \"Loaded thing 123\""], res2["errors"].map { |e| e["message"] }
+    end
+  end
 end