thecodingmachine
diff --git a/‎src/InputField.php
Lines changed: 0 additions & 20 deletions b/‎src/InputField.php
Lines changed: 0 additions & 20 deletions
diff --git a/‎src/Middlewares/AuthorizationFieldMiddleware.php
Lines changed: 30 additions & 16 deletions b/‎src/Middlewares/AuthorizationFieldMiddleware.php
Lines changed: 30 additions & 16 deletions
diff --git a/‎src/Middlewares/AuthorizationInputFieldMiddleware.php
Lines changed: 19 additions & 3 deletions b/‎src/Middlewares/AuthorizationInputFieldMiddleware.php
Lines changed: 19 additions & 3 deletions
diff --git a/‎src/QueryField.php
Lines changed: 1 addition & 20 deletions b/‎src/QueryField.php
Lines changed: 1 addition & 20 deletions
diff --git a/‎tests/Middlewares/AuthorizationFieldMiddlewareTest.php
Lines changed: 93 additions & 16 deletions b/‎tests/Middlewares/AuthorizationFieldMiddlewareTest.php
Lines changed: 93 additions & 16 deletions
@@ -13,7 +13,6 @@
 use GraphQL\Type\Definition\ResolveInfo;
 use GraphQL\Type\Definition\Type;
 use TheCodingMachine\GraphQLite\Exceptions\GraphQLAggregateException;
-use TheCodingMachine\GraphQLite\Middlewares\MissingAuthorizationException;
 use TheCodingMachine\GraphQLite\Middlewares\ResolverInterface;
 use TheCodingMachine\GraphQLite\Middlewares\SourceResolverInterface;
 use TheCodingMachine\GraphQLite\Parameters\MissingArgumentException;
@@ -123,25 +122,6 @@ public function forConstructorHydration(): bool
         return $this->forConstructorHydration;
     }
 
-    /**
-     * @param bool $isNotLogged False if the user is logged (and the error is a 403), true if the error is unlogged (the error is a 401)
-     *
-     * @return InputField
-     */
-    public static function unauthorizedError(InputFieldDescriptor $fieldDescriptor, bool $isNotLogged): self
-    {
-        $callable = static function () use ($isNotLogged): void {
-            if ($isNotLogged) {
-                throw MissingAuthorizationException::unauthorized();
-            }
-            throw MissingAuthorizationException::forbidden();
-        };
-
-        $fieldDescriptor->setResolver($callable);
-
-        return self::fromDescriptor($fieldDescriptor);
-    }
-
     private static function fromDescriptor(InputFieldDescriptor $fieldDescriptor): self
     {
         return new self(
 
@@ -12,7 +12,6 @@
 use TheCodingMachine\GraphQLite\Annotations\HideIfUnauthorized;
 use TheCodingMachine\GraphQLite\Annotations\Logged;
 use TheCodingMachine\GraphQLite\Annotations\Right;
-use TheCodingMachine\GraphQLite\QueryField;
 use TheCodingMachine\GraphQLite\QueryFieldDescriptor;
 use TheCodingMachine\GraphQLite\Security\AuthenticationServiceInterface;
 use TheCodingMachine\GraphQLite\Security\AuthorizationServiceInterface;
@@ -39,8 +38,19 @@ public function process(QueryFieldDescriptor $queryFieldDescriptor, FieldHandler
         $rightAnnotation = $annotations->getAnnotationByType(Right::class);
         assert($rightAnnotation === null || $rightAnnotation instanceof Right);
 
+        // Avoid wrapping resolver callback when no annotations are specified.
+        if (! $loggedAnnotation && ! $rightAnnotation) {
+            return $fieldHandler->handle($queryFieldDescriptor);
+        }
+
         $failWith = $annotations->getAnnotationByType(FailWith::class);
         assert($failWith === null || $failWith instanceof FailWith);
+        $hideIfUnauthorized = $annotations->getAnnotationByType(HideIfUnauthorized::class);
+        assert($hideIfUnauthorized instanceof HideIfUnauthorized || $hideIfUnauthorized === null);
+
+        if ($failWith !== null && $hideIfUnauthorized !== null) {
+            throw IncompatibleAnnotationsException::cannotUseFailWithAndHide();
+        }
 
         // If the failWith value is null and the return type is non-nullable, we must set it to nullable.
         $type = $queryFieldDescriptor->getType();
@@ -50,28 +60,32 @@ public function process(QueryFieldDescriptor $queryFieldDescriptor, FieldHandler
             $queryFieldDescriptor->setType($type);
         }
 
-        if ($this->isAuthorized($loggedAnnotation, $rightAnnotation)) {
-            return $fieldHandler->handle($queryFieldDescriptor);
+        // When using the same Schema instance for multiple subsequent requests, this middleware will only
+        // get called once, meaning #[HideIfUnauthorized] only works when Schema is used for a single request
+        // and then discarded. This check is to keep the latter case working.
+        if ($hideIfUnauthorized !== null && ! $this->isAuthorized($loggedAnnotation, $rightAnnotation)) {
+            return null;
         }
 
-        $hideIfUnauthorized = $annotations->getAnnotationByType(HideIfUnauthorized::class);
-        assert($hideIfUnauthorized instanceof HideIfUnauthorized || $hideIfUnauthorized === null);
+        $resolver = $queryFieldDescriptor->getResolver();
 
-        if ($failWith !== null && $hideIfUnauthorized !== null) {
-            throw IncompatibleAnnotationsException::cannotUseFailWithAndHide();
-        }
+        $queryFieldDescriptor->setResolver(function (...$args) use ($rightAnnotation, $loggedAnnotation, $failWith, $resolver) {
+            if ($this->isAuthorized($loggedAnnotation, $rightAnnotation)) {
+                return $resolver(...$args);
+            }
 
-        if ($failWith !== null) {
-            $failWithValue = $failWith->getValue();
+            if ($failWith !== null) {
+                return $failWith->getValue();
+            }
 
-            return QueryField::alwaysReturn($queryFieldDescriptor, $failWithValue);
-        }
+            if ($loggedAnnotation !== null && ! $this->authenticationService->isLogged()) {
+                throw MissingAuthorizationException::unauthorized();
+            }
 
-        if ($hideIfUnauthorized !== null) {
-            return null;
-        }
+            throw MissingAuthorizationException::forbidden();
+        });
 
-        return QueryField::unauthorizedError($queryFieldDescriptor, $loggedAnnotation !== null && ! $this->authenticationService->isLogged());
+        return $fieldHandler->handle($queryFieldDescriptor);
     }
 
     /**
 
@@ -36,17 +36,33 @@ public function process(InputFieldDescriptor $inputFieldDescriptor, InputFieldHa
         $rightAnnotation = $annotations->getAnnotationByType(Right::class);
         assert($rightAnnotation === null || $rightAnnotation instanceof Right);
 
-        if ($this->isAuthorized($loggedAnnotation, $rightAnnotation)) {
+        // Avoid wrapping resolver callback when no annotations are specified.
+        if (! $loggedAnnotation && ! $rightAnnotation) {
             return $inputFieldHandler->handle($inputFieldDescriptor);
         }
 
         $hideIfUnauthorized = $annotations->getAnnotationByType(HideIfUnauthorized::class);
         assert($hideIfUnauthorized instanceof HideIfUnauthorized || $hideIfUnauthorized === null);
 
-        if ($hideIfUnauthorized !== null) {
+        if ($hideIfUnauthorized !== null && ! $this->isAuthorized($loggedAnnotation, $rightAnnotation)) {
             return null;
         }
-        return InputField::unauthorizedError($inputFieldDescriptor, $loggedAnnotation !== null && ! $this->authenticationService->isLogged());
+
+        $resolver = $inputFieldDescriptor->getResolver();
+
+        $inputFieldDescriptor->setResolver(function (...$args) use ($rightAnnotation, $loggedAnnotation, $resolver) {
+            if ($this->isAuthorized($loggedAnnotation, $rightAnnotation)) {
+                return $resolver(...$args);
+            }
+
+            if ($loggedAnnotation !== null && ! $this->authenticationService->isLogged()) {
+                throw MissingAuthorizationException::unauthorized();
+            }
+
+            throw MissingAuthorizationException::forbidden();
+        });
+
+        return $inputFieldHandler->handle($inputFieldDescriptor);
     }
 
     /**
 
@@ -15,7 +15,6 @@
 use GraphQL\Type\Definition\Type;
 use TheCodingMachine\GraphQLite\Context\ContextInterface;
 use TheCodingMachine\GraphQLite\Exceptions\GraphQLAggregateException;
-use TheCodingMachine\GraphQLite\Middlewares\MissingAuthorizationException;
 use TheCodingMachine\GraphQLite\Middlewares\ResolverInterface;
 use TheCodingMachine\GraphQLite\Middlewares\SourceResolverInterface;
 use TheCodingMachine\GraphQLite\Parameters\MissingArgumentException;
@@ -143,6 +142,7 @@ public function __construct(string $name, OutputType $type, array $arguments, Re
         }
 
         $config += $additionalConfig;
+
         parent::__construct($config);
     }
 
@@ -186,25 +186,6 @@ public static function alwaysReturn(QueryFieldDescriptor $fieldDescriptor, mixed
         return self::fromDescriptor($fieldDescriptor);
     }
 
-    /**
-     * @param bool $isNotLogged False if the user is logged (and the error is a 403), true if the error is unlogged (the error is a 401)
-     *
-     * @return QueryField
-     */
-    public static function unauthorizedError(QueryFieldDescriptor $fieldDescriptor, bool $isNotLogged): self
-    {
-        $callable = static function () use ($isNotLogged): void {
-            if ($isNotLogged) {
-                throw MissingAuthorizationException::unauthorized();
-            }
-            throw MissingAuthorizationException::forbidden();
-        };
-
-        $fieldDescriptor->setResolver($callable);
-
-        return self::fromDescriptor($fieldDescriptor);
-    }
-
     private static function fromDescriptor(QueryFieldDescriptor $fieldDescriptor): self
     {
         $type = $fieldDescriptor->getType();
 
@@ -3,43 +3,120 @@
 namespace TheCodingMachine\GraphQLite\Middlewares;
 
 use GraphQL\Type\Definition\FieldDefinition;
-use PHPUnit\Framework\TestCase;
-use ReflectionMethod;
 use TheCodingMachine\GraphQLite\AbstractQueryProviderTest;
 use TheCodingMachine\GraphQLite\Annotations\Exceptions\IncompatibleAnnotationsException;
 use TheCodingMachine\GraphQLite\Annotations\FailWith;
 use TheCodingMachine\GraphQLite\Annotations\HideIfUnauthorized;
 use TheCodingMachine\GraphQLite\Annotations\Logged;
+use TheCodingMachine\GraphQLite\Annotations\MiddlewareAnnotationInterface;
+use TheCodingMachine\GraphQLite\Annotations\MiddlewareAnnotations;
+use TheCodingMachine\GraphQLite\Annotations\Right;
 use TheCodingMachine\GraphQLite\QueryFieldDescriptor;
+use TheCodingMachine\GraphQLite\Security\AuthenticationServiceInterface;
+use TheCodingMachine\GraphQLite\Security\AuthorizationServiceInterface;
 use TheCodingMachine\GraphQLite\Security\VoidAuthenticationService;
 use TheCodingMachine\GraphQLite\Security\VoidAuthorizationService;
 
 class AuthorizationFieldMiddlewareTest extends AbstractQueryProviderTest
 {
+    public function testReturnsResolversValueWhenAuthorized(): void
+    {
+        $authenticationService = $this->createMock(AuthenticationServiceInterface::class);
+        $authenticationService->method('isLogged')
+            ->willReturn(true);
+        $authorizationService = $this->createMock(AuthorizationServiceInterface::class);
+        $authorizationService->method('isAllowed')
+            ->willReturn(true);
+        $middleware = new AuthorizationFieldMiddleware($authenticationService, $authorizationService);
+
+        $descriptor = $this->stubDescriptor([new Logged(), new Right('test')]);
+        $descriptor->setResolver(fn () => 123);
+
+        $field = $middleware->process($descriptor, $this->stubFieldHandler());
+
+        self::assertNotNull($field);
+        self::assertSame(123, ($field->resolveFn)());
+    }
+
 
-    public function testException(): void
+    public function testFailsForHideIfUnauthorizedAndFailWith(): void
     {
         $middleware = new AuthorizationFieldMiddleware(new VoidAuthenticationService(), new VoidAuthorizationService());
 
-        $descriptor = new QueryFieldDescriptor();
-        $descriptor->setMiddlewareAnnotations($this->getAnnotationReader()->getMiddlewareAnnotations(new ReflectionMethod(__CLASS__, 'stub')));
-
         $this->expectException(IncompatibleAnnotationsException::class);
-        $middleware->process($descriptor, new class implements FieldHandlerInterface {
-            public function handle(QueryFieldDescriptor $fieldDescriptor): ?FieldDefinition
-            {
-                return FieldDefinition::create(['name'=>'foo']);
-            }
-        });
+        $middleware->process($this->stubDescriptor([new Logged(), new HideIfUnauthorized(), new FailWith(value: 123)]), $this->stubFieldHandler());
+    }
+
+    public function testHidesFieldForHideIfUnauthorized(): void
+    {
+        $middleware = new AuthorizationFieldMiddleware(new VoidAuthenticationService(), new VoidAuthorizationService());
+
+        $field = $middleware->process($this->stubDescriptor([new Logged(), new HideIfUnauthorized()]), $this->stubFieldHandler());
+
+        self::assertNull($field);
+    }
+
+    public function testReturnsFailsWithValueWhenNotAuthorized(): void
+    {
+        $middleware = new AuthorizationFieldMiddleware(new VoidAuthenticationService(), new VoidAuthorizationService());
+
+        $field = $middleware->process($this->stubDescriptor([new Logged(), new FailWith(value: 123)]), $this->stubFieldHandler());
+
+        self::assertNotNull($field);
+        self::assertSame(123, ($field->resolveFn)());
+    }
+
+    public function testThrowsUnauthorizedExceptionWhenNotAuthorized(): void
+    {
+        $middleware = new AuthorizationFieldMiddleware(new VoidAuthenticationService(), new VoidAuthorizationService());
+
+        $field = $middleware->process($this->stubDescriptor([new Logged()]), $this->stubFieldHandler());
+
+        self::assertNotNull($field);
+
+        $this->expectExceptionObject(MissingAuthorizationException::unauthorized());
+
+        ($field->resolveFn)();
+    }
+
+    public function testThrowsForbiddenExceptionWhenNotAuthorized(): void
+    {
+        $authenticationService = $this->createMock(AuthenticationServiceInterface::class);
+        $authenticationService->method('isLogged')
+            ->willReturn(true);
+        $middleware = new AuthorizationFieldMiddleware($authenticationService, new VoidAuthorizationService());
+
+        $field = $middleware->process($this->stubDescriptor([new Logged(), new Right('test')]), $this->stubFieldHandler());
+
+        self::assertNotNull($field);
+
+        $this->expectExceptionObject(MissingAuthorizationException::forbidden());
+
+        ($field->resolveFn)();
     }
 
     /**
-     * @Logged()
-     * @HideIfUnauthorized()
-     * @FailWith(null)
+     * @param MiddlewareAnnotationInterface[] $annotations
      */
-    public function stub()
+    private function stubDescriptor(array $annotations): QueryFieldDescriptor
     {
+        $descriptor = new QueryFieldDescriptor();
+        $descriptor->setMiddlewareAnnotations(new MiddlewareAnnotations($annotations));
+        $descriptor->setResolver(fn () => self::fail('Should not be called.'));
 
+        return $descriptor;
+    }
+
+    private function stubFieldHandler(): FieldHandlerInterface
+    {
+        return new class implements FieldHandlerInterface {
+            public function handle(QueryFieldDescriptor $fieldDescriptor): FieldDefinition|null
+            {
+                return new FieldDefinition([
+                    'name' => 'foo',
+                    'resolve' => $fieldDescriptor->getResolver(),
+                ]);
+            }
+        };
     }
 }