chore: add more authorization directive tests #2454

Merged
Aenimus merged 4 commits into main from david/eng-8774-add-authorization-tests
Jan 15, 2026

@Aenimus Aenimus commented Jan 14, 2026

Summary by CodeRabbit

  • New Features

    • Exported INTERFACE and OBJECT constants in the public API to support authorization directive configurations.
  • Tests

    • Expanded and reorganized tests for @authenticated and @requiresScopes across Enums, Interfaces, Objects, Scalars and numerous federated/subgraph scenarios to cover many combinations and edge cases.

Checklist

  • I have discussed my proposed changes in an issue and have received approval to proceed.
  • I have followed the coding standards of the project.
  • Tests or benchmarks have been added or updated.
  • Documentation has been updated on https://github.com/wundergraph/cosmo-docs.
  • I have read the Contributors Guide.

coderabbitai bot commented Jan 14, 2026

Walkthrough

The authorization-directives test file was restructured and greatly expanded; two new public API constants, INTERFACE and OBJECT, were added to exports. Tests now include broader @authenticated and @requiresScopes coverage with many new federated subgraph definitions exercising multiple type kinds.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Authorization directive tests & public API exports: composition/tests/v1/directives/authorization-directives.test.ts | Reorganized tests into @authenticated and @requiresScopes describe blocks; added many new federated subgraph definitions (e.g., fiaa, fiab, fjaa, fjab, fkaa, fkab, flaa, flab, ...); updated assertions and imports to use newly exported INTERFACE and OBJECT constants; expanded coverage across Enum, Interface, Object, and Scalar kinds. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: adding more authorization directive tests, which aligns with the significant test expansion in the authorization-directives.test.ts file. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c4d4173 and b39a159.

📒 Files selected for processing (1)
  • composition/tests/v1/directives/authorization-directives.test.ts
🧰 Additional context used
🧠 Learnings (4)
📓 Common learnings
Learnt from: JivusAyrus
Repo: wundergraph/cosmo PR: 2156
File: controlplane/src/core/repositories/SubgraphRepository.ts:1749-1751
Timestamp: 2025-08-29T10:28:04.846Z
Learning: In the controlplane codebase, authentication and authorization checks (including organization scoping) are handled at the service layer in files like unlinkSubgraph.ts before calling repository methods. Repository methods like unlinkSubgraph() in SubgraphRepository.ts can focus purely on data operations without redundant security checks.
📚 Learning: 2025-09-08T20:57:07.946Z
Learnt from: JivusAyrus
Repo: wundergraph/cosmo PR: 2156
File: controlplane/src/core/repositories/SubgraphRepository.ts:1746-1763
Timestamp: 2025-09-08T20:57:07.946Z
Learning: The checkSubgraphSchema.ts file already correctly implements linked subgraph functionality, using byName(linkedSubgraph.name, linkedSubgraph.namespace) to fetch target subgraphs and properly handles parse(newSchemaSDL) for schema building. The implementation doesn't need fixes for byId usage or schema parsing as it's already correct.

Applied to files:

  • composition/tests/v1/directives/authorization-directives.test.ts
📚 Learning: 2025-08-29T10:28:04.846Z
Learnt from: JivusAyrus
Repo: wundergraph/cosmo PR: 2156
File: controlplane/src/core/repositories/SubgraphRepository.ts:1749-1751
Timestamp: 2025-08-29T10:28:04.846Z
Learning: In the controlplane codebase, authentication and authorization checks (including organization scoping) are handled at the service layer in files like unlinkSubgraph.ts before calling repository methods. Repository methods like unlinkSubgraph() in SubgraphRepository.ts can focus purely on data operations without redundant security checks.

Applied to files:

  • composition/tests/v1/directives/authorization-directives.test.ts
📚 Learning: 2025-08-28T09:17:49.477Z
Learnt from: endigma
Repo: wundergraph/cosmo PR: 2141
File: router-tests/http_subscriptions_test.go:17-55
Timestamp: 2025-08-28T09:17:49.477Z
Learning: The Cosmo router uses a custom, intentionally rigid multipart implementation for GraphQL subscriptions. The multipart parsing in test files should remain strict and not be made more tolerant, as this rigidity is by design.

Applied to files:

  • composition/tests/v1/directives/authorization-directives.test.ts
🧬 Code graph analysis (1)
composition/tests/v1/directives/authorization-directives.test.ts (7)
composition/src/router-compatibility-version/router-compatibility-version.ts (1)
  • ROUTER_COMPATIBILITY_VERSION_ONE (3-3)
composition/src/utils/string-constants.ts (3)
  • QUERY (117-117)
  • INTERFACE (77-77)
  • OBJECT (107-107)
composition/tests/v1/utils/utils.ts (1)
  • SCHEMA_QUERY_DEFINITION (158-162)
composition/src/errors/errors.ts (1)
  • orScopesLimitError (898-905)
composition/src/v1/constants/constants.ts (1)
  • MAX_OR_SCOPES (136-136)
composition/src/subgraph/types.ts (1)
  • Subgraph (18-22)
composition/src/ast/utils.ts (1)
  • parse (272-274)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: build_test
  • GitHub Check: build_push_image
  • GitHub Check: build_test
  • GitHub Check: build_test
  • GitHub Check: build_push_image
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: Analyze (go)
🔇 Additional comments (4)
composition/tests/v1/directives/authorization-directives.test.ts (4)

2-13: LGTM! Imports look correct.

The new INTERFACE and OBJECT imports are properly sourced from ../../../src and are used in the test assertions (lines 779 and 819 respectively).


512-840: LGTM! Well-structured @authenticated test suite.

The test cases comprehensively cover @authenticated directive behavior across different GraphQL type kinds (Enum, Interface, Object, Scalar) and field locations (Interface field, Object field). The assertions properly validate both fieldConfigurations and the resulting federated schema.


842-1018: LGTM! Comprehensive @requiresScopes test coverage.

The test cases properly cover scope persistence, interface field isolation behavior, error handling for scope limits, and inter-subgraph scope reduction scenarios. The bidirectional tests (e.g., [fqab, fqaa] and [fqac, fqaa]) are valuable for verifying order-independent federation behavior.


2294-2503: LGTM! Well-defined test subgraphs.

The new subgraph definitions properly cover various authorization scenarios:

  • Enum/Interface/Object/Scalar types with @authenticated
  • Field-level @authenticated on Interface and Object
  • @requiresScopes with interface field isolation
  • Inter-subgraph scope reduction with @shareable Query types

The federation directives (@shareable, @key) are correctly applied where needed for valid composition.

Also applies to: 2529-2557

codecov bot commented Jan 14, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 37.66%. Comparing base (8721174) to head (b39a159).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff             @@
##             main    #2454       +/-   ##
===========================================
- Coverage   60.84%   37.66%   -23.19%     
===========================================
  Files         229      769      +540     
  Lines       23839   114353    +90514     
  Branches        0     7869     +7869     
===========================================
+ Hits        14504    43066    +28562     
- Misses       8089    70928    +62839     
+ Partials     1246      359      -887     

see 998 files with indirect coverage changes

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@composition/tests/v1/directives/authorization-directives.test.ts`:
- Around line 841-873: Remove the duplicate test whose description is "that
`@authenticated` on an Object field generates the correct router configuration"
(the second occurrence), or change it to cover a different scenario; locate the
test using the same call to federateSubgraphsSuccess([fnaa, fnab],
ROUTER_COMPATIBILITY_VERSION_ONE) and the same assertions against
fieldConfigurations and schemaToSortedNormalizedString/normalizeString that
reference OBJECT and AUTHENTICATED_DIRECTIVE, then either delete that block or
replace it with a distinct case (e.g., test a different type kind or directive
combination) so only one test asserts this exact behavior.
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 08bcfb5 and 6a794de.

📒 Files selected for processing (1)
  • composition/tests/v1/directives/authorization-directives.test.ts
🔇 Additional comments (3)
composition/tests/v1/directives/authorization-directives.test.ts (3)

1-13: LGTM!

The new imports of INTERFACE and OBJECT constants are correctly added and properly used in the test assertions for the router configuration checks.


876-1000: LGTM!

The @requiresScopes tests are well-structured with comprehensive coverage:

  • Persistence in federated schema
  • Interface field behavior with implementations
  • Error handling for scope limits with both subgraph orderings

2276-2485: LGTM!

The new subgraph definitions are well-organized and provide comprehensive test coverage for authorization directives across different GraphQL type kinds (Enum, Interface, Object, Scalar) and their fields. The naming convention (fiaa/fiab, fjaa/fjab, etc.) is consistent and allows for easy pairing in federation tests.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@composition/tests/v1/directives/authorization-directives.test.ts`:
- Around line 2539-2561: Remove the unused Subgraph definitions fpaa and fpab
(the constants fpaa and fpab that call parse(...) to set definitions and names)
from the test file since they are not referenced by any test; alternatively, if
they are meant to be exercised, add explicit test cases that import/instantiate
these symbols and assert their expected behavior instead of leaving the unused
constants in the file.
♻️ Duplicate comments (1)
composition/tests/v1/directives/authorization-directives.test.ts (1)

841-873: Duplicate test case detected.

This test is identical to the test at lines 807-839—same description, same subgraphs [fnaa, fnab], and same assertions. Remove this duplicate or update it to test a different scenario.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6a794de and c4d4173.

📒 Files selected for processing (1)
  • composition/tests/v1/directives/authorization-directives.test.ts
🔇 Additional comments (4)
composition/tests/v1/directives/authorization-directives.test.ts (4)

5-7: LGTM!

The newly exported INTERFACE and OBJECT constants are properly imported and used in the test assertions for typeName fields in the fieldConfigurations.


876-1051: LGTM!

The new @requiresScopes tests describe block is well-organized with clear test coverage for:

  • Schema persistence
  • Interface field scope isolation from implementations
  • Error handling for scope limits
  • Inter-subgraph scope reduction

2328-2537: LGTM!

The new subgraph definitions are well-structured and provide comprehensive test coverage for @authenticated directive across different GraphQL type kinds (Enum, Interface, Object, Scalar) and their fields.


2563-2591: LGTM!

The inter-subgraph scope test fixtures (fqaa, fqab, fqac) are correctly designed to verify scope reduction logic:

  • fqaa and fqab with identical scopes test merge behavior
  • fqac with an additional scope tests intersection (requiredScopes) vs. union (requiredScopesByOR) semantics

@Aenimus Aenimus enabled auto-merge (squash) January 15, 2026 11:33
@Aenimus Aenimus merged commit 24d0709 into main Jan 15, 2026
25 checks passed
@Aenimus Aenimus deleted the david/eng-8774-add-authorization-tests branch January 15, 2026 11:45