test(auth): add bearer token authentication integration tests #686
Closed
pyramation wants to merge 11 commits into develop-v5 from
- Add RLS_MODULE_SQL query to fetch RLS module data with private schema name
- Add api_id to DOMAIN_LOOKUP_SQL and API_NAME_LOOKUP_SQL queries
- Add RlsModuleRow interface for type safety
- Add queryRlsModule function to fetch RLS module by API ID
- Add toRlsModule helper to convert database row to RlsModule interface
- Update toApiStructure to accept and include RLS module data
- Update resolveApiNameHeader and resolveDomainLookup to fetch RLS module

This enables the authentication middleware (auth.ts) to access the rlsModule data (authenticate, authenticateStrict, privateSchema) which is required for the PostGraphile v5 authentication flow.
…Graphile v5 The grafast.context callback receives a RequestContext object, not a generic context. In grafserv/express/v4, the Express request is available at requestContext.expressv4.req, not ctx.node.req. This was preventing the authentication middleware from properly passing the token to the GraphQL context, causing bearer token authentication to fail silently (always using anonRole instead of roleName).
…ture The grafast.context callback expects Partial<Grafast.RequestContext>, not the full Grafast.RequestContext type.
Added INFO-level logging throughout the auth middleware to help debug authentication issues:
- Log when middleware is called and whether api is present
- Log RLS module details (authenticate, authenticateStrict, privateSchema)
- Log authFn selection and strictAuth setting
- Log authorization header parsing
- Log the actual auth query being executed
- Log query results and success/failure
- Log when skipping auth due to missing config
The RLS module table is in metaschema_modules_public.rls_module, not services_public.rls_module. This was causing the RLS module query to return null, which made authentication skip entirely.
Simplified query functions to just call pool.query() directly without try/catch blocks that silently swallow 'does not exist' errors. Errors should propagate so issues are visible, not hidden.
Add comprehensive tests for bearer token authentication with mocked RLS module:
- Create auth-seed SQL fixtures with users, tokens, and authenticate functions
- Test valid/invalid/expired tokens via domain and X-Api-Name headers
- Test unauthenticated requests use anonymous role
- Test authenticated mutations
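The decision flow these commits describe (RLS module lookup, authFn selection, bearer parsing, anonymous fallback, UNAUTHENTICATED on bad tokens, and reading the Express request from requestContext.expressv4.req), as an added TypeScript illustration that is not the project's auth.ts. The RlsModule shape, the in-memory TOKEN_TABLE standing in for the SQL authenticate functions, and the pgSettings.role context key are assumptions.

```typescript
// Added illustration, not the project's auth.ts: models the flow the commits
// above describe (RLS module present? -> authFn choice -> bearer parsing ->
// role or UNAUTHENTICATED). RlsModule shape, TOKEN_TABLE and pgSettings.role
// are assumptions; the token rows are constructed sample data.
interface RlsModule { authenticate: string; authenticateStrict: string; privateSchema: string }
interface AuthRow { token_id: string; user_id: string; role: string; exp: number }
// grafserv/express/v4 hands the Express request to grafast.context here.
interface RequestContext { expressv4?: { req: { headers: Record<string, string | undefined> } } }

// Constructed stand-in for the SQL authenticate/authenticate_strict functions,
// which the PR description says return (token_id, user_id, role, exp).
const TOKEN_TABLE: Record<string, AuthRow> = {
  "tok-valid":   { token_id: "t1", user_id: "u1", role: "authenticated", exp: 4102444800 },
  "tok-expired": { token_id: "t2", user_id: "u2", role: "authenticated", exp: 946684800 },
};
class UnauthenticatedError extends Error {
  readonly extensions = { code: "UNAUTHENTICATED" };
}

// Accept only "Bearer <token>"; any other header shape means no token.
function parseBearer(header: string | undefined): string | undefined {
  const m = /^Bearer\s+(\S+)$/i.exec(header ?? "");
  return m ? m[1] : undefined;
}

// Qualify the auth function with the module's private schema; strict mode
// switches to authenticate_strict.
function selectAuthFn(rls: RlsModule, strictAuth: boolean): string {
  return `${rls.privateSchema}.${strictAuth ? rls.authenticateStrict : rls.authenticate}`;
}

// Role decision: no RLS module -> skip auth; no token -> anonRole;
// unknown or expired token -> UNAUTHENTICATED; otherwise the row's role.
function resolveRole(rls: RlsModule | null, authHeader: string | undefined,
                     anonRole: string, nowSec = Date.now() / 1000): string {
  if (!rls) return anonRole;
  const token = parseBearer(authHeader);
  if (!token) return anonRole;
  const row = TOKEN_TABLE[token]; // mock for SELECT * FROM <selectAuthFn(...)>($1)
  if (!row || row.exp <= nowSec) throw new UnauthenticatedError("invalid or expired token");
  return row.role;
}

// The grafast.context fix: read the request from requestContext.expressv4.req,
// not ctx.node.req, so the header actually reaches the GraphQL context.
function buildContext(requestContext: RequestContext, rls: RlsModule | null,
                      anonRole: string, nowSec?: number): { pgSettings: { role: string } } {
  const header = requestContext.expressv4?.req.headers["authorization"];
  return { pgSettings: { role: resolveRole(rls, header, anonRole, nowSec) } };
}
```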
Summary

Adds comprehensive integration tests for bearer token authentication with a mocked RLS module and authenticate functions. This PR builds on top of PR #684 (RLS module support for PostGraphile v5) and provides test coverage for the authentication flow.

New test fixtures (auth-seed/):
- setup.sql: Creates metaschema tables, services_public tables, and rls_module table
- schema.sql: Creates test users/tokens tables and mock authenticate/authenticate_strict functions
- test-data.sql: Seeds test users, tokens (valid, expired), and RLS module configuration

Test scenarios (auth.integration.test.ts):

Updates since last revision
- UNAUTHENTICATED error response instead of data

Review & Testing Checklist for Human
- res.body.errors[0].extensions.code === 'UNAUTHENTICATED' for invalid/expired tokens. Confirm this matches the actual auth.ts middleware response format.
- authenticate function returns (token_id, user_id, role, exp). Confirm this matches what auth.ts expects from the query result.

Recommended test plan:
- cd graphql/server-test && pnpm test -- auth.integration
- current_setting('role'))

Notes
- simple-seed-services fixtures

Link to Devin run: https://app.devin.ai/sessions/c0c4671ef1dd48199e62c4bd403dd3c5
Requested by: Dan Lynch (@pyramation)