Conversation

@octoaide octoaide bot (Contributor) commented Jan 12, 2026

This PR implements a small helper module to centralize customer-scoping and authorization logic used by the GraphQL layer (graphql::auth), addressing issue #761.

Closes #761

Summary of changes:

  • Add new module src/graphql/auth.rs providing customer-scoping utilities for GraphQL handlers.

    • Public helpers:
      • is_admin(customer_ids: &Option<Vec<u32>>) -> bool
      • is_member(customer_ids: &Option<Vec<u32>>, customer_id: u32) -> bool
      • membership_intersection(customer_ids, items) -> Vec
      • filter_by_membership(customer_ids, iter, f) -> Vec
      • filter_by_customer_id(customer_ids, iter, f) -> Vec
      • unauthorized_error() -> async_graphql::Error
    • Admin semantics: customer_ids == None means administrator (full access).
    • Utilities support single-customer and multi-customer item filtering; admins bypass filters.
    • Returns a canonical GraphQL unauthorized error for use by handlers.
  • Export auth module from src/graphql.rs so it is available as crate::graphql::auth.

  • Add unit tests covering admin behavior, membership checks, intersection logic, iterator filtering, and unauthorized error.

  • Update CHANGELOG.md with an entry describing the new utilities.

Why this change:

  • Centralizes customer authorization concerns used across GraphQL resolvers.
  • Standardizes admin semantics and error handling to simplify downstream domain PRs and reduce duplication.

Files changed (high level):

  • src/graphql/auth.rs (new)
  • src/graphql.rs (export of auth module)
  • CHANGELOG.md (entry)

Notes:

  • Customer IDs use u32 to match existing codebase conventions.
  • The module exposes small, well-documented helpers designed for easy consumption by GraphQL resolvers and future domain PRs.

If you want any naming or API adjustments (e.g., using a different integer type for customer IDs), I can update the implementation accordingly.
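The scoping semantics the description lists (customer_ids == None is an administrator, membership checks, admins bypassing the filters, a canonical unauthorized error) as an added stand-alone Rust model; this is not the PR's src/graphql/auth.rs. It assumes a plain String in place of async_graphql::Error, a hypothetical load_for_customer resolver gate, and deny-by-default for multi-customer items that carry no customer ID.

```rust
// Added example modelling the PR's stated semantics; not the project's code.

/// `None` means the caller is an administrator with full access.
pub fn is_admin(customer_ids: &Option<Vec<u32>>) -> bool {
    customer_ids.is_none()
}

/// Admins are members of every customer; others need an explicit entry.
pub fn is_member(customer_ids: &Option<Vec<u32>>, customer_id: u32) -> bool {
    match customer_ids {
        None => true,
        Some(ids) => ids.contains(&customer_id),
    }
}

/// Customer IDs in `items` the caller may see; an admin gets all of them.
pub fn membership_intersection(customer_ids: &Option<Vec<u32>>, items: &[u32]) -> Vec<u32> {
    items.iter().copied().filter(|id| is_member(customer_ids, *id)).collect()
}

/// Multi-customer items: keep an item when at least one of its customers is
/// visible. An item with no customers is dropped for non-admins (assumption:
/// deny by default; the PR text does not state this case).
pub fn filter_by_membership<T, I, F>(customer_ids: &Option<Vec<u32>>, iter: I, f: F) -> Vec<T>
where
    I: IntoIterator<Item = T>,
    F: Fn(&T) -> Vec<u32>,
{
    iter.into_iter()
        .filter(|item| is_admin(customer_ids) || f(item).iter().any(|id| is_member(customer_ids, *id)))
        .collect()
}

/// Single-customer items: keep an item when its one customer is visible.
pub fn filter_by_customer_id<T, I, F>(customer_ids: &Option<Vec<u32>>, iter: I, f: F) -> Vec<T>
where
    I: IntoIterator<Item = T>,
    F: Fn(&T) -> u32,
{
    iter.into_iter().filter(|item| is_member(customer_ids, f(item))).collect()
}

/// Stand-in for the canonical unauthorized error (async_graphql::Error in the PR).
pub fn unauthorized_error() -> String {
    "unauthorized".to_string()
}

/// Hypothetical resolver gate: a non-member gets the canonical error, never data.
pub fn load_for_customer(customer_ids: &Option<Vec<u32>>, requested: u32) -> Result<u32, String> {
    if is_member(customer_ids, requested) { Ok(requested) } else { Err(unauthorized_error()) }
}
```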

@codecov codecov bot commented Jan 12, 2026

Codecov Report

❌ Patch coverage is 87.14653% with 50 lines in your changes missing coverage. Please review.
✅ Project coverage is 76.13%. Comparing base (f2d6adc) to head (a196615).
⚠️ Report is 4 commits behind head on main.

Files with missing lines   Patch %   Lines
src/graphql.rs             79.42%    50 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #767      +/-   ##
==========================================
+ Coverage   75.91%   76.13%   +0.21%     
==========================================
  Files          72       73       +1     
  Lines       19935    20324     +389     
==========================================
+ Hits        15134    15473     +339     
- Misses       4801     4851      +50     


@danbi2990 danbi2990 self-requested a review January 12, 2026 02:19
@danbi2990 danbi2990 force-pushed the octoaide/issue-761-2026-01-12T01-01-36 branch 4 times, most recently from df808ee to cdc7a19, January 13, 2026 01:30
@sophie-cluml sophie-cluml self-requested a review January 14, 2026 01:40
@sophie-cluml sophie-cluml (Contributor) left a comment

I can see that this PR contains common building-block functions for upcoming tasks, and I think it is highly beneficial to have robust testing that covers not just success paths but also dangerous, edge, and boundary cases. I suggest adding the following two specific test cases, and I would like to ask you to also check whether there are any other cases that should be covered.

  • process_load_edges_filtered: Verify that the has_next/has_previous flags work correctly when all data is filtered out by the predicate, resulting in an empty list.
  • users_customers: It seems like we need test code for this.

@danbi2990 danbi2990 force-pushed the octoaide/issue-761-2026-01-12T01-01-36 branch from cdc7a19 to 1093774, January 16, 2026 04:13
@danbi2990 (Contributor)

Applied the suggested adjustment.

let user = account_map
    .get(username)?
    .ok_or_else::<async_graphql::Error, _>(|| "User not found".into())?;
Ok(user.customer_ids.clone())
Contributor

Suggested change
-Ok(user.customer_ids.clone())
+Ok(user.customer_ids)

Contributor

Updated accordingly.

@danbi2990 danbi2990 force-pushed the octoaide/issue-761-2026-01-12T01-01-36 branch from 1093774 to 4410458, January 19, 2026 00:58
@octoaide octoaide bot (Contributor, Author) commented Jan 28, 2026

@sehkone — Friendly ping: PR #767 (Add GraphQL customer authorization utilities) is approved (final approval 2026-01-18), all CI/checks are passing, and the PR is not a draft. It has been ready for merge for more than 7 days but shows mergeable_state: blocked (branch protection rules preventing merge). Could you please take a look and either merge it or advise what action is needed (e.g., adjust branch-protection requirements, grant merge rights, or request a specific additional review)? If you prefer, I can rebase or make any tiny adjustments required to satisfy branch-protection rules — please let me know the preferred next step. Thanks!

@sophie-cluml (Contributor)

@danbi2990 Could you rebase upon main please?

octoaide bot and others added 2 commits January 28, 2026 15:48 (2 files changed, 5 insertions(+))

Automated changes made by octoaide bot.
@danbi2990 danbi2990 force-pushed the octoaide/issue-761-2026-01-12T01-01-36 branch from 4410458 to a196615, January 28, 2026 06:48
@danbi2990 (Contributor)

Rebase completed.

@sehkone sehkone merged commit a92fad6 into main Jan 29, 2026
18 checks passed
@sehkone sehkone deleted the octoaide/issue-761-2026-01-12T01-01-36 branch January 29, 2026 00:26
Successfully merging this pull request may close these issues.

Shared customer-authorization utilities (graphql::auth)