Authorization Refinements (ChilliCream#6107)

src/HotChocolate/AspNetCore/test/AspNetCore.Authorization.Tests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_DefaultPolicy.graphql

@@ -3,7 +3,7 @@ schema {
 }
 
 type Query {
-  foo: String @authorize(apply: BEFORE_RESOLVER)
+  foo: String @authorize
 }
 
 enum ApplyPolicy {
@@ -12,4 +12,4 @@ enum ApplyPolicy {
   VALIDATION
 }
 
-directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = VALIDATION) repeatable on OBJECT | FIELD_DEFINITION
+directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = BEFORE_RESOLVER) repeatable on OBJECT | FIELD_DEFINITION

src/HotChocolate/AspNetCore/test/AspNetCore.Authorization.Tests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_DefaultPolicy_AfterResolver.graphql

@@ -12,4 +12,4 @@ enum ApplyPolicy {
   VALIDATION
 }
 
-directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = VALIDATION) repeatable on OBJECT | FIELD_DEFINITION
+directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = BEFORE_RESOLVER) repeatable on OBJECT | FIELD_DEFINITION

src/HotChocolate/AspNetCore/test/AspNetCore.Authorization.Tests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_DefaultPolicy_BeforeResolver.graphql

@@ -3,7 +3,7 @@ schema {
 }
 
 type Query {
-  foo: String @authorize(apply: BEFORE_RESOLVER)
+  foo: String @authorize
 }
 
 enum ApplyPolicy {
@@ -12,4 +12,4 @@ enum ApplyPolicy {
   VALIDATION
 }
 
-directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = VALIDATION) repeatable on OBJECT | FIELD_DEFINITION
+directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = BEFORE_RESOLVER) repeatable on OBJECT | FIELD_DEFINITION

src/HotChocolate/AspNetCore/test/AspNetCore.Authorization.Tests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_DefaultPolicy_Validation.graphql

@@ -3,7 +3,7 @@ schema {
 }
 
 type Query {
-  foo: String @authorize
+  foo: String @authorize(apply: VALIDATION)
 }
 
 enum ApplyPolicy {
@@ -12,4 +12,4 @@ enum ApplyPolicy {
   VALIDATION
 }
 
-directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = VALIDATION) repeatable on OBJECT | FIELD_DEFINITION
+directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = BEFORE_RESOLVER) repeatable on OBJECT | FIELD_DEFINITION

src/HotChocolate/AspNetCore/test/AspNetCore.Authorization.Tests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_WithPolicy.graphql

@@ -3,7 +3,7 @@ schema {
 }
 
 type Query {
-  foo: String @authorize(policy: "MyPolicy", apply: BEFORE_RESOLVER)
+  foo: String @authorize(policy: "MyPolicy")
 }
 
 enum ApplyPolicy {
@@ -12,4 +12,4 @@ enum ApplyPolicy {
   VALIDATION
 }
 
-directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = VALIDATION) repeatable on OBJECT | FIELD_DEFINITION
+directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = BEFORE_RESOLVER) repeatable on OBJECT | FIELD_DEFINITION

src/HotChocolate/AspNetCore/test/AspNetCore.Authorization.Tests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_WithPolicy_AfterResolver.graphql

@@ -12,4 +12,4 @@ enum ApplyPolicy {
   VALIDATION
 }
 
-directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = VALIDATION) repeatable on OBJECT | FIELD_DEFINITION
+directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = BEFORE_RESOLVER) repeatable on OBJECT | FIELD_DEFINITION

src/HotChocolate/AspNetCore/test/AspNetCore.Authorization.Tests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_WithPolicy_BeforeResolver.graphql

@@ -3,7 +3,7 @@ schema {
 }
 
 type Query {
-  foo: String @authorize(policy: "MyPolicy", apply: BEFORE_RESOLVER)
+  foo: String @authorize(policy: "MyPolicy")
 }
 
 enum ApplyPolicy {
@@ -12,4 +12,4 @@ enum ApplyPolicy {
   VALIDATION
 }
 
-directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = VALIDATION) repeatable on OBJECT | FIELD_DEFINITION
+directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = BEFORE_RESOLVER) repeatable on OBJECT | FIELD_DEFINITION

src/HotChocolate/AspNetCore/test/AspNetCore.Authorization.Tests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_WithPolicy_Validation.graphql

@@ -3,7 +3,7 @@ schema {
 }
 
 type Query {
-  foo: String @authorize(policy: "MyPolicy")
+  foo: String @authorize(policy: "MyPolicy", apply: VALIDATION)
 }
 
 enum ApplyPolicy {
@@ -12,4 +12,4 @@ enum ApplyPolicy {
   VALIDATION
 }
 
-directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = VALIDATION) repeatable on OBJECT | FIELD_DEFINITION
+directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = BEFORE_RESOLVER) repeatable on OBJECT | FIELD_DEFINITION

src/HotChocolate/AspNetCore/test/AspNetCore.Authorization.Tests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_WithRoles.graphql

@@ -12,4 +12,4 @@ enum ApplyPolicy {
   VALIDATION
 }
 
-directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = VALIDATION) repeatable on OBJECT | FIELD_DEFINITION
+directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = BEFORE_RESOLVER) repeatable on OBJECT | FIELD_DEFINITION

src/HotChocolate/AspNetCore/test/AspNetCore.Authorization.Tests/__snapshots__/AuthorizeDirectiveTests.TypeAuth_DefaultPolicy.graphql

@@ -2,7 +2,7 @@ schema {
   query: Query
 }
 
-type Query @authorize(apply: BEFORE_RESOLVER) {
+type Query @authorize {
   foo: String
 }
 
@@ -12,4 +12,4 @@ enum ApplyPolicy {
   VALIDATION
 }
 
-directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = VALIDATION) repeatable on OBJECT | FIELD_DEFINITION
+directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = BEFORE_RESOLVER) repeatable on OBJECT | FIELD_DEFINITION

src/HotChocolate/AspNetCore/test/AspNetCore.Authorization.Tests/__snapshots__/AuthorizeDirectiveTests.TypeAuth_WithPolicy.graphql

@@ -2,7 +2,7 @@ schema {
   query: Query
 }
 
-type Query @authorize(policy: "MyPolicy", apply: BEFORE_RESOLVER) {
+type Query @authorize(policy: "MyPolicy") {
   foo: String
 }
 
@@ -12,4 +12,4 @@ enum ApplyPolicy {
   VALIDATION
 }
 
-directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = VALIDATION) repeatable on OBJECT | FIELD_DEFINITION
+directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = BEFORE_RESOLVER) repeatable on OBJECT | FIELD_DEFINITION

src/HotChocolate/AspNetCore/test/AspNetCore.Authorization.Tests/__snapshots__/AuthorizeDirectiveTests.TypeAuth_WithRoles.graphql

@@ -12,4 +12,4 @@ enum ApplyPolicy {
   VALIDATION
 }
 
-directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = VALIDATION) repeatable on OBJECT | FIELD_DEFINITION
+directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = BEFORE_RESOLVER) repeatable on OBJECT | FIELD_DEFINITION

src/HotChocolate/AspNetCore/test/AspNetCore.Authorization.Tests/__snapshots__/AuthorizeSchemaTests.AuthorizeOnExtension.snap

@@ -1,5 +1,19 @@
 {
-  "data": {
-    "bar": "bar"
-  }
+  "errors": [
+    {
+      "message": "The current user is not authorized to access this resource.",
+      "locations": [
+        {
+          "line": 1,
+          "column": 3
+        }
+      ],
+      "path": [
+        "bar"
+      ],
+      "extensions": {
+        "code": "AUTH_NOT_AUTHORIZED"
+      }
+    }
+  ]
 }

src/HotChocolate/Core/src/Abstractions/WellKnownMiddleware.cs

@@ -82,12 +82,12 @@ public static class WellKnownMiddleware
     public const string MutationErrorNull = "HotChocolate.Types.Mutations.Errors.Null";
 
     /// <summary>
-    ///The key identifies the mutation result middleware.
+    /// The key identifies the mutation result middleware.
     /// </summary>
     public const string MutationResult = "HotChocolate.Types.Mutations.Result";
 
     /// <summary>
-    ///The key identifies the authorization middleware.
+    /// The key identifies the authorization middleware.
     /// </summary>
     public const string Authorization = "HotChocolate.Authorization";
 }

src/HotChocolate/Core/src/Authorization/AuthorizationOptions.cs

@@ -8,12 +8,6 @@ namespace HotChocolate.Authorization;
 /// </summary>
 public class AuthorizationOptions
 {
-    /// <summary>
-    /// Gets or sets a delegate that can be used to prevent authorization
-    /// directives from being applied to the node field.
-    /// </summary>
-    public Func<AuthorizeDirective, bool> SkipNodeFields { get; set; } = _ => false;
-
     /// <summary>
     /// Gets or sets a hook that can be used to apply authorization
     /// policies to the node and nodes field.