Merge pull request #3 from matthewsullivan/feature/use-token-in-request-header

Feature/use request authorization header

Author: matthewsullivan

app/controllers/graphql_controller.rb

@@ -5,8 +5,7 @@ def execute
     variables = prepare_variables(params[:variables])
     query = params[:query]
     operation_name = params[:operationName]
-    token = variables&.dig(:input, :arguments, :token)
-    context = { current_user: current_user(token) }
+    context = { current_user: current_user }
     result = RubyJwtPostgresAuthSchema.execute(
       query,
       variables: variables,
@@ -22,8 +21,9 @@ def execute
 
   private
 
-  def current_user(token)
-    return unless token
+  def current_user
+    token = request.headers['Authorization']&.split(' ')&.last
+    return if token.blank?
 
     JwtHelper.logged_in_user(token)
   end

app/graph/user/mutations/update_user.rb

@@ -10,7 +10,7 @@ def resolve(arguments:)
       current_user = context[:current_user]
       raise StandardError unless current_user
 
-      current_user.update!(arguments.to_hash.except!(:token))
+      current_user.update!(arguments.to_hash)
       { user: current_user }
     rescue ActiveRecord::RecordInvalid => e
       GraphQL::ExecutionError.new("Invalid input: #{e.record.errors.full_messages.join(', ')}")

app/graph/user/types/input/fetch_user.rb

@@ -5,6 +5,5 @@ class FetchUser < Base::Types::BaseInputObject
     description 'Input for fetching a user'
 
     argument :id, String, required: true
-    argument :token, String, required: true
   end
 end

app/graph/user/types/input/update_user.rb

@@ -8,6 +8,5 @@ class UpdateUser < Base::Types::BaseInputObject
     argument :first_name, String, required: false
     argument :last_name, String, required: false
     argument :password, String, required: false
-    argument :token, String, required: true
   end
 end

test/graph/mutations/update_user_test.rb

@@ -20,19 +20,19 @@ def perform(args = {})
           }
         }
       GRAPHQL
-      post '/graph', params: { query: query, variables: args }
+      post '/graph', params: { query: query, variables: args }, headers: { 'HTTP_AUTHORIZATION' => "Bearer: #{@token}" }
       JSON.parse(@response.body)
     end
 
     test 'should not update without valid token' do
       parameters = {
         input: {
           arguments: {
-            email: 'janedoe@localhost.com',
-            token: ''
+            email: 'janedoe@localhost.com'
           }
         }
       }
+      @token = ''
       result = perform(parameters)
 
       assert_equal('Must be logged in to access requested resource', result['errors'][0]['message'])
@@ -45,8 +45,7 @@ def perform(args = {})
             firstName: 'Jonathan',
             lastName: 'D.',
             email: 'jonathandoe@localhost.com',
-            password: '!a1B2c3D4e5F6g!',
-            token: @token
+            password: '!a1B2c3D4e5F6g!'
           }
         }
       }
@@ -62,8 +61,7 @@ def perform(args = {})
       parameters = {
         input: {
           arguments: {
-            firstName: '',
-            token: @token
+            firstName: ''
           }
         }
       }
@@ -76,8 +74,7 @@ def perform(args = {})
       parameters = {
         input: {
           arguments: {
-            lastName: '',
-            token: @token
+            lastName: ''
           }
         }
       }
@@ -90,8 +87,7 @@ def perform(args = {})
       parameters = {
         input: {
           arguments: {
-            email: '',
-            token: @token
+            email: ''
           }
         }
       }
@@ -104,8 +100,7 @@ def perform(args = {})
       parameters = {
         input: {
           arguments: {
-            email: 'janedoe@localhost.com',
-            token: @token
+            email: 'janedoe@localhost.com'
           }
         }
       }

test/graph/queries/fetch_user_test.rb

@@ -20,7 +20,7 @@ def perform(args = {})
           }
         }
       GRAPHQL
-      post '/graph', params: { query: query, variables: args }
+      post '/graph', params: { query: query, variables: args }, headers: { 'HTTP_AUTHORIZATION' => "Bearer: #{@token}" }
       JSON.parse(@response.body)
     end
 
@@ -30,8 +30,7 @@ def perform(args = {})
       parameters = {
         input: {
           arguments: {
-            id: encoded_id,
-            token: @token
+            id: encoded_id
           }
         }
       }
@@ -47,11 +46,11 @@ def perform(args = {})
       parameters = {
         input: {
           arguments: {
-            id: 'A1b2C3d4',
-            token: ''
+            id: 'A1b2C3d4'
           }
         }
       }
+      @token = ''
       result = perform(parameters)
 
       assert_equal('Must be logged in to access requested resource', result['errors'][0]['message'])
@@ -61,8 +60,7 @@ def perform(args = {})
       parameters = {
         input: {
           arguments: {
-            id: '124',
-            token: @token
+            id: 'A1b2C3d4'
           }
         }
       }