Add AllowAnonymous extension method and attribute (graphql-dotnet#3079)

Author: Shane32

docs2/site/docs/migrations/migration5.md

@@ -602,12 +602,13 @@ There are a number of other minor issues fixed; see these links for more details
 - https://github.com/graphql-dotnet/graphql-dotnet/issues/3002
 - https://github.com/graphql-dotnet/graphql-dotnet/pull/3004
 
-### 20. `Authorize` and `AuthorizeWithRoles` extension methods added in GraphQL 5.1.0 and 5.1.1
+### 20. `Authorize`, `AuthorizeWithRoles` and `AllowAnonymous` extension methods added in GraphQL 5.1.0 and 5.1.1
 
-This allows for specifying roles rather than just policies that can be used to validate a request.
+`AuthorizeWithRoles` allows for specifying roles rather than just policies that can be used to validate a request.
 `Authorize` can be used to specify that only authentication is required, without specifying any specific roles or policies.
-As with `AuthorizeWithPolicy` (renamed from `AuthorizeWith`), it requires support by a third-party
-library to perform the validation.
+`AllowAnonymous` typically indicates that anonymous access should be allowed to a field of a graph type requiring authorization,
+providing that no other fields were selected. As with `AuthorizeWithPolicy` (renamed from `AuthorizeWith`), these
+new methods require support by a third-party library to perform the validation.
 
 Similar to the ASP.NET Core `AuthorizeAttribute`, the new `AuthorizeWithRoles` method accepts
 a comma-separated list of role names that would allow access to the graph or field.
@@ -622,6 +623,9 @@ You may also supply a list of strings as in the following example:
 graph.AuthorizeWithRoles("Administrators", "Managers");
 ```
 
+For schema-first and "type-first" graphs, the `[GraphQLAuthorize]` has been updated to support roles and can now
+be used without any policy or role names, and an `[AllowAnonymous]` attribute has been added.
+
 ### 21. `RequestServices` added to `ValidationContext` in GraphQL 5.1.0
 
 This allows for validation rules to access scoped services if necessary.

src/GraphQL.ApiTests/net6/GraphQL.approved.txt

@@ -1,10 +1,20 @@
 namespace GraphQL
 {
+    [System.AttributeUsage(System.AttributeTargets.Method | System.AttributeTargets.Property | System.AttributeTargets.Field)]
+    public class AllowAnonymousAttribute : GraphQL.GraphQLAttribute
+    {
+        public AllowAnonymousAttribute() { }
+        public override void Modify(GraphQL.Utilities.FieldConfig field) { }
+        public override void Modify(GraphQL.Types.FieldType fieldType, bool isInputType) { }
+    }
     public static class AuthorizationExtensions
     {
+        public const string ANONYMOUS_KEY = "Authorization__AllowAnonymous";
         public const string AUTHORIZE_KEY = "Authorization__Required";
         public const string POLICY_KEY = "Authorization__Policies";
         public const string ROLE_KEY = "Authorization__Roles";
+        public static TMetadataProvider AllowAnonymous<TMetadataProvider>(this TMetadataProvider provider)
+            where TMetadataProvider : GraphQL.Types.IProvideMetadata { }
         public static TMetadataProvider Authorize<TMetadataProvider>(this TMetadataProvider provider)
             where TMetadataProvider : GraphQL.Types.IProvideMetadata { }
         [System.Obsolete("Please use AuthorizeWithPolicy instead. Will be removed in v6.")]
@@ -28,6 +38,9 @@ namespace GraphQL
         public static GraphQL.Builders.FieldBuilder<TSourceType, TReturnType> AuthorizeWithRoles<TSourceType, TReturnType>(this GraphQL.Builders.FieldBuilder<TSourceType, TReturnType> builder, params string[] roles) { }
         public static System.Collections.Generic.List<string>? GetPolicies(this GraphQL.Types.IProvideMetadata provider) { }
         public static System.Collections.Generic.List<string>? GetRoles(this GraphQL.Types.IProvideMetadata provider) { }
+        public static bool IsAnonymousAllowed(this GraphQL.Types.IProvideMetadata provider) { }
+        public static bool IsAuthorizationRequired(this GraphQL.Types.IProvideMetadata provider) { }
+        [System.Obsolete("Please use IsAuthorizationRequired. Will be removed in v6.")]
         public static bool RequiresAuthorization(this GraphQL.Types.IProvideMetadata provider) { }
     }
     public class AuthorizeAttribute : GraphQL.GraphQLAttribute

src/GraphQL.ApiTests/netstandard20+netstandard21/GraphQL.approved.txt

@@ -1,10 +1,20 @@
 namespace GraphQL
 {
+    [System.AttributeUsage(System.AttributeTargets.Method | System.AttributeTargets.Property | System.AttributeTargets.Field)]
+    public class AllowAnonymousAttribute : GraphQL.GraphQLAttribute
+    {
+        public AllowAnonymousAttribute() { }
+        public override void Modify(GraphQL.Utilities.FieldConfig field) { }
+        public override void Modify(GraphQL.Types.FieldType fieldType, bool isInputType) { }
+    }
     public static class AuthorizationExtensions
     {
+        public const string ANONYMOUS_KEY = "Authorization__AllowAnonymous";
         public const string AUTHORIZE_KEY = "Authorization__Required";
         public const string POLICY_KEY = "Authorization__Policies";
         public const string ROLE_KEY = "Authorization__Roles";
+        public static TMetadataProvider AllowAnonymous<TMetadataProvider>(this TMetadataProvider provider)
+            where TMetadataProvider : GraphQL.Types.IProvideMetadata { }
         public static TMetadataProvider Authorize<TMetadataProvider>(this TMetadataProvider provider)
             where TMetadataProvider : GraphQL.Types.IProvideMetadata { }
         [System.Obsolete("Please use AuthorizeWithPolicy instead. Will be removed in v6.")]
@@ -28,6 +38,9 @@ namespace GraphQL
         public static GraphQL.Builders.FieldBuilder<TSourceType, TReturnType> AuthorizeWithRoles<TSourceType, TReturnType>(this GraphQL.Builders.FieldBuilder<TSourceType, TReturnType> builder, params string[] roles) { }
         public static System.Collections.Generic.List<string>? GetPolicies(this GraphQL.Types.IProvideMetadata provider) { }
         public static System.Collections.Generic.List<string>? GetRoles(this GraphQL.Types.IProvideMetadata provider) { }
+        public static bool IsAnonymousAllowed(this GraphQL.Types.IProvideMetadata provider) { }
+        public static bool IsAuthorizationRequired(this GraphQL.Types.IProvideMetadata provider) { }
+        [System.Obsolete("Please use IsAuthorizationRequired. Will be removed in v6.")]
         public static bool RequiresAuthorization(this GraphQL.Types.IProvideMetadata provider) { }
     }
     public class AuthorizeAttribute : GraphQL.GraphQLAttribute

src/GraphQL.Tests/AuthorizationTests.cs

@@ -8,9 +8,9 @@ public class AuthorizationTests
     public void Field()
     {
         var field = new FieldType();
-        field.RequiresAuthorization().ShouldBeFalse();
+        field.IsAuthorizationRequired().ShouldBeFalse();
         field.AuthorizeWith("Policy1");
-        field.RequiresAuthorization().ShouldBeTrue();
+        field.IsAuthorizationRequired().ShouldBeTrue();
         field.AuthorizeWith("Policy2");
         field.AuthorizeWith("Policy2");
         field.AuthorizeWithPolicy("Policy3");
@@ -20,7 +20,7 @@ public void Field()
         field.AuthorizeWithRoles("Role1", "Role4");
         field.AuthorizeWithRoles("");
 
-        field.RequiresAuthorization().ShouldBeTrue();
+        field.IsAuthorizationRequired().ShouldBeTrue();
         field.GetPolicies().ShouldBe(new string[] { "Policy1", "Policy2", "Policy3" });
         field.GetRoles().ShouldBe(new string[] { "Role1", "Role2", "Role3", "Role4" });
     }
@@ -33,16 +33,25 @@ public void NoRoles()
         field.AuthorizeWithRoles("");
         field.AuthorizeWithRoles(" ");
         field.AuthorizeWithRoles(",");
-        field.RequiresAuthorization().ShouldBeTrue();
+        field.IsAuthorizationRequired().ShouldBeTrue();
+    }
+
+    [Fact]
+    public void AllowAnonymous()
+    {
+        var field = new FieldType();
+        field.IsAnonymousAllowed().ShouldBeFalse();
+        field.AllowAnonymous();
+        field.IsAnonymousAllowed().ShouldBeTrue();
     }
 
     [Fact]
     public void Authorize()
     {
         var field = new FieldType();
-        field.RequiresAuthorization().ShouldBeFalse();
+        field.IsAuthorizationRequired().ShouldBeFalse();
         field.Authorize();
-        field.RequiresAuthorization().ShouldBeTrue();
+        field.IsAuthorizationRequired().ShouldBeTrue();
     }
 
     [Fact]
@@ -60,7 +69,7 @@ public void FieldBuilder()
             .AuthorizeWithRoles("Role1", "Role4");
 
         var field = graph.Fields.Find("Field");
-        field.RequiresAuthorization().ShouldBeTrue();
+        field.IsAuthorizationRequired().ShouldBeTrue();
         field.GetPolicies().ShouldBe(new string[] { "Policy1", "Policy2", "Policy3" });
         field.GetRoles().ShouldBe(new string[] { "Role1", "Role2", "Role3", "Role4" });
     }
@@ -81,7 +90,7 @@ public void ConnectionBuilder()
             .AuthorizeWithRoles("Role1", "Role4");
 
         var field = graph.Fields.Find("Field");
-        field.RequiresAuthorization().ShouldBeTrue();
+        field.IsAuthorizationRequired().ShouldBeTrue();
         field.GetPolicies().ShouldBe(new string[] { "Policy1", "Policy2", "Policy3" });
         field.GetRoles().ShouldBe(new string[] { "Role1", "Role2", "Role3", "Role4" });
     }
@@ -90,19 +99,26 @@ public void ConnectionBuilder()
     public void AutoOutputGraphType()
     {
         var graph = new AutoRegisteringObjectGraphType<Class1>();
-        graph.RequiresAuthorization().ShouldBeTrue();
+        graph.IsAuthorizationRequired().ShouldBeTrue();
+        graph.IsAnonymousAllowed().ShouldBeFalse();
         graph.GetPolicies().ShouldBe(new string[] { "Policy1", "Policy2", "Policy3" });
         graph.GetRoles().ShouldBe(new string[] { "Role1", "Role2", "Role3" });
 
-        graph.Fields.Find("Id").RequiresAuthorization().ShouldBeFalse();
+        graph.Fields.Find("Id").IsAuthorizationRequired().ShouldBeFalse();
 
         var field = graph.Fields.Find("Name");
-        field.RequiresAuthorization().ShouldBeTrue();
+        field.IsAuthorizationRequired().ShouldBeTrue();
+        field.IsAnonymousAllowed().ShouldBeFalse();
         field.GetPolicies().ShouldBe(new string[] { "Policy1", "Policy2", "Policy3" });
         field.GetRoles().ShouldBe(new string[] { "Role1", "Role2", "Role3" });
 
         field = graph.Fields.Find("Value");
-        field.RequiresAuthorization().ShouldBeTrue();
+        field.IsAuthorizationRequired().ShouldBeTrue();
+        field.IsAnonymousAllowed().ShouldBeFalse();
+
+        field = graph.Fields.Find("Public");
+        field.IsAuthorizationRequired().ShouldBeFalse();
+        field.IsAnonymousAllowed().ShouldBeTrue();
     }
 
     [Fact]
@@ -114,23 +130,31 @@ type Class1 {
   id: String!
   name: String!
   value: String!
+  public: String!
 }",
             configure => configure.Types.Include<Class1>());
 
         var graph = (ObjectGraphType)schema.AllTypes["Class1"];
-        graph.RequiresAuthorization().ShouldBeTrue();
+        graph.IsAuthorizationRequired().ShouldBeTrue();
+        graph.IsAnonymousAllowed().ShouldBeFalse();
         graph.GetPolicies().ShouldBe(new string[] { "Policy1", "Policy2", "Policy3" });
         graph.GetRoles().ShouldBe(new string[] { "Role1", "Role2", "Role3" });
 
-        graph.Fields.Find("id").RequiresAuthorization().ShouldBeFalse();
+        graph.Fields.Find("id").IsAuthorizationRequired().ShouldBeFalse();
 
         var field = graph.Fields.Find("name");
-        field.RequiresAuthorization().ShouldBeTrue();
+        field.IsAuthorizationRequired().ShouldBeTrue();
+        field.IsAnonymousAllowed().ShouldBeFalse();
         field.GetPolicies().ShouldBe(new string[] { "Policy1", "Policy2", "Policy3" });
         field.GetRoles().ShouldBe(new string[] { "Role1", "Role2", "Role3" });
 
         field = graph.Fields.Find("value");
-        field.RequiresAuthorization().ShouldBeTrue();
+        field.IsAuthorizationRequired().ShouldBeTrue();
+        field.IsAnonymousAllowed().ShouldBeFalse();
+
+        field = graph.Fields.Find("public");
+        field.IsAuthorizationRequired().ShouldBeFalse();
+        field.IsAnonymousAllowed().ShouldBeTrue();
     }
 
     [Authorize("Policy1")]
@@ -151,5 +175,7 @@ private class Class1
         public string Name { get; set; }
         [Authorize]
         public string Value { get; set; }
+        [AllowAnonymous]
+        public string Public { get; set; }
     }
 }

src/GraphQL/Authorization/AllowAnonymousAttribute.cs

@@ -0,0 +1,24 @@
+using GraphQL.Types;
+using GraphQL.Utilities;
+
+namespace GraphQL;
+
+/// <summary>
+/// Attribute to typically indicate that anonymous access should be allowed to a field of a graph type
+/// requiring authorization, providing that no other fields were selected.
+/// </summary>
+[AttributeUsage(AttributeTargets.Property | AttributeTargets.Method | AttributeTargets.Field)]
+public class AllowAnonymousAttribute : GraphQLAttribute
+{
+    /// <inheritdoc />
+    public override void Modify(FieldConfig field)
+    {
+        field.AllowAnonymous();
+    }
+
+    /// <inheritdoc />
+    public override void Modify(FieldType fieldType, bool isInputType)
+    {
+        fieldType.AllowAnonymous();
+    }
+}

src/GraphQL/Authorization/AuthorizationExtensions.cs

@@ -26,6 +26,12 @@ public static class AuthorizationExtensions
         /// </summary>
         public const string AUTHORIZE_KEY = "Authorization__Required";
 
+        /// <summary>
+        /// Metadata key name for typically indicating if anonymous access should be allowed to a field of a graph type
+        /// requiring authorization, providing that no other fields were selected.
+        /// </summary>
+        public const string ANONYMOUS_KEY = "Authorization__AllowAnonymous";
+
         /// <summary>
         /// Gets a list of authorization policy names for the specified metadata provider if any.
         /// Otherwise returns <see langword="null"/>.
@@ -48,6 +54,23 @@ public static class AuthorizationExtensions
         /// <returns> List of authorization role names applied to this metadata provider. </returns>
         public static List<string>? GetRoles(this IProvideMetadata provider) => provider.GetMetadata<List<string>>(ROLE_KEY);
 
+        /// <summary>
+        /// Returns a boolean typically indicating if anonymous access should be allowed to a field of a graph type
+        /// requiring authorization, providing that no other fields were selected.
+        /// </summary>
+        public static bool IsAnonymousAllowed(this IProvideMetadata provider) => provider.GetMetadata(ANONYMOUS_KEY, false);
+
+        /// <summary>
+        /// Adds metadata to typically indicate that anonymous access should be allowed to a field of a graph type
+        /// requiring authorization, providing that no other fields were selected.
+        /// </summary>
+        public static TMetadataProvider AllowAnonymous<TMetadataProvider>(this TMetadataProvider provider)
+            where TMetadataProvider : IProvideMetadata
+        {
+            provider.Metadata[ANONYMOUS_KEY] = true;
+            return provider;
+        }
+
         /// <summary>
         /// Gets a boolean value that determines whether any authorization policy is applied to this metadata provider.
         /// </summary>
@@ -56,9 +79,14 @@ public static class AuthorizationExtensions
         /// <see cref="FieldType"/>, <see cref="Schema"/> or others.
         /// </param>
         /// <returns> <c>true</c> if any authorization policy is applied, otherwise <c>false</c>. </returns>
-        public static bool RequiresAuthorization(this IProvideMetadata provider)
+        public static bool IsAuthorizationRequired(this IProvideMetadata provider)
             => provider.GetMetadata(AUTHORIZE_KEY, false) || GetPolicies(provider)?.Count > 0 || GetRoles(provider)?.Count > 0;
 
+        /// <inheritdoc cref="IsAuthorizationRequired(IProvideMetadata)"/>
+        [Obsolete("Please use IsAuthorizationRequired. Will be removed in v6.")]
+        public static bool RequiresAuthorization(this IProvideMetadata provider)
+            => provider.IsAuthorizationRequired();
+
         /// <summary>
         /// Adds metadata to indicate that the resource requires that the user has successfully authenticated.
         /// </summary>