Merge pull request rmosolgo#965 from rmosolgo/pro-156

Release graphql-pro 1.5.6

Author: Robert Mosolgo

CHANGELOG-pro.md

@@ -8,8 +8,22 @@
 
 ### Bug Fix
 
+## 1.5.6 (19 Sept 2017)
+
+### New Features
+
+- Add `authorization(..., operation_store:)` option for authorizing operation store requests
+
+## 1.5.5 (18 Sept 2017)
+
+### New Features
+
+- Support `ConnectionType.bidrectional_pagination?` in stable RelationConnection
+
 ## 1.5.4 (18 Sept 2017)
 
+### Bug Fix
+
 - Fix load issue when Rails is not present
 
 ## 1.5.3 (4 Sept 2017)

guides/javascript_client/apollo_subscriptions.md

@@ -43,4 +43,4 @@ var OperationStoreClient = require("./OperationStoreClient")
 RailsNetworkInterface.use([OperationStoreClient.apolloMiddleware])
 ```
 
-See the Subscriptions guide for information about server-side setup.
+See the {% internal_link "Subscriptions guide", "/subscriptions/overview" %} for information about server-side setup.

guides/javascript_client/relay_subscriptions.md

@@ -31,4 +31,4 @@ var subscriptionHandler = createHandler({
 var network = Network.create(fetchQuery, subscriptionHandler)
 ```
 
-See the Subscriptions guide for information about server-side setup.
+See the {% internal_link "Subscriptions guide", "/subscriptions/overview" %} for information about server-side setup.

guides/javascript_client/sync.md

@@ -15,7 +15,7 @@ JavaScript support for GraphQL projects using [graphql-pro](http://graphql.pro)'
 - [Plain JS support](#use-with-plain-javascript)
 - [Authorization](#authorization)
 
-See the [server-side docs on http://graphql-ruby.org](http://graphql-ruby.org/operation_store/overview)
+See the {% internal_link "OperationStore guide", "/operation_store/overview" %} for server-side setup.
 
 ## `sync` utility
 
@@ -36,10 +36,10 @@ Generating client module in app/javascript/graphql/OperationStoreClient.js...
 
 option | description
 --------|----------
-`--url` | [Sync API](http://graphql-ruby.org/operation_store/getting_started.html#add-routes) url
+`--url` | {% internal_link "Sync API", "/operation_store/getting_started.html#add-routes" %} url
 `--path` | Local directory to search for `.graphql` / `.graphql.js` files
-`--client` | Client ID ([created on server](http://graphql-ruby.org/operation_store/client_workflow))
-`--secret` | Client Secret ([created on server](http://graphql-ruby.org/operation_store/client_workflow))
+`--client` | Client ID ({% internal_link "created on server", "/operation_store/client_workflow" %})
+`--secret` | Client Secret ({% internal_link "created on server", "/operation_store/client_workflow" %})
 `--outfile` | Destination for generated JS code
 
 You can see these and a few others with `graphql-ruby-client sync --help`.
@@ -140,7 +140,7 @@ $.post("/graphql", {
 
 ## Authorization
 
-`OperationStore` uses HMAC-SHA256 to [authenticate requests](http://graphql-ruby.org/operation_store/authentication).
+`OperationStore` uses HMAC-SHA256 to {% internal_link "authenticate requests" , "/operation_store/access_control" %}.
 
 Pass the key to `graphql-ruby-client sync` as `--secret` to authenticate it:
 

guides/operation_store/access_control.md

@@ -0,0 +1,71 @@
+---
+layout: guide
+search: true
+section: GraphQL Pro - OperationStore
+title: Access Control
+desc: Manage authentication & visibility for your OperationStore server.
+index: 4
+---
+
+There are two considerations for incoming `sync` requests:
+
+- __Authentication__: is this request coming from a legitimate source?
+- __Authorization__: does this source have permission to save these queries?
+
+## Authentication
+
+When you [add a client]({{ site.base_url }}/operation_store/client_workflow#add-a-client), you also associate a _secret_ with that client. You can use the default or provide your own and you can update a client secret at any time. By updating a secret, old secrets become invalid.
+
+This secret is used to add an authorization header, generated with HMAC-SHA256. With this header, the server can assert:
+
+- The request came from an authorized client
+- The request was not corrupted in transit
+
+For more info about HMAC, see [Wikipedia](https://en.wikipedia.org/wiki/Hash-based_message_authentication_code) or Ruby's [OpenSSL::HMAC](https://ruby-doc.org/stdlib-2.4.0/libdoc/openssl/rdoc/OpenSSL/HMAC.html) support.
+
+The Authorization header takes the form:
+
+```ruby
+"GraphQL::Pro #{client_name} #{hmac}"
+```
+
+[`graphql-ruby-client`](http://github.com/rmosolgo/graphql-ruby-client) adds this header to outgoing requests by using the provided `--client` and `--secret` values.
+
+## Authorization
+
+Incoming operations are validated. If you're using `GraphQL::Pro`'s {% internal_link "visibility authorization", "/pro/authorization#visibility-authorization" %}, you must determine whether the current client can _see_ the types and fields which are used in the operation.
+
+You can implement authorization for incoming queries with the `authorize(..., operation_store:)` option, which accepts a {% internal_link "auth strategy class", "/pro/authorization#custom-authorization-strategy" %}, for example:
+
+```ruby
+authorize(:pundit, operation_store: OperationStoreStrategy)
+# Or:
+authorize(MyAuthStrategy, operation_store: OperationStoreStrategy)
+```
+
+This strategy class is used _only_ for incoming persisted operations. The strategy class may use `ctx[:current_client_name]`, which is added by the OperationStore.
+
+Here's an example strategy class which allows `"stafftools"` apps to use `view: :admin` fields, but hides those fields from everyone else:
+
+```ruby
+class OperationStoreStrategy
+  def initialize(ctx)
+    @client_name = ctx[:current_client_name]
+  end
+
+  # Only stafftools apps can save queries with `:admin` fields
+  # Anyone can save queries with `:public` fields.
+  def allowed?(gate, _obj)
+    case gate.role
+    when :admin
+      @client_name == "stafftools"
+    when :public
+      true
+    else
+      raise "Unexpected auth role: #{gate.role}"
+    end
+  end
+end
+```
+
+If you don't specify a strategy, the default is to fail all `view:` checks. This way, private fields are _not_ disclosed via OperationStore requests.

guides/operation_store/authentication.md

@@ -22,7 +22,7 @@ Clients are registered via {% internal_link "the UI","/operation_store/getting_s
 
 {{ "/operation_store/add_a_client.png" | link_to_img:"Add a Client for Persisted Queries" }}
 
-A default `secret` is provided for you, but you can also enter your own. The `secret` is used for {% internal_link "HMAC authentication", "/operation_store/authentication" %}.
+A default `secret` is provided for you, but you can also enter your own. The `secret` is used for {% internal_link "HMAC authentication", "/operation_store/access_control" %}.
 
 (Are you interested in a Ruby API for this? Please {% open_an_issue "OperationStore Ruby API" %} or email `[email protected]`.)
 
@@ -35,7 +35,7 @@ The easiest way to sync is with `graphql-ruby-client sync`, a command-line tool
 In short, it:
 
 - Finds GraphQL queries from `.graphql` files or `relay-compiler` output in the provided `--path`
-- Adds an {% internal_link "Authentication header","/operation_store/authentication" %} based on the provided `--client` and `--secret`
+- Adds an {% internal_link "Authentication header","/operation_store/access_control" %} based on the provided `--client` and `--secret`
 - Sends the operations to the provided `--url`
 - Generates a JavaScript module into the provided `--outfile`
 
@@ -68,4 +68,4 @@ The server will use those values to fetch an operation from the database.
 
 #### Next Steps
 
-Learn more about `OperationStore`'s {% internal_link "authentication", "/operation_store/authentication" %} or read some tips for {% internal_link "server management","/operation_store/server_management" %}.
+Learn more about `OperationStore`'s {% internal_link "authentication", "/operation_store/access_control" %} or read some tips for {% internal_link "server management","/operation_store/server_management" %}.

guides/operation_store/client_workflow.md

@@ -19,7 +19,7 @@ In other guides, you can read more about:
 
 - {% internal_link "Getting Started","/operation_store/getting_started" %} installing `OperationStore` in your app
 - {% internal_link "Workflow","/operation_store/client_workflow" %} and usage for client apps
-- {% internal_link "Authentication","/operation_store/authentication" %} for the sync API
+- {% internal_link "Authentication","/operation_store/access_control" %} for the sync API
 - {% internal_link "Server Management","/operation_store/server_management" %} after your system is running
 
 ### What are Persisted Queries?
@@ -101,7 +101,7 @@ Persisted queries improve _visibility_ because you can track GraphQL usage from
 
 `OperationStore` uses tables in your database to store normalized, deduplicated GraphQL strings. The database is immutable: new operations may be added, but operations are never modified or removed.
 
-When clients {% internal_link "sync their operations","/operation_store/client_workflow" %}, requests are {% internal_link "authenticated","/operation_store/authentication" %}, then the incoming GraphQL is validated, normalized, and added to the database if needed. Also, the incoming client name is associated with all operations in the payload.
+When clients {% internal_link "sync their operations","/operation_store/client_workflow" %}, requests are {% internal_link "authenticated","/operation_store/access_control" %}, then the incoming GraphQL is validated, normalized, and added to the database if needed. Also, the incoming client name is associated with all operations in the payload.
 
 Then, at runtime, clients send an _operation ID_ to run a persisted query. It looks like this in `params`:
 

guides/operation_store/overview.md

@@ -335,11 +335,7 @@ You can provide custom authorization logic by providing a class:
 
 ```ruby
 MySchema = GraphQL::Schema.define do
-  # choose one:
-  authorization(:pundit)
-  # or:
-  authorization(:cancan)
-  # or:
+  # Custom authorization strategy class:
   authorization(MyAuthStrategy)
 end
 ```

guides/pro/authorization.md

@@ -0,0 +1 @@
+8657b73725fe9390deeaf37f5d6a902cbd2939f8039a9ef0e96d3a7000ab5f835023aa323dad399ef8a00c8686dca5397295b8aadaa9367105976720c9dc9e61

guides/pro/checksums/graphql-pro-1.5.5.txt

@@ -0,0 +1 @@
+928afc8c4526b1869a9e88b2e62115a97d9a062e5bc36a3393a85d887a038da293a08e9baa828d6121a1d0a03974aff7b91bed7cb38d30ebe5dbb5e3e8f96cf7