Dont install peer dependencies automatically with npm in Docker (#412)

Co-authored-by: theguild-bot <[email protected]>

.changeset/yellow-peas-relax.md

@@ -0,0 +1,5 @@
+---
+'@graphql-hive/gateway': patch
+---
+
+Dont install peer dependencies automatically with npm in Docker

.github/workflows/examples.yml

@@ -45,6 +45,7 @@ jobs:
           - programmatic-batching
           - subscriptions-with-transforms
           - type-merging-batching
+          - operation-field-permissions
     name: Convert ${{matrix.e2e}}
     runs-on: ubuntu-latest
     steps:

docker-bake.hcl

@@ -21,27 +21,50 @@ target "gateway" {
   ]
 }
 
+target "gateway_bun" {
+  context = "packages/gateway"
+  dockerfile = "bun.Dockerfile"
+  platforms = ["linux/amd64", "linux/arm64"]
+  tags = formatlist("ghcr.io/graphql-hive/gateway:%s-bun", split(",", GATEWAY_TAGS))
+  annotations = [
+    "index:org.opencontainers.image.title=Hive Gateway on Bun",
+    "index:org.opencontainers.image.description=GraphQL Gateway by The Guild that can act as a Apollo Federation Gateway or a Proxy Gateway for any GraphQL service.",
+    "index:org.opencontainers.image.authors=The Guild",
+    "index:org.opencontainers.image.licenses=MIT",
+    "index:org.opencontainers.image.source=https://github.com/graphql-hive/gateway/tree/main/packages/gateway",
+    "index:org.opencontainers.image.documentation=https://the-guild.dev/graphql/hive/docs/gateway/deployment/docker"
+  ]
+}
+
 //
 
 group "e2e" {
-  targets = ["gateway_e2e", "gateway_e2e_openapi-javascript-wiki"]
+  targets = [
+    "gateway_e2e",
+    "gateway_e2e_openapi-javascript-wiki",
+    "gateway_e2e_operation-field-permissions"
+  ]
 }
 
 group "e2e_bun" {
-  targets = ["gateway_e2e_bun",  "gateway_e2e_openapi-javascript-wiki_bun"]
+  targets = [
+    "gateway_e2e_bun",
+    "gateway_e2e_openapi-javascript-wiki_bun",
+    "gateway_e2e_operation-field-permissions_bun"
+  ]
 }
 
 target "gateway_e2e" {
   context = "packages/gateway"
   dockerfile = "node.Dockerfile"
   tags = ["ghcr.io/graphql-hive/gateway:e2e"]
 }
-
 target "gateway_e2e_bun" {
   context = "packages/gateway"
   dockerfile = "bun.Dockerfile"
   tags = ["ghcr.io/graphql-hive/gateway:e2e-bun"]
 }
+
 target "gateway_e2e_openapi-javascript-wiki" {
   context = "e2e/openapi-javascript-wiki"
   dockerfile = "gateway.Dockerfile"
@@ -50,7 +73,6 @@ target "gateway_e2e_openapi-javascript-wiki" {
     "gateway_e2e": "target:gateway_e2e"
   }
 }
-
 target "gateway_e2e_openapi-javascript-wiki_bun" {
   context = "e2e/openapi-javascript-wiki"
   dockerfile = "gateway_bun.Dockerfile"
@@ -60,17 +82,19 @@ target "gateway_e2e_openapi-javascript-wiki_bun" {
   }
 }
 
-target "gateway_bun" {
-  context = "packages/gateway"
-  dockerfile = "bun.Dockerfile"
-  platforms = ["linux/amd64", "linux/arm64"]
-  tags = formatlist("ghcr.io/graphql-hive/gateway:%s-bun", split(",", GATEWAY_TAGS))
-  annotations = [
-    "index:org.opencontainers.image.title=Hive Gateway on Bun",
-    "index:org.opencontainers.image.description=GraphQL Gateway by The Guild that can act as a Apollo Federation Gateway or a Proxy Gateway for any GraphQL service.",
-    "index:org.opencontainers.image.authors=The Guild",
-    "index:org.opencontainers.image.licenses=MIT",
-    "index:org.opencontainers.image.source=https://github.com/graphql-hive/gateway/tree/main/packages/gateway",
-    "index:org.opencontainers.image.documentation=https://the-guild.dev/graphql/hive/docs/gateway/deployment/docker"
-  ]
-}
+target "gateway_e2e_operation-field-permissions" {
+  context = "e2e/operation-field-permissions"
+  dockerfile = "gateway.Dockerfile"
+  tags = ["ghcr.io/graphql-hive/gateway:e2e.operation-field-permissions"]
+  contexts = {
+    "gateway_e2e": "target:gateway_e2e"
+  }
+}
+target "gateway_e2e_operation-field-permissions_bun" {
+  context = "e2e/operation-field-permissions"
+  dockerfile = "gateway_bun.Dockerfile"
+  tags = ["ghcr.io/graphql-hive/gateway:e2e.operation-field-permissions-bun"]
+  contexts = {
+    "gateway_e2e_bun": "target:gateway_e2e_bun"
+  }
+}

e2e/openapi-subgraph/openapi-subgraph.e2e.ts

@@ -1,4 +1,4 @@
-import { createTenv, Service } from '@internal/e2e';
+import { createTenv, dockerHostName, Service } from '@internal/e2e';
 import { beforeAll, describe, expect, it } from 'vitest';
 
 describe('openapi-subgraph', () => {
@@ -10,7 +10,7 @@ describe('openapi-subgraph', () => {
     GQLService = await service('GQL');
   });
   function replaceDockerHostNamesBack(sdl?: string) {
-    return sdl?.replaceAll('172.17.0.1', 'localhost');
+    return sdl?.replaceAll(dockerHostName, 'localhost');
   }
   it('exposes the SDL correctly', async () => {
     const { result, output } = await composeWithMesh({

e2e/operation-field-permissions/gateway.Dockerfile

@@ -0,0 +1,3 @@
+FROM gateway_e2e
+
+RUN npm i @envelop/operation-field-permissions

e2e/operation-field-permissions/gateway.config.ts

@@ -0,0 +1,21 @@
+import { useOperationFieldPermissions } from '@envelop/operation-field-permissions';
+import { defineConfig, GatewayContext } from '@graphql-hive/gateway';
+
+export const gatewayConfig = defineConfig({
+  plugins: () => [
+    useOperationFieldPermissions({
+      getPermissions(ctx: GatewayContext) {
+        const auth = ctx.request.headers.get('authorization');
+        if (
+          auth ===
+          'Bearer TOKEN' /** NOTE: proper token validity check goes here */
+        ) {
+          // allow all fields
+          return new Set(['*']);
+        }
+        // allow only introspection
+        return new Set(['Query.registrationOpen']);
+      },
+    }) as any, // TODO: fix generic in envelop
+  ],
+});

e2e/operation-field-permissions/gateway_bun.Dockerfile

@@ -0,0 +1,3 @@
+FROM gateway_e2e_bun
+
+RUN bun i @envelop/operation-field-permissions

e2e/operation-field-permissions/mesh.config.ts

@@ -0,0 +1,17 @@
+import {
+  defineConfig,
+  loadGraphQLHTTPSubgraph,
+} from '@graphql-mesh/compose-cli';
+import { Opts } from '@internal/testing';
+
+const opts = Opts(process.argv);
+
+export const composeConfig = defineConfig({
+  subgraphs: [
+    {
+      sourceHandler: loadGraphQLHTTPSubgraph('users', {
+        endpoint: `http://localhost:${opts.getServicePort('users')}/graphql`,
+      }),
+    },
+  ],
+});

e2e/operation-field-permissions/operation-field-permissions.e2e.ts

@@ -0,0 +1,100 @@
+import { createTenv } from '@internal/e2e';
+import { expect, it } from 'vitest';
+
+const { gateway, service } = createTenv(__dirname);
+
+it('should allow checking registration but disallow "me" when not authenticated', async () => {
+  const { execute } = await gateway({
+    supergraph: {
+      with: 'mesh',
+      services: [await service('users')],
+    },
+  });
+
+  await expect(
+    execute({
+      query: /* GraphQL */ `
+        {
+          registrationOpen
+        }
+      `,
+    }),
+  ).resolves.toMatchInlineSnapshot(`
+    {
+      "data": {
+        "registrationOpen": false,
+      },
+    }
+  `);
+
+  await expect(
+    execute({
+      query: /* GraphQL */ `
+        {
+          me {
+            name
+          }
+        }
+      `,
+    }),
+  ).resolves.toMatchInlineSnapshot(`
+    {
+      "data": null,
+      "errors": [
+        {
+          "locations": [
+            {
+              "column": 11,
+              "line": 3,
+            },
+          ],
+          "message": "Insufficient permissions for selecting 'Query.me'.",
+        },
+        {
+          "locations": [
+            {
+              "column": 13,
+              "line": 4,
+            },
+          ],
+          "message": "Insufficient permissions for selecting 'User.name'.",
+        },
+      ],
+    }
+  `);
+});
+
+it('should allow "me" when authenticated', async () => {
+  const { execute } = await gateway({
+    supergraph: {
+      with: 'mesh',
+      services: [await service('users')],
+    },
+    pipeLogs: 'gw.log',
+  });
+
+  await expect(
+    execute({
+      query: /* GraphQL */ `
+        {
+          registrationOpen
+          me {
+            name
+          }
+        }
+      `,
+      headers: {
+        authorization: 'Bearer TOKEN',
+      },
+    }),
+  ).resolves.toMatchInlineSnapshot(`
+    {
+      "data": {
+        "me": {
+          "name": "John",
+        },
+        "registrationOpen": false,
+      },
+    }
+  `);
+});

e2e/operation-field-permissions/package.json

@@ -0,0 +1,10 @@
+{
+  "name": "@e2e/operation-field-permissions",
+  "private": true,
+  "dependencies": {
+    "@envelop/core": "^5.0.2",
+    "@envelop/operation-field-permissions": "^6.0.0",
+    "@graphql-mesh/compose-cli": "^1.2.13",
+    "graphql": "^16.10.0"
+  }
+}

e2e/operation-field-permissions/services/users.ts

@@ -0,0 +1,28 @@
+import { createServer } from 'http';
+import { Opts } from '@internal/testing';
+import { createSchema, createYoga } from 'graphql-yoga';
+
+const opts = Opts(process.argv);
+
+createServer(
+  createYoga({
+    maskedErrors: false,
+    schema: createSchema<any>({
+      typeDefs: /* GraphQL */ `
+        type Query {
+          registrationOpen: Boolean!
+          me: User!
+        }
+        type User {
+          name: String!
+        }
+      `,
+      resolvers: {
+        Query: {
+          registrationOpen: () => false,
+          me: () => ({ name: 'John' }),
+        },
+      },
+    }),
+  }),
+).listen(opts.getServicePort('users'));