Fixed issue where authorization results were cached. (#5819)

cSpell.json

@@ -32,7 +32,11 @@
     "Swashbuckle",
     "traversion",
     "Websockets",
-    "Newtonsoft"
+    "Newtonsoft",
+    "cachable",
+    "fricking",
+    "runtimes",
+    "NATS"
   ],
   "ignoreWords": [
     "Specwise",
@@ -53,6 +57,7 @@
     "Staib",
     "shoooe",
     "Senn",
+    "Rafi",
     "Snapshooter",
     "relayjs",
     "Rgba",

src/HotChocolate/Core/src/Authorization/AuthorizeValidationResultAggregator.cs

@@ -52,7 +52,7 @@ public async ValueTask AggregateAsync(
         }
     }
 
-    private IError CreateError(AuthorizeResult result)
+    private static IError CreateError(AuthorizeResult result)
     {
         return result switch
         {

src/HotChocolate/Core/src/Authorization/AuthorizeValidationRule.cs

@@ -16,7 +16,7 @@ public AuthorizeValidationRule(AuthorizationCache cache)
         _cache = cache ?? throw new ArgumentNullException(nameof(cache));
     }
 
-    public bool IsCacheable => true;
+    public bool IsCacheable => false;
 
     public void Validate(IDocumentValidatorContext context, DocumentNode document)
     {

src/HotChocolate/Core/test/Authorization.Tests/AnnotationBasedAuthorizationTests.cs

@@ -64,6 +64,56 @@ public async Task Authorize_Person_NoAccess()
                 """);
     }
 
+    [Fact]
+    public async Task Authorize_Person_NoAccess_EnsureNotCached()
+    {
+        // arrange
+        var results = new Stack<AuthorizeResult>();
+        results.Push(AuthorizeResult.NotAllowed);
+        results.Push(AuthorizeResult.Allowed);
+
+        var handler = new AuthHandler2(results);
+        var services = CreateServices(handler);
+        var executor = await services.GetRequestExecutorAsync();
+
+        // act
+        await executor.ExecuteAsync(
+            """
+            {
+              person(id: "UGVyc29uCmRhYmM=") {
+                name
+              }
+            }
+            """);
+
+        var result = await executor.ExecuteAsync(
+            """
+            {
+              person(id: "UGVyc29uCmRhYmM=") {
+                name
+              }
+            }
+            """);
+
+        // assert
+        Snapshot
+            .Create()
+            .Add(result)
+            .MatchInline(
+                """
+                {
+                  "errors": [
+                    {
+                      "message": "The current user is not authorized to access this resource.",
+                      "extensions": {
+                        "code": "AUTH_NOT_AUTHORIZED"
+                      }
+                    }
+                  ]
+                }
+                """);
+    }
+
     [Fact]
     public async Task Authorize_Query_NoAccess()
     {
@@ -561,7 +611,7 @@ public async Task Skip_Authorize_On_Node_Field()
     }
 
     private static IServiceProvider CreateServices(
-        AuthHandler handler,
+        IAuthorizationHandler handler,
         Action<AuthorizationOptions>? configure = null)
         => new ServiceCollection()
             .AddGraphQLServer()
@@ -661,6 +711,27 @@ public ValueTask<AuthorizeResult> AuthorizeAsync(
         }
     }
 
+    private sealed class AuthHandler2 : IAuthorizationHandler
+    {
+        private readonly Stack<AuthorizeResult> _results;
+        public AuthHandler2(Stack<AuthorizeResult> results)
+        {
+            _results = results;
+        }
+
+        public ValueTask<AuthorizeResult> AuthorizeAsync(
+            IMiddlewareContext context,
+            AuthorizeDirective directive,
+            CancellationToken cancellationToken = default)
+            => new(AuthorizeResult.Allowed);
+
+        public ValueTask<AuthorizeResult> AuthorizeAsync(
+            AuthorizationContext context,
+            IReadOnlyList<AuthorizeDirective> directives,
+            CancellationToken cancellationToken = default)
+            => new(_results.Pop());
+    }
+
     [DirectiveType(DirectiveLocation.Object)]
     public sealed class FooDirective { }