Update repo with the latest-and-greatest GraphQL.NET/CI/Code Style #254
Conversation
github-actions
bot
added
CI
|
As far as I'm concerned, this repo is obsolete. It only supports policy-based authentication; a proper upgrade should support I'm okay updating it, but assuming it does not have an overhaul, an explicit notice near the top of the readme should note all of the features this repo does not support, along with a suggestion that GraphQL.NET Server 7's authentication rule be used. I might even mark the entry point as |
|
Note that the authorization rule in GraphQL.NET Server 7 can be extensively customized and need not rely on ASP.NET Core's authentication subsystem. The base class and validation error class does reference the |
|
Some other options (perhaps for v8) are:
|
Until GraphQL is tightly coupled with HTTP transport - no.
It is not a goal of this PR. Later.
Post a suggestion and I will merge it.
Again - until GraphQL is tightly coupled with HTTP transport - no. At least I do not consider this action as correct, because it deliberately narrows authorization applicability to only HTTP / ASP.NET Core transport / framework.
Maybe, maybe. But can be != to be. For now server package is ASP.NET Core package with all references/docs and other stuff. A long time ago I already asked @joemcbride about the possibility of merging two projects (this one and server bits). I will only be glad if we manage to cut a common bits of the authorization so that it will not depend on the transport/ASP.NET framework at all. So far this is not so, then this project will live. Regarding #254 (comment) - both options are viable. I lean to 1. |
|
|
I added some additional changes in PR #255 which currently targets this PR. |
|
FYI, removing IProvideUserPrincipal means that users will certainly need to change their code to use the new version. |
src/Harness/Program.cs
Outdated
| { | ||
| public static Task Main(string[] args) => CreateHostBuilder(args).Build().RunAsync(); | ||
| opt.ThrowOnUnhandledException = true; |
There was a problem hiding this comment.
I'm curious why you added this. This breaks proper operation within ASP.NET Core
There was a problem hiding this comment.
Just the first thing that turned up by the arm.
|
I've finished my review. Once the BomTest is removed, or it verifies the sln is in the root of the scanned folder tree, I'll approve. |
|
I still have not received an answer to graphql-dotnet/graphql-dotnet#3478 (comment) / #254 (comment) and waiting. So far I have not yet understood what is the point of checking the presence/absense of sln. |
To be sure the correct folder is being scanned by looking for a file unique to this repository. Has nothing to do with the editorconfig. I do not think this test should be included at all. |
|
What does "correct folder" mean at all? Found folder is always repository root. It's guaranteed by compiler. Since editorconfig resides in the root and since it should work for all files starting from the root then scan should be done in the root as well. I do not understand what is wrong in this simple logical chain. Also graphql-dotnet/graphql-dotnet#3478 (comment) |
|
I’ve tried to explain my view.
No it’s not. That’s what I would like to see. Rather the only thing that’s guaranteed is the file path to this test. Traversing an arbitrary number of |
|
The whole point of this library was to purposefully NOT have ASP.NET dependencies, have a simplified policy-based auth, and to be able to use this library regardless of what transport was used with GraphQL .NET. Using policy based authorization you CAN use roles in the policy. I would consider using only role-based auth an anti-pattern when Policies are a much better design, that also supports checking for roles, as well as many other scenarios. Help the user make the right decision instead of allowing them to use bad patterns. You two are always bickering over changes. Please act more professional. It is tiresome to see your constant bickering. It seriously makes me reconsider fully taking over the project again. |
|
And just to be clear - instead of creating an entirely new authorization feature in the other projects (with ASP.NET dependencies), this one should have been updated instead. I fought off several attempts at adding ASP.NET Authorization in the other projects previously. So it is a bit frustrating to see that was done anyways and this one left to languish. |
👍
I'd be happy to discuss the future of this project and/or the server project with you, if you like. Without input I typically work on features that I intend to use, hoping that such features will benefit the community.
I apologize. |
So far, these criteria are carried out. |
Co-authored-by: Shane Krueger <shane@acdmail.com>
Codecov Report
@@ Coverage Diff @@
## master #254 +/- ##
==========================================
- Coverage 80.27% 79.56% -0.72%
==========================================
Files 10 10
Lines 289 274 -15
Branches 44 45 +1
==========================================
- Hits 232 218 -14
Misses 44 44
+ Partials 13 12 -1
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
|
I'll wait some more time. Maybe there is something else. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| if ((node is GraphQLOperationDefinition astType && astType == context.Operation) || | ||
| (node is GraphQLFragmentDefinition fragment && (context.GetRecursivelyReferencedFragments(context.Operation)?.Contains(fragment) ?? false))) |
Check notice
Code scanning / CodeQL
Complex condition
|
@sungam3r We have not issued a release with 7.0 compatibility. Should I do so? cc: @julienFlexsoft |
|
I published it just after have read graphql-dotnet/server#987 |
|
I would only suggest that we remove the many dependabot commits, and most other PRs that do not affect the operation of the code, from the release notes. I typically do so. It does not benefit users to know that Shouldly was bumped, for example, as this change does not affect the released code. The only exception is when a contributor expends a significant amount of time to improve the codebase, such as extensive reformatting, or contributions made by a new contributor. But when you or I make documentation fixes, CI changes, build-time dependency bumps, changes to tests, and similar I almost always remove those from the release notes. |
|
thanks! |
Inspired by #253
ping @BillBaird
UPDATE: #256 is a new feature