From 47d6b0c473bc3cf4e5fa8bbfa790a240c2662f17 Mon Sep 17 00:00:00 2001
From: dekkku <161748598+dekkku@users.noreply.github.com>
Date: Thu, 28 Nov 2024 01:37:17 +0530
Subject: [PATCH] fix(3144): add correct auth validation traces (#3152)

---
 src/core/blueprint/definitions.rs             | 35 +++++++-
 .../snapshots/auth-validations.md_error.snap  | 86 +++++++++++++++++++
 tests/execution/auth-validations.md           | 36 ++++++++
 3 files changed, 153 insertions(+), 4 deletions(-)
 create mode 100644 tests/core/snapshots/auth-validations.md_error.snap
 create mode 100644 tests/execution/auth-validations.md

diff --git a/src/core/blueprint/definitions.rs b/src/core/blueprint/definitions.rs
index 5e903c19e3..e6c0f2e694 100644
--- a/src/core/blueprint/definitions.rs
+++ b/src/core/blueprint/definitions.rs
@@ -401,22 +401,49 @@ fn to_fields(
         GraphQLOperationType::Query
     };
     // Process fields that are not marked as `omit`
+
+    // collect the parent auth ids
+    let parent_auth_ids = type_of.protected.as_ref().and_then(|p| p.id.as_ref());
+    // collect the field names that have different auth ids than the parent type
+    let fields_with_different_auth_ids = type_of
+        .fields
+        .iter()
+        .filter_map(|(k, v)| {
+            if let Some(p) = &v.protected {
+                if p.id.as_ref() != parent_auth_ids {
+                    Some(k)
+                } else {
+                    None
+                }
+            } else {
+                None
+            }
+        })
+        .collect::<HashSet<_>>();
+
     let fields = Valid::from_iter(
         type_of
             .fields
             .iter()
             .filter(|(_, field)| !field.is_omitted()),
         |(name, field)| {
-            validate_field_type_exist(config_module, field)
-                .and(to_field_definition(
+            let mut result =
+                validate_field_type_exist(config_module, field).and(to_field_definition(
                     field,
                     &operation_type,
                     object_name,
                     config_module,
                     type_of,
                     name,
-                ))
-                .trace(name)
+                ));
+
+            if fields_with_different_auth_ids.contains(name) || parent_auth_ids.is_none() {
+                // if the field has a different auth id than the parent type or parent has no
+                // auth id, we need to add correct trace.
+                result = result.trace(name);
+            }
+
+            result
         },
     );
 
diff --git a/tests/core/snapshots/auth-validations.md_error.snap b/tests/core/snapshots/auth-validations.md_error.snap
new file mode 100644
index 0000000000..19dd962929
--- /dev/null
+++ b/tests/core/snapshots/auth-validations.md_error.snap
@@ -0,0 +1,86 @@
+---
+source: tests/core/spec.rs
+expression: errors
+---
+[
+  {
+    "message": "Auth provider z not found",
+    "trace": [
+      "Baz",
+      "x",
+      "@protected"
+    ],
+    "description": null
+  },
+  {
+    "message": "Auth provider y not found",
+    "trace": [
+      "Baz",
+      "y",
+      "@protected"
+    ],
+    "description": null
+  },
+  {
+    "message": "Auth provider x not found",
+    "trace": [
+      "Baz",
+      "z",
+      "@protected"
+    ],
+    "description": null
+  },
+  {
+    "message": "Auth provider x not found",
+    "trace": [
+      "Foo",
+      "@protected"
+    ],
+    "description": null
+  },
+  {
+    "message": "Auth provider x not found",
+    "trace": [
+      "Foo",
+      "baz",
+      "@protected"
+    ],
+    "description": null
+  },
+  {
+    "message": "Auth provider y not found",
+    "trace": [
+      "Foo",
+      "baz",
+      "@protected"
+    ],
+    "description": null
+  },
+  {
+    "message": "Auth provider b not found",
+    "trace": [
+      "Query",
+      "default",
+      "@protected"
+    ],
+    "description": null
+  },
+  {
+    "message": "Auth provider c not found",
+    "trace": [
+      "Query",
+      "default",
+      "@protected"
+    ],
+    "description": null
+  },
+  {
+    "message": "Auth provider z not found",
+    "trace": [
+      "Zoo",
+      "a",
+      "@protected"
+    ],
+    "description": null
+  }
+]
diff --git a/tests/execution/auth-validations.md b/tests/execution/auth-validations.md
new file mode 100644
index 0000000000..a9aca9b59c
--- /dev/null
+++ b/tests/execution/auth-validations.md
@@ -0,0 +1,36 @@
+---
+error: true
+---
+
+# auth multiple
+
+```graphql @config
+schema @server @upstream @link(id: "a", src: ".htpasswd_a", type: Htpasswd) {
+  query: Query
+}
+
+type Query {
+  default: String @expr(body: "data") @protected(id: ["a", "b", "c"])
+  foo: Foo @expr(body: {bar: "baz"})
+}
+
+type Foo @protected(id: ["x"]) {
+  bar: String
+  baz: String @protected(id: ["y"])
+}
+
+type Zoo {
+  a: String @protected(id: ["z"])
+}
+
+type Baz {
+  x: String @protected(id: ["z"])
+  y: String @protected(id: ["y"])
+  z: String @protected(id: ["x"])
+}
+```
+
+```text @file:.htpasswd_a
+testuser1:$apr1$e3dp9qh2$fFIfHU9bilvVZBl8TxKzL/
+testuser2:$2y$10$wJ/mZDURcAOBIrswCAKFsO0Nk7BpHmWl/XuhF7lNm3gBAFH3ofsuu
+```