Improve auth error messages

auth.go

@@ -6,6 +6,7 @@ import (
  "sort"
  "strings"
 
+ log "github.com/sirupsen/logrus"
  "github.com/vektah/gqlparser/v2/ast"
  "github.com/vektah/gqlparser/v2/gqlerror"
 )
@@ -33,7 +34,7 @@ func (a AllowedFields) IsAllowed(fieldName string) (bool, AllowedFields) {
  return false, AllowedFields{}
 }
 
-// OperationPermissions represents the user permissions for all operation types
+// OperationPermissions represents the top level permissions for all operation types
 type OperationPermissions struct {
  AllowedRootQueryFields AllowedFields `json:"query"`
  AllowedRootMutationFields AllowedFields `json:"mutation"`
@@ -54,6 +55,14 @@ func (f fieldList) Swap(i, j int) {
  f[i], f[j] = f[j], f[i]
 }
 
+func (a AllowedFields) String() string {
+ bytes, err := json.Marshal(a)
+ if err != nil {
+ return err.Error()
+ }
+ return string(bytes)
+}
+
 // MarshalJSON marshals to a JSON representation.
 func (a AllowedFields) MarshalJSON() ([]byte, error) {
  if a.AllowAll {
@@ -270,7 +279,12 @@ func filterFields(path []string, ss ast.SelectionSet, allowedFields AllowedField
  res = append(res, s)
  errs = append(errs, ferrs...)
  } else {
- errs = append(errs, gqlerror.Errorf("user do not have permission to access field %s.%s", strings.Join(path, "."), s.Name))
+ fieldPath := strings.Join(append(path, s.Name), ".")
+ log.WithFields(log.Fields{
+ "field": fieldPath,
+ "permissions": allowedFields,
+ }).Debug("field access disallowed")
+ errs = append(errs, gqlerror.Errorf("%s access disallowed", fieldPath))
  }
  case *ast.FragmentSpread:
  var ferrs gqlerror.List

auth_test.go

@@ -124,7 +124,7 @@ func TestFilterAuthorizedFields(t *testing.T) {
  }
  errs := perms.FilterAuthorizedFields(query.Operations[0])
  require.Len(t, errs, 1)
- assert.Equal(t, errs[0].Message, "user do not have permission to access field query.movies.compTitles")
+ assert.Equal(t, errs[0].Message, "query.movies.compTitles access disallowed")
 
  assertSelectionSetsEqual(t, schema, strToSelectionSet(schema, `{
  movies {
@@ -219,7 +219,7 @@ func TestFilterAuthorizedFields(t *testing.T) {
  }
  errs := perms.FilterAuthorizedFields(query.Operations[0])
  require.Len(t, errs, 1)
- assert.Equal(t, errs[0].Message, "user do not have permission to access field query.movies.compTitles")
+ assert.Equal(t, errs[0].Message, "query.movies.compTitles access disallowed")
 
  assertSelectionSetsEqual(t, schema, strToSelectionSet(schema, `{
  movies {

execution_test.go

@@ -49,7 +49,7 @@ func TestHonorsPermissions(t *testing.T) {
  resp := es.ExecuteQuery(ctx)
 
  permissionsError := &gqlerror.Error{
- Message: "user do not have permission to access field query.cinema",
+ Message: "query.cinema access disallowed",
  }
 
  require.Contains(t, resp.Errors, permissionsError)