Polishing contribution

Closes gh-367

Author: rstoyanchev

samples/webflux-security/src/main/java/io/spring/sample/graphql/SalaryController.java

@@ -49,10 +49,10 @@ public Mono<BigDecimal> salary(Employee employee) {
 	}
 
 	@MutationMapping
-	public void updateSalary(@Argument("input") SalaryInput salaryInput) {
+	public Mono<Void> updateSalary(@Argument("input") SalaryInput salaryInput) {
 		String employeeId = salaryInput.getEmployeeId();
 		BigDecimal salary = salaryInput.getNewSalary();
-		this.salaryService.updateSalary(employeeId, salary);
+		return this.salaryService.updateSalary(employeeId, salary);
 	}
 
 }

samples/webflux-security/src/main/java/io/spring/sample/graphql/SalaryInput.java

@@ -23,6 +23,11 @@ public class SalaryInput {
 
 	private BigDecimal newSalary;
 
+	public SalaryInput(String employeeId, BigDecimal newSalary) {
+		this.employeeId = employeeId;
+		this.newSalary = newSalary;
+	}
+
 	public String getEmployeeId() {
 		return employeeId;
 	}

samples/webflux-security/src/main/java/io/spring/sample/graphql/SalaryService.java

@@ -32,9 +32,9 @@ public Mono<BigDecimal> getSalaryForEmployee(Employee employee) {
 		return Mono.just(new BigDecimal("42"));
 	}
 
-	@Secured({ "ROLE_HR" })
-	public void updateSalary(String employeeId, BigDecimal newSalary) {
-		// empty
+	@Secured("ROLE_HR")
+	public Mono<Void> updateSalary(String employeeId, BigDecimal newSalary) {
+		return Mono.empty();
 	}
 
 }

samples/webflux-security/src/main/java/io/spring/sample/graphql/SecurityConfig.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -35,7 +35,7 @@ public class SecurityConfig {
 	@Bean
 	SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
 		return http
-				.csrf(spec -> spec.disable())
+				.csrf(c -> c.disable())
 				// Demonstrate that method security works
 				// Best practice to use both for defense in depth
 				.authorizeExchange(requests -> requests.anyExchange().permitAll())

samples/webflux-security/src/main/resources/graphql/schema.graphqls

@@ -14,7 +14,7 @@ type Employee {
 
 input UpdateSalaryInput {
     employeeId: ID!
-    salary: String!
+    newSalary: String!
 }
 type UpdateSalaryPayload {
     success: Boolean!

samples/webflux-security/src/test/java/io/spring/sample/graphql/WebFluxSecuritySampleTests.java

@@ -15,11 +15,13 @@
  */
 package io.spring.sample.graphql;
 
+import java.math.BigDecimal;
 import java.net.URI;
 import java.time.Duration;
 
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 
 import org.springframework.boot.test.context.SpringBootTest;
@@ -105,6 +107,21 @@ void canNotQuerySalary() {
 				});
 	}
 
+	@Disabled // This does not work currently
+	@Test
+	void canNotMutateUpdateSalary() {
+		SalaryInput salaryInput = new SalaryInput("1", BigDecimal.valueOf(44));
+
+		this.graphQlTester.documentName("updateSalary")
+				.variable("salaryInput", salaryInput)
+				.execute()
+				.errors()
+				.satisfy(errors -> {
+					assertThat(errors).hasSize(1);
+					assertThat(errors.get(0).getErrorType()).isEqualTo(ErrorType.UNAUTHORIZED);
+				});
+	}
+
 	@Test
 	void canQuerySalaryAsAdmin() {
 

samples/webflux-security/src/test/resources/graphql-test/updateSalary.graphql

@@ -0,0 +1,9 @@
+mutation updateSalary($salaryInput: UpdateSalaryInput!) {
+    updateSalary(input: $salaryInput) {
+        success
+        employee {
+            id
+            name
+        }
+    }
+}

samples/webmvc-http-security/src/main/java/io/spring/sample/graphql/SalaryService.java

@@ -15,7 +15,7 @@ public BigDecimal getSalaryForEmployee(Employee employee) {
 		return new BigDecimal("42");
 	}
 
-	@Secured({ "ROLE_HR" })
+	@Secured("ROLE_HR")
 	public void updateSalary(String employeeId, BigDecimal newSalary) {
 
 	}

samples/webmvc-http-security/src/main/java/io/spring/sample/graphql/SecurityConfig.java

@@ -1,3 +1,18 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.spring.sample.graphql;
 
 import org.springframework.context.annotation.Bean;
@@ -23,9 +38,7 @@ DefaultSecurityFilterChain springWebFilterChain(HttpSecurity http) throws Except
 				.csrf(c -> c.disable())
 				// Demonstrate that method security works
 				// Best practice to use both for defense in depth
-				.authorizeRequests(requests -> requests
-					.anyRequest().permitAll()
-				)
+				.authorizeRequests(requests -> requests.anyRequest().permitAll())
 				.httpBasic(withDefaults())
 				.build();
 	}

samples/webmvc-http-security/src/test/java/io/spring/sample/graphql/WebMvcHttpSecuritySampleTests.java

@@ -75,11 +75,10 @@ void canNotQuerySalary() {
 	}
 
 	@Test
-	void canNotMutationUpdateSalary() {
-		WebGraphQlTester tester = this.graphQlTester.mutate().build();
+	void canNotMutateUpdateSalary() {
 		SalaryInput salaryInput = new SalaryInput("1", BigDecimal.valueOf(44));
 
-		tester.documentName("updateSalary")
+		this.graphQlTester.documentName("updateSalary")
 				.variable("salaryInput", salaryInput)
 				.execute()
 				.errors()