Change Graphql Query auth method to QUERY

tjeerddie · tjeerddie · commit 5d590b64a6a5 · 2025-10-10T11:32:01.000+02:00
diff --git a/oauth2_lib/fastapi.py b/oauth2_lib/fastapi.py
@@ -366,7 +366,7 @@ def __init__(self, opa_url: str, auto_error: bool = False, opa_kwargs: Mapping[s
         # By default don't raise HTTP 403 because partial results are preferred
         super().__init__(opa_url, auto_error, opa_kwargs)
 
-    async def authorize(self, request: RequestPath, user_info: OIDCUserModel) -> bool | None:
+    async def authorize(self, request: RequestPath, method: str, user_info: OIDCUserModel) -> bool | None:
         if not (oauth2lib_settings.OAUTH2_ACTIVE and oauth2lib_settings.OAUTH2_AUTHORIZATION_ACTIVE):
             return None
 
@@ -375,7 +375,7 @@ async def authorize(self, request: RequestPath, user_info: OIDCUserModel) -> boo
                 **(self.opa_kwargs or {}),
                 **(user_info or {}),
                 "resource": request,
-                "method": "POST",
+                "method": method,
             }
         }
 
diff --git a/oauth2_lib/strawberry.py b/oauth2_lib/strawberry.py
@@ -105,14 +105,14 @@ async def is_authenticated(info: OauthInfo) -> bool:
     return current_user is not None
 
 
-async def is_authorized(info: OauthInfo, path: str) -> bool:
+async def is_authorized(info: OauthInfo, path: str, method: str) -> bool:
     """Check that the user is allowed to query/mutate this path."""
     context = info.context
     current_user = await context.get_current_user
     if not current_user:
         return False
 
-    authorization_decision = await context.auth_manager.graphql_authorization.authorize(path, current_user)
+    authorization_decision = await context.auth_manager.graphql_authorization.authorize(path, method, current_user)
     authorized = bool(authorization_decision)
     logger.debug(
         "Received graphql authorization decision",
@@ -172,7 +172,7 @@ async def has_permission(self, source: Any, info: OauthInfo, **kwargs) -> bool:
             return True
 
         path = get_query_path(info)
-        if await is_authorized(info, path):
+        if await is_authorized(info, path, "QUERY"):
             return True
 
         self.message = f"User is not authorized to query `{path}`"
@@ -192,7 +192,7 @@ async def has_permission(self, source: Any, info: OauthInfo, **kwargs) -> bool:
             return skip_mutation_auth_checks()
 
         path = get_mutation_path(info)
-        if await is_authorized(info, path):
+        if await is_authorized(info, path, "POST"):
             return True
 
         self.message = f"User is not authorized to execute mutation `{path}`"

Original file line number	Diff line number	Diff line change
`@@ -366,7 +366,7 @@ def __init__(self, opa_url: str, auto_error: bool = False, opa_kwargs: Mapping[s`
`366`	`366`	`# By default don't raise HTTP 403 because partial results are preferred`
`367`	`367`	`super().__init__(opa_url, auto_error, opa_kwargs)`
`368`	`368`
`369`		`- async def authorize(self, request: RequestPath, user_info: OIDCUserModel) -> bool \| None:`
	`369`	`+ async def authorize(self, request: RequestPath, method: str, user_info: OIDCUserModel) -> bool \| None:`
`370`	`370`	`if not (oauth2lib_settings.OAUTH2_ACTIVE and oauth2lib_settings.OAUTH2_AUTHORIZATION_ACTIVE):`
`371`	`371`	`return None`
`372`	`372`
`@@ -375,7 +375,7 @@ async def authorize(self, request: RequestPath, user_info: OIDCUserModel) -> boo`
`375`	`375`	`**(self.opa_kwargs or {}),`
`376`	`376`	`**(user_info or {}),`
`377`	`377`	`"resource": request,`
`378`		`- "method": "POST",`
	`378`	`+ "method": method,`
`379`	`379`	`}`
`380`	`380`	`}`
`381`	`381`