isAuthenticated directive ignored in Apollo Federated Gateway schema

[bokjo]

Hello there,

I have an augmentedSchema wrapped in buildFederatedSchema from @apollo/federation but the Authorization directives are ignored when the API is called through the Gateway and directly.

When the API is created and called directly with an augmentedSchema passed to the Apollo server instance the Authorization directives work as expected!

Fairly new to GraphQL so don't know whether this is for here or on the Apollo Federation side, don't know how to properly test and debug it, to be honest!

neo4j-graphql-js API:

import neo4j, { Driver } from "neo4j-driver";
import { makeAugmentedSchema, assertSchema } from "neo4j-graphql-js";
import { resolvers, typeDefs, config as gqlConfig } from "./testSchema";
import { buildFederatedSchema } from "@apollo/federation";

//...

const driver: Driver = neo4j.driver(
  `${config.scheme}://${config.host}:${config.port}`,
  neo4j.auth.basic(config.username, config.password),
);

//...
const augmentedSchema = makeAugmentedSchema({
  typeDefs,
  resolvers,
  config: {
    ...gqlConfig,
    experimental: true,
    auth: {
      isAuthenticated: true,
      hasRole: true,
      hasScope: true,
    },
    isFederated: true,
  },
});
const schema = buildFederatedSchema([augmentedSchema]);

const server = new ApolloServer({
  context: ({ req }) => {
    return { driver, neo4jDatabase: config.database, req };
  },
  // schema: augmentedSchema,
  schema,
  playground: true,
  introspection: true,
});

Apollo Federation Gateway:

const { ApolloServer } = require("apollo-server");
const { ApolloGateway, RemoteGraphQLDataSource } = require("@apollo/gateway");

const gateway = new ApolloGateway({
  serviceList: [
    {
      name: "Svc1",
      url: "http://localhost:5000/graphql"
    },
    {
      name: "Svc2",
      url: "http://localhost:5001/graphql"
    }
  ],
  buildService({ name, url }) {
    return new RemoteGraphQLDataSource({
      url,
      willSendRequest({ request, context }) {
        request.http.headers = context.req.headers
      }
    });
  }
});

(async () => {
  const { schema, executor } = await gateway.load();

  const server = new ApolloServer({
    context: ({ req }) => {
      return { req };
    },
    schema,
    executor
  });

  server.listen({ port: process.env.PORT || 4000 }).then(({ url }) => {
    console.log(`🚀 Server ready at ${url}`);
  });
})();

My SVC1 has a simple resolver that returns hello world string and it has the @isAuthenticated directive (just as an example, there are other customs and autogenerated queries and mutations of course! )

type Query {
    sayHello: String @isAuthenticated
  }

export const resolvers = {
  Query: {
    sayHello: (parent, args, context, info) =>  {
      console.log(parent, args, context, info);
      return "Hello World";
    },
  },
  Mutation: {},
};

Case 1:

• If you run the "SVC1" API Apollo server directly with the augmented schema then the Authorization directive is respected and working as expected

Case 2:

• if you run the "SVC1" API Apollo server with the federated schema and call the SVC1 API tough the Gateway then the Authorization directive is ignored and the data is returned without providing the JWT token in the authorization header

p.s the Apollo Federation Gateway is properly propagating the request with the Authorization header to the SVC1!

[michaeldgraham]

#608