Spring Security Context + Subfields about graphql-spqr-spring-boot-starter HOT 3 OPEN

From looking around the projects I saw that it seems like the way to do this is with a ContextFactory, this is how my code ended-up looking like, I'm still in between testing this approach but here is a snippet of my relevant code:

In my project I have an AuthenticationProvider (org.springframework.security.authentication.AuthenticationProvider) implementation it will return an "authenticated" object after it performs the JWT verification and a few other things, I see that in Spqr it appears that there doesn't seem to be a way to access the results of the AuthenticationProvider, I know that Spring Security puts it in the context holder so this context factory must be executing before the AuthenticationProvider. I'm still debugging my approach but I wonder if you had any insight into why the ContextFactory would execute after the AuthenticationProvider?

public abstract class AuthContextFactory<R> implements ContextFactory<R> {
    public Object createGlobalContext(final ContextFactoryParams<R> params) {
        final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        final DefaultGlobalContext<R> ctx = new DefaultGlobalContext<>(params.getNativeRequest());
        if (authentication instanceof AuthProviderJWTAuthentication) {
            final AuthProviderJWTAuthentication user = (AuthProviderJWTAuthentication)authentication;
            ContextUtils.saveCurrentUserKey(ctx, user.getUserKey());
        } else if (authentication instanceof AuthProviderJWTAuthenticatedUser) {
            // this isn't being hit right now (gets created in AuthenticationProvider)
            final AuthProviderJWTAuthenticatedUser user = (AuthProviderJWTAuthenticatedUser)authentication;
            ContextUtils.saveCurrentUserKey(ctx, user.getUserKey());
        }
        return ctx;
    }
}

// These are just to get them registered as the right bean type into Spring and work with SPQR Autoconfiguration
@Component
public class AuthWebSocketContextFactory extends AuthContextFactory<WebSocketSession> implements WebSocketContextFactory {
}

@Component
public class AuthServletContextFactory extends AuthContextFactory<NativeWebRequest> implements ServletContextFactory  {
}

Edit:
Stepping through with the debugger I see that AuthenticationProvider does indeed get called before the ContextFactory, but there's something going on that my ContextFactory doesn't have access to the output of the AuthenticationProvider, I assume its again something to do with this potentially happening in another thread. I'll continue to debug but for the time being this approach will work for me.

from graphql-spqr-spring-boot-starter.

Are there any solutions you managed to find?

from graphql-spqr-spring-boot-starter.

I have exactly the same issue as @csueiras, and solved it by removing the @PreAuthorize from the methods that are receiving argument with the @GraphQLContext annotation, but keeping the @PreAuthorize in the origin endpoint.

I'm presuming that if I'm passing an argument with @GraphQLContext, then I can't reach the endpoint directly without starting it by its origin call sequence, I mean with no context. I also tried to force reach it with no success.

It would be worth if if someone could give a feedback on this solution or even a better way to solve it.

from graphql-spqr-spring-boot-starter.