Adding @Security documentation

Author: moufmouf

docs/authentication_authorization.md

@@ -7,13 +7,16 @@ sidebar_label: Authentication and authorization
 You might not want to expose your GraphQL API to anyone. Or you might want to keep some queries/mutations or fields
 reserved to some users.
 
-GraphQLite offers some control over what a user can do with your API based on authentication (whether the user
-is logged or not) or authorization (what rights the user have).
+GraphQLite offers some control over what a user can do with your API. You can restrict access to resources:
+ 
+- based on authentication using the [`@Logged` annotation](#logged-and-right-annotations) (restrict access to logged users)
+- based on authorization using the [`@Right` annotation](#logged-and-right-annotations) (restrict access to logged users with certain rights).
+- based on fine-grained authorization using the [`@Security` annotation](fine-grained-security.md) (restrict access for some given resources to some users).
 
 <div class="alert alert-info">
 GraphQLite does not have its own security mechanism.
-Unless you're using our Symfony Bundle, it is up to you to connect this feature to your framework's security mechanism.<br>
-See <a href="#connecting-graphqlite-to-your-framework-s-security-module">Connecting GraphQLite to your framework's security module</a>.
+Unless you're using our Symfony Bundle or our Laravel package, it is up to you to connect this feature to your framework's security mechanism.<br>
+See <a href="implementing-security.md">Connecting GraphQLite to your framework's security module</a>.
 </div>
 
 ## `@Logged` and `@Right` annotations
@@ -112,55 +115,3 @@ While this is the most secured mode, it can have drawbacks when working with dev
 (you need to be logged as admin to fetch the complete schema).
 
 <div class="alert alert-info">The "HideIfUnauthorized" mode was the default mode in GraphQLite 3 and is optionnal from GraphQLite 4+.</div>
-
-## Connecting GraphQLite to your framework's security module
-
-<div class="alert alert-info">
-    This step is NOT necessary for user using GraphQLite through the Symfony Bundle
-</div>
-
-GraphQLite needs to know if a user is logged or not, and what rights it has.
-But this is specific of the framework you use.
-
-To plug GraphQLite to your framework's security mechanism, you will have to provide two classes implementing: 
-
-* `TheCodingMachine\GraphQLite\Security\AuthenticationServiceInterface`
-* `TheCodingMachine\GraphQLite\Security\AuthorizationServiceInterface`
-
-Those two interfaces act as adapters between GraphQLite and your framework:
-
-```php
-interface AuthenticationServiceInterface
-{
-    /**
-     * Returns true if the "current" user is logged.
-     *
-     * @return bool
-     */
-    public function isLogged(): bool;
-}
-``` 
-
-```php
-interface AuthorizationServiceInterface
-{
-    /**
-     * Returns true if the "current" user has access to the right "$right".
-     *
-     * @param string $right
-     * @return bool
-     */
-    public function isAllowed(string $right): bool;
-}
-```
-
-You need to write classes that implement these interfaces. Then, you must register those classes with GraphQLite.
-It you are [using the `SchemaFactory`](other-frameworks.md), you can register your classes using:
-
-```php
-// Configure an authentication service (to resolve the @Logged annotations).
-$schemaFactory->setAuthenticationService($myAuthenticationService);
-// Configure an authorization service (to resolve the @Right annotations).
-$schemaFactory->setAuthorizationService($myAuthorizationService);
-```
-

docs/fine-grained-security.md

@@ -0,0 +1,170 @@
+---
+id: fine-grained-security
+title: Fine grained security
+sidebar_label: Fine grained security
+---
+
+If the [`@Logged` and `@Right` annotations](authentication_authorization.md#logged-and-right-annotations) are not 
+granular enough for your needs, you can use the advanced `@Security` annotation.
+
+Using the `@Security` annotation, you can write an *expression* that can contain custom logic. For instance:
+
+- Check that a user can access a given resource
+- Check that a user has one right or another right
+- ...
+
+## Using the @Security annotation
+
+The `@Security` annotation is very flexible: it allows you to pass an expression that can contains custom logic:
+
+```php
+use TheCodingMachine\GraphQLite\Annotations\Security;
+
+// ...
+
+/**
+ * @Query
+ * @Security("is_granted('ROLE_ADMIN') or is_granted('POST_SHOW', post)")
+ */
+public function getPost(Post $post): array
+{
+    // ...
+}
+```
+
+The *expression* defined in the `@Security` annotation must conform to [Symfony's Expression Language syntax](https://symfony.com/doc/4.4/components/expression_language/syntax.html)
+
+<div class="alert alert-info">
+    If you are a Symfony user, you might already be used to the <code>@Security</code> annotation. Most of the inspiration
+    of this annotation comes from Symfony. Warning though! GraphQLite's <code>@Security</code> annotation and 
+    Symfony's <code>@Security</code> annotation are slightly different. Especially, the two annotations do not live
+    in the same namespace!
+</div>
+
+## The `is_granted` function
+
+Use the `is_granted` function to check if a user has a special right.
+
+```php
+@Security("is_granted('ROLE_ADMIN')")
+```
+
+is similar to
+
+```php
+@Right("ROLE_ADMIN")
+```
+
+In addition, the `is_granted` function accepts a second optional parameter: the "scope" of the right.
+
+```php
+/**
+ * @Query
+ * @Security("is_granted('POST_SHOW', post)")
+ */
+public function getPost(Post $post): array
+{
+    // ...
+}
+```
+
+In the example above, the `getPost` method can be called only if the logged user has the 'POST_SHOW' permission on the
+`$post` object. You can notice that the `$post` object comes from the parameters.
+
+## Accessing method parameters
+
+All parameters passed to the method can be accessed in the `@Security` expression.
+
+```php
+/**
+ * @Query
+ * @Security("startDate < endDate", statusCode=400, message="End date must be after start date")
+ */
+public function getPosts(DateTimeImmutable $startDate, DateTimeImmutable $endDate): array
+{
+    // ...
+}
+```
+
+In the example above, we tweak a bit the Security annotation purpose to do simple input validation.
+
+## Setting HTTP code and error message
+
+You can use the `statusCode` and `message` attributes to set the HTTP code and GraphQL error message.
+
+```php
+/**
+ * @Query
+ * @Security("is_granted('POST_SHOW', post)", statusCode=404, message="Post not found (let's pretend the post does not exists!)")
+ */
+public function getPost(Post $post): array
+{
+    // ...
+}
+```
+
+Note: since a single GraphQL call contain many errors, 2 errors might have conflicting HTTP status code.
+The resulting status code is up to the GraphQL middleware you use. Most of the time, the status code with the 
+higher error code will be returned.
+
+## Accessing the user
+
+You can use the `user` variable to access the currently logged user.
+You can use the `is_logged()` function to check if a user is logged or not.
+
+```php
+/**
+ * @Query
+ * @Security("is_logged() && user.age > 18")
+ */
+public function getNSFWImages(): array
+{
+    // ...
+}
+```
+
+## Accessing the current object
+
+You can use the `this` variable to access any (public) property / method of the current class.
+
+```php
+class Post {
+    /**
+     * @Query
+     * @Security("this.canAccess(post, user)")
+     */
+    public function getPost(Post $post): array
+    {
+        // ...
+    }
+   
+    public function canAccess(Post $post, User $user): bool
+    {
+        // Some custom logic here
+    }
+}
+```
+
+## Available scope
+
+The `@Security` annotation can be used in any query, mutation or field, so anywhere you have a `@Query`, `@Mutation`
+or `@Field` annotation.
+
+## How to restrict a given resource
+
+The `is_granted` method can be used to restrict access to a specific resource.
+
+```php
+@Security("is_granted('POST_SHOW', post)")
+```
+
+If you are wondering how to configure these fine-grained permissions, this is not something that GraphQLite handles 
+itself. Instead, this depends on the framework you are using.
+
+If you are using Symfony, you will [create a custom voter](https://symfony.com/doc/current/security/voters.html).
+
+If you are using Laravel, you will [create a Gate or a Policy](https://laravel.com/docs/6.x/authorization).
+
+If you are using another framework, you need to know that the `is_granted` function simply forwards the call to 
+the `isAllowed` method of the configured `AuthorizationSerice`. See [Connecting GraphQLite to your framework's security module
+](implementing-security.md) for more details

docs/implementing-security.md

@@ -0,0 +1,58 @@
+---
+id: implementing-security
+title: Connecting GraphQLite to your framework's security module
+sidebar_label: Connecting security to your framework
+---
+
+<div class="alert alert-info">
+    This step is NOT necessary for users using GraphQLite through the Symfony Bundle or the Laravel package
+</div>
+
+GraphQLite needs to know if a user is logged or not, and what rights it has.
+But this is specific of the framework you use.
+
+To plug GraphQLite to your framework's security mechanism, you will have to provide two classes implementing: 
+
+* `TheCodingMachine\GraphQLite\Security\AuthenticationServiceInterface`
+* `TheCodingMachine\GraphQLite\Security\AuthorizationServiceInterface`
+
+Those two interfaces act as adapters between GraphQLite and your framework:
+
+```php
+interface AuthenticationServiceInterface
+{
+    /**
+     * Returns true if the "current" user is logged
+     */
+    public function isLogged(): bool;
+
+    /**
+     * Returns an object representing the current logged user.
+     * Can return null if the user is not logged.
+     */
+    public function getUser(): ?object;
+}
+``` 
+
+```php
+interface AuthorizationServiceInterface
+{
+    /**
+     * Returns true if the "current" user has access to the right "$right"
+     *
+     * @param mixed $subject The scope this right applies on. $subject is typically an object or a FQCN. Set $subject to "null" if the right is global.
+     */
+    public function isAllowed(string $right, $subject = null): bool;
+}
+```
+
+You need to write classes that implement these interfaces. Then, you must register those classes with GraphQLite.
+It you are [using the `SchemaFactory`](other_frameworks.md), you can register your classes using:
+
+```php
+// Configure an authentication service (to resolve the @Logged annotations).
+$schemaFactory->setAuthenticationService($myAuthenticationService);
+// Configure an authorization service (to resolve the @Right annotations).
+$schemaFactory->setAuthorizationService($myAuthorizationService);
+```
+

docs/other_frameworks.md

@@ -281,4 +281,4 @@ return new Picotainer([
 
 And we are done! You can now test your query using your favorite GraphQL client.
 
-![](../img/query1.png)
+![](assets/query1.png)

docs/queries.md

@@ -56,7 +56,7 @@ The easiest way to test a GraphQL endpoint is to use [GraphiQL](https://github.c
 
 Here a query using our simple *Hello World* example:
 
-![](../img/query1.png)
+![](/img/query1.png)
 
 ## Query with a type
 

website/sidebars.json

@@ -2,7 +2,8 @@
   "docs": {
     "Introduction": ["features"],
     "Installation": ["getting-started", "symfony-bundle", "laravel-package", "universal_service_providers", "other-frameworks"],
-    "Usage": ["queries", "mutations", "type_mapping", "autowiring", "extend_type", "authentication_authorization", "external_type_declaration", "input-types", "inheritance-interfaces"],
+    "Usage": ["queries", "mutations", "type_mapping", "autowiring", "extend_type", "external_type_declaration", "input-types", "inheritance-interfaces"],
+    "Security": ["authentication_authorization", "fine-grained-security", "implementing-security"],
     "Performance": ["query-plan", "prefetch-method"],
     "Advanced": ["file-uploads", "pagination", "custom-types", "field-middlewares", "extend_input_type", "multiple_output_types", "symfony-bundle-advanced", "internals", "troubleshooting", "migrating"],
     "Reference": ["annotations_reference"]