Add NotAuthorizedNodeType cop

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## master
 
+- [PR#115](https://github.com/DmitryTsepelev/rubocop-graphql/pull/115) Add NotAuthorizedNodeType cop ([@DmitryTsepelev][])
 - [PR#114](https://github.com/DmitryTsepelev/rubocop-graphql/pull/114) Add MaxDepthSchema and MaxComplextySchema cops ([@DmitryTsepelev][])
 - [PR#113](https://github.com/DmitryTsepelev/rubocop-graphql/pull/113) Add GraphqlName cop ([@DmitryTsepelev][])
 - [PR#112](https://github.com/DmitryTsepelev/rubocop-graphql/pull/112) Make FieldDefinitions work with modules ([@DmitryTsepelev][])

config/default.yml

@@ -113,6 +113,13 @@ GraphQL/MultipleFieldDefinitions:
   VersionAdded: '0.15.0'
   Description: 'Ensures that fields with multiple definitions are grouped together'
 
+GraphQL/NotAuthorizedNodeType:
+  Enabled: true
+  VersionAdded: '1.0.0'
+  Description: 'Detects types that implement Node interface and not have `.authorized?` check'
+  Include:
+    - '**/graphql/types/**/*'
+
 GraphQL/ResolverMethodLength:
   Enabled: true
   VersionAdded: '0.1.0'

lib/rubocop/cop/graphql/not_authorized_node_type.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GraphQL
+      # Detects types that implement Node interface and not have `.authorized?` check.
+      # Such types can be fetched by ID and therefore should have type level check to
+      # avoid accidental information exposure.
+      #
+      # @example
+      #   # good
+      #
+      #   class UserType < BaseType
+      #     implements GraphQL::Types::Relay::Node
+      #
+      #     field :uuid, ID, null: false
+      #
+      #     def self.authorized?(object, context)
+      #       super && object.owner == context[:viewer]
+      #     end
+      #   end
+      #
+      #   # bad
+      #
+      #   class UserType < BaseType
+      #     implements GraphQL::Types::Relay::Node
+      #
+      #     field :uuid, ID, null: false
+      #   end
+      #
+      class NotAuthorizedNodeType < Base
+        MSG = ".authorized? should be defined for types implementing Node interface."
+
+        # @!method implements_node_type?(node)
+        def_node_matcher :implements_node_type?, <<~PATTERN
+          `(send nil? :implements
+            (const
+              (const
+                (const
+                  (const nil? :GraphQL) :Types) :Relay) :Node))
+        PATTERN
+
+        # @!method has_authorized_method?(node)
+        def_node_matcher :has_authorized_method?, <<~PATTERN
+          `(:defs (:self) :authorized? ...)
+        PATTERN
+
+        def on_class(node)
+          add_offense(node) if implements_node_type?(node) && !has_authorized_method?(node)
+        end
+      end
+    end
+  end
+end

lib/rubocop/cop/graphql_cops.rb

@@ -16,6 +16,7 @@
 require_relative "graphql/max_complexity_schema"
 require_relative "graphql/max_depth_schema"
 require_relative "graphql/multiple_field_definitions"
+require_relative "graphql/not_authorized_node_type"
 require_relative "graphql/resolver_method_length"
 require_relative "graphql/object_description"
 require_relative "graphql/ordered_arguments"

spec/rubocop/cop/graphql/not_authorized_node_type_spec.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+RSpec.describe RuboCop::Cop::GraphQL::NotAuthorizedNodeType, :config do
+  context "when type not implements Node interface" do
+    specify do
+      expect_no_offenses(<<~RUBY, "graphql/types/user_type.rb")
+        class UserType < BaseType
+          field :uuid, ID, null: false
+        end
+      RUBY
+    end
+  end
+
+  context "when type not implements Node interface" do
+    context "when type has .authorized? check" do
+      specify do
+        expect_no_offenses(<<~RUBY, "graphql/types/user_type.rb")
+          class UserType < BaseType
+            implements GraphQL::Types::Relay::Node
+
+            field :uuid, ID, null: false
+
+            def self.authorized?(object, context)
+              super && object.owner == context[:viewer]
+            end
+          end
+        RUBY
+      end
+    end
+
+    context "when type has no .authorized? check" do
+      specify do
+        expect_offense(<<~RUBY, "graphql/types/user_type.rb")
+          class UserType < BaseType
+          ^^^^^^^^^^^^^^^^^^^^^^^^^ .authorized? should be defined for types implementing Node interface.
+            implements GraphQL::Types::Relay::Node
+
+            field :uuid, ID, null: false
+          end
+        RUBY
+      end
+    end
+  end
+end