README.md

# CharonAbsinthe

CharonAbsinthe is an extension package for [Charon](https://hexdocs.pm/charon) to use it with [Absinthe](https://hexdocs.pm/absinthe).

## Table of contents

<!-- TOC -->

- [CharonAbsinthe](#charonabsinthe)
  - [Table of contents](#table-of-contents)
  - [Documentation](#documentation)
  - [How to use](#how-to-use)
    - [Installation](#installation)
    - [Setup the parent package](#setup-the-parent-package)
    - [Create an error handler](#create-an-error-handler)
    - [Configuration](#configuration)
    - [Configure router](#configure-router)
    - [Protect your schema](#protect-your-schema)
    - [Create a session resolver](#create-a-session-resolver)

<!-- /TOC -->

## Documentation

Documentation (including this readme with module links resolved) can be found at [https://hexdocs.pm/charon_absinthe](https://hexdocs.pm/charon_absinthe).

## How to use

### Installation

The package can be installed by adding `charon_absinthe` to your list of dependencies in `mix.exs`:

```elixir
def deps do
  [
    {:charon_absinthe, "~> 0.1.1-beta"}
  ]
end
```

### Setup the parent package

Follow the `Charon` [readme](https://hexdocs.pm/charon/readme.html#protecting-routes) until you've created token pipelines.

### Create an error handler

```elixir
defmodule MyAppWeb.Absinthe do
  def authentication_error(resolution, auth_error_msg) do
    message = "request could not be authenticated: \#{auth_error_msg}"
    extensions = %{error: "authentication_failure", reason: auth_error_msg}
    error = %{message: message, extensions: extensions}
    Absinthe.Resolution.put_result(resolution, {:error, error})
  end
end
```

### Configuration

Additional config is required, see `CharonAbsinthe.Config`.

### Configure router

Add a pipeline with the `CharonAbsinthe.HydrateContextPlug`, route the graphql endpoint through it,
and register the `CharonAbsinthe.send_context_cookies/2` callback as an `Absinthe.Plug` `:before_send` hook.

```elixir
defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  @config Application.compile_env(:my_app, :charon) |> Charon.Config.from_enum()

  pipeline :api do
    plug :accepts, ["json"]
  end

  pipeline :charon_auth do
    plug CharonAbsinthe.HydrateContextPlug, @config
  end

  scope "/api" do
    pipe_through :charon_auth

    forward "/graphql", Absinthe.Plug,
      schema: MyAppWeb.Absinthe.Schema,
      before_send: {CharonAbsinthe, :send_context_cookies}
  end
end
```

### Protect your schema

Normal "auth-required" fields must be protected with `CharonAbsinthe.ReqAuthMiddleware`.
The refresh mutation must be protected with `CharonAbsinthe.ReqRefreshAuthMiddleware`.
Mutations that alter the session (login, logout, refresh, logout-all, logout-other...) must be followed by `CharonAbsinthe.PostSessionChangeMiddleware`.

```elixir
defmodule MyAppWeb.Absinthe.SessionTypes do
  use Absinthe.Schema.Notation
  alias MyAppWeb.Absinthe.SessionResolver
  alias CharonAbsinthe.{ReqAuthMiddleware, ReqRefreshAuthMiddleware, PostSessionChangeMiddleware}

  @config Application.compile_env(:my_app, :charon) |> Charon.Config.from_enum()

  object :session_mutations do
    field :login, type: :login_payload do
      arg :email, non_null(:string)
      arg :password, non_null(:string)
      arg :token_signature_transport, non_null(:string)
      resolve &SessionResolver.login/3
      middleware PostSessionChangeMiddleware
    end

    field :logout, type: :logout_payload do
      middleware ReqAuthMiddleware, @config
      resolve &SessionResolver.logout/3
      middleware PostSessionChangeMiddleware
    end

    field :refresh, type: :refresh_payload do
      middleware ReqRefreshAuthMiddleware, @config
      resolve &SessionResolver.refresh/3
      middleware PostSessionChangeMiddleware
    end
  end
end
```

### Create a session resolver

Error handling is omitted.

```elixir
defmodule MyAppWeb.Absinthe.SessionResolver do
  alias Charon.{Utils, SessionPlugs}
  alias MyApp.{User, Users}

  @config Application.compile_env(:my_app, :charon) |> Charon.Config.from_enum()

  def login(
        _parent,
        _args = %{token_signature_transport: transport, email: email, password: password},
        _resolution = %{context: %{charon_conn: conn}}
      ) do
    with {:ok, user} <- Users.get_by(email: email) |> Users.verify_password(password) do
      conn
      |> Utils.set_token_signature_transport(transport)
      |> Utils.set_user_id(user.id)
      |> SessionPlugs.upsert_session(@config)
      |> token_response()
    end
  end

  def logout(_parent, _args, _resolution = %{context: %{charon_conn: conn}}) do
    conn
    |> SessionPlugs.delete_session(@config)
    |> then(fn conn -> {:ok, %{resp_cookies: conn.resp_cookies}} end)
  end

  def refresh(
        _parent,
        _args,
        _resolution = %{context: %{charon_conn: conn, user_id: user_id}}
      ) do
    with %User{status: "active"} <- Users.get_by(id: user_id) do
      conn |> SessionPlugs.upsert_session(@config) |> token_response()
    end
  end

  ###########
  # Private #
  ###########

  defp token_response(conn) do
    tokens = conn |> Utils.get_tokens() |> Map.from_struct()
    session = conn |> Utils.get_session() |> Map.from_struct()
    {:ok, %{resp_cookies: conn.resp_cookies, tokens: tokens, session: session}}
  end
end
```