@tobias-tengler tobias-tengler commented Nov 4, 2025

Fixes #7688
Supersedes #7696

  • Adds Analyzer that flags usages of Microsoft authorization attributes on GraphQL types / resolvers
  • Adds code fix to automatically switch to the correct attribute and also transform Roles to a collection if necessary

Copilot AI review requested due to automatic review settings November 4, 2025 21:23
@tobias-tengler tobias-tengler changed the title from "Add WrongAuthorizationAttributeAnalyzer" to "Add Analyzer for Microsoft.AspNetCore.Authorization attribute usage on GraphQL members" Nov 4, 2025
@tobias-tengler tobias-tengler force-pushed the tte/authorization-attribute-analyzer branch 3 times, most recently from 5a32df7 to 8913986 Compare November 4, 2025 21:28

Copilot AI left a comment

Pull Request Overview

This PR adds a new analyzer to detect and prevent the use of Microsoft's ASP.NET Core authorization attributes (Microsoft.AspNetCore.Authorization.AuthorizeAttribute and AllowAnonymousAttribute) in HotChocolate GraphQL types. It enforces the use of HotChocolate's own authorization attributes instead.

Key Changes:

  • New analyzer (WrongAuthorizationAttributeAnalyzer) that reports errors when Microsoft authorization attributes are used on GraphQL types, root types, or their members
  • Code fix provider that automatically replaces Microsoft attributes with HotChocolate equivalents, including transformation of the Roles parameter from string to collection expression
  • Comprehensive test coverage with 15 test cases covering various scenarios

Reviewed Changes

Copilot reviewed 19 out of 19 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| WrongAuthorizationAttributeAnalyzer.cs | Implements the diagnostic analyzer to detect Microsoft authorization attributes on GraphQL types and members |
| WrongAuthorizationAttributeCodeFixProvider.cs | Provides automatic code fixes to replace Microsoft attributes with HotChocolate equivalents |
| Errors.cs | Adds the diagnostic descriptor HC0106 for the wrong authorization attribute error |
| WrongAuthorizationAttributeAnalyzerTests.cs | Contains test cases for both error and no-error scenarios |
| TestHelper.cs | Updated to include required assembly references and register the new analyzer |
| 15 snapshot files | Expected test output snapshots showing generated code and analyzer diagnostics |

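An added illustration (not code from this pull request) of the kind of usage the description and review above refer to. The `AuditEntry` type, the `AuditQueries` class, the role names and the `BEFORE_FIX` symbol are hypothetical, and the exact text the code fix emits is an assumption based on the description of the `Roles` transformation.

```csharp
// Assumes the HotChocolate.AspNetCore and HotChocolate.AspNetCore.Authorization
// packages and C# 12; all type, member and role names here are hypothetical.
using System.Collections.Generic;
using HotChocolate;
using HotChocolate.Types;

public record AuditEntry(string Actor, string Action);

[QueryType]
public static class AuditQueries
{
#if BEFORE_FIX
    // Before: the ASP.NET Core attribute compiles, but the linked issue calls it
    // a no-op on GraphQL members, so the role requirement is never evaluated.
    // This is the usage the description says the analyzer reports (HC0106).
    [Microsoft.AspNetCore.Authorization.Authorize(Roles = "Admin,Auditor")]
#else
    // After: HotChocolate's own attribute. Its Roles property is a string array,
    // so the comma-separated string becomes a collection expression.
    [HotChocolate.Authorization.Authorize(Roles = ["Admin", "Auditor"])]
#endif
    public static IEnumerable<AuditEntry> GetAuditLog()
        => [new AuditEntry("alice", "login")]; // constructed sample data

#if BEFORE_FIX
    [Microsoft.AspNetCore.Authorization.AllowAnonymous]
#else
    [HotChocolate.Authorization.AllowAnonymous]
#endif
    public static string GetServiceStatus() => "ok";
}

// The HotChocolate attributes only take effect when authorization is enabled
// on the GraphQL server, e.g. services.AddGraphQLServer().AddAuthorization().
```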

github-actions bot commented Nov 4, 2025

🚀 Performance Test Results

📊 Response Time

Current

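| Test | Min | Med | Max | Avg | P90 | P95 | P99 |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Single Fetch | 0.77ms | 1.53ms | 22.34ms | 2.06ms | 3.31ms | 4.28ms | 9.15ms |
| DataLoader | 1.70ms | 3.18ms | 91.02ms | 4.57ms | 9.10ms | 13.21ms | 21.30ms |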

Baseline

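| Test | Min | Med | Max | Avg | P90 | P95 | P99 |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Single Fetch | 0.76ms | 1.62ms | 20.52ms | 2.15ms | 3.46ms | 4.54ms | 9.39ms |
| DataLoader | 1.67ms | 3.15ms | 80.31ms | 4.77ms | 8.92ms | 13.70ms | 24.02ms |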

Change vs Baseline

| Test | Min | Med | Max | Avg | P90 | P95 | P99 |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Single Fetch | ✅ (1.45% worse) | 🎉 (5.42% better) | ⚠️ (8.87% worse) | ✅ (4.05% better) | ✅ (4.46% better) | 🎉 (5.59% better) | ✅ (2.51% better) |
| DataLoader | ✅ (1.79% worse) | ✅ (0.97% worse) | ⚠️ (13.34% worse) | ✅ (4.16% better) | ✅ (2.06% worse) | ✅ (3.60% better) | 🎉 (11.33% better) |

⚡ Throughput

| Test | Metric | Current | Baseline | Change |
| --- | --- | --- | --- | --- |
| Single Fetch | Requests/sec | 394.52 req/s | 394.42 req/s | ✅ (0.03% better) |
| DataLoader | Requests/sec | 393.15 req/s | 393.27 req/s | ✅ (0.03% worse) |

🎯 Reliability

| Test | Error Rate |
| --- | --- |
| Single Fetch | 0.00% ✅ |
| DataLoader | 0.00% ✅ |

🔍 Analysis

✅ No significant performance regression detected


Run 19083356710 • Commit 9b419ea • Tue, 04 Nov 2025 21:45:05 GMT

@tobias-tengler tobias-tengler force-pushed the tte/authorization-attribute-analyzer branch from 8913986 to d25869a Compare November 5, 2025 07:27

github-actions bot commented Nov 5, 2025

🚀 Performance Test Results

📊 Response Time

Current

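| Test | Min | Med | Max | Avg | P90 | P95 | P99 |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Single Fetch | 0.76ms | 1.60ms | 16.64ms | 2.06ms | 3.15ms | 4.17ms | 8.90ms |
| DataLoader | 1.65ms | 3.16ms | 59.08ms | 4.43ms | 8.51ms | 12.09ms | 19.30ms |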

Baseline

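| Test | Min | Med | Max | Avg | P90 | P95 | P99 |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Single Fetch | 0.77ms | 1.60ms | 17.77ms | 2.05ms | 3.43ms | 4.51ms | 8.80ms |
| DataLoader | 1.67ms | 3.10ms | 75.04ms | 4.50ms | 8.79ms | 12.84ms | 20.40ms |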

Change vs Baseline

| Test | Min | Med | Max | Avg | P90 | P95 | P99 |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Single Fetch | ✅ (0.30% better) | ✅ (0.13% worse) | 🎉 (6.40% better) | ✅ (0.64% worse) | 🎉 (8.23% better) | 🎉 (7.45% better) | ✅ (1.13% worse) |
| DataLoader | ✅ (1.15% better) | ✅ (2.08% worse) | 🎉 (21.26% better) | ✅ (1.55% better) | ✅ (3.16% better) | 🎉 (5.84% better) | 🎉 (5.36% better) |

⚡ Throughput

| Test | Metric | Current | Baseline | Change |
| --- | --- | --- | --- | --- |
| Single Fetch | Requests/sec | 394.40 req/s | 394.44 req/s | ✅ (0.01% worse) |
| DataLoader | Requests/sec | 393.36 req/s | 393.24 req/s | ✅ (0.03% better) |

🎯 Reliability

| Test | Error Rate |
| --- | --- |
| Single Fetch | 0.00% ✅ |
| DataLoader | 0.00% ✅ |

🔍 Analysis

✅ No significant performance regression detected


Run 19094534550 • Commit e6014f0 • Wed, 05 Nov 2025 07:43:51 GMT

@tobias-tengler tobias-tengler merged commit 60f2c1e into main Nov 5, 2025
112 checks passed
@tobias-tengler tobias-tengler deleted the tte/authorization-attribute-analyzer branch November 5, 2025 07:48

codecov bot commented Nov 5, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0.00%. Comparing base (2e872d7) to head (d25869a).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@     Coverage Diff      @@
##   main   #8869   +/-   ##
============================
============================

Development

Successfully merging this pull request may close these issues.

Detect no-op Microsoft.AspNetCore.Authorization.AuthorizeAttribute