feat(router): add introspection authentication bypass feature

router-tests/batch_test.go

@@ -333,11 +333,18 @@ func TestBatch(t *testing.T) {
 		t.Parallel()
 
 		authenticators, authServer := ConfigureAuth(t)
+		accessController, err := core.NewAccessController(core.AccessControllerOptions{
+			Authenticators:           authenticators,
+			AuthenticationRequired:   false,
+			SkipIntrospectionQueries: false,
+			IntrospectionSkipSecret:  "",
+		})
+		require.NoError(t, err)
 
 		testenv.Run(t,
 			&testenv.Config{
 				RouterOptions: []core.Option{
-					core.WithAccessController(core.NewAccessController(authenticators, false)),
+					core.WithAccessController(accessController),
 				},
 				BatchingConfig: config.BatchingConfig{
 					Enabled:            true,
@@ -692,14 +699,22 @@ func TestBatch(t *testing.T) {
 		t.Parallel()
 
 		authenticators, authServer := ConfigureAuth(t)
+		accessController, err := core.NewAccessController(core.AccessControllerOptions{
+			Authenticators:           authenticators,
+			AuthenticationRequired:   false,
+			SkipIntrospectionQueries: false,
+			IntrospectionSkipSecret:  "",
+		})
+		require.NoError(t, err)
+
 		testenv.Run(t, &testenv.Config{
 			BatchingConfig: config.BatchingConfig{
 				Enabled:            true,
 				MaxConcurrency:     10,
 				MaxEntriesPerBatch: 100,
 			},
 			RouterOptions: []core.Option{
-				core.WithAccessController(core.NewAccessController(authenticators, false)),
+				core.WithAccessController(accessController),
 				core.WithRouterTrafficConfig(&config.RouterTrafficConfiguration{
 					MaxRequestBodyBytes:  5 << 20, // 5MiB
 					DecompressionEnabled: true,

router-tests/block_operations_test.go

@@ -150,9 +150,17 @@ func TestBlockOperations(t *testing.T) {
 			t.Parallel()
 
 			authenticators, authServer := ConfigureAuth(t)
+			accessController, err := core.NewAccessController(core.AccessControllerOptions{
+				Authenticators:           authenticators,
+				AuthenticationRequired:   false,
+				SkipIntrospectionQueries: false,
+				IntrospectionSkipSecret:  "",
+			})
+			require.NoError(t, err)
+
 			testenv.Run(t, &testenv.Config{
 				RouterOptions: []core.Option{
-					core.WithAccessController(core.NewAccessController(authenticators, false)),
+					core.WithAccessController(accessController),
 				},
 				ModifySecurityConfiguration: func(securityConfiguration *config.SecurityConfiguration) {
 					securityConfiguration.BlockMutations = config.BlockOperationConfiguration{
@@ -303,10 +311,17 @@ func TestBlockOperations(t *testing.T) {
 			t.Parallel()
 
 			authenticators, authServer := ConfigureAuth(t)
+			accessController, err := core.NewAccessController(core.AccessControllerOptions{
+				Authenticators:           authenticators,
+				AuthenticationRequired:   false,
+				SkipIntrospectionQueries: false,
+				IntrospectionSkipSecret:  "",
+			})
+			require.NoError(t, err)
 
 			testenv.Run(t, &testenv.Config{
 				RouterOptions: []core.Option{
-					core.WithAccessController(core.NewAccessController(authenticators, false)),
+					core.WithAccessController(accessController),
 					core.WithAuthorizationConfig(&config.AuthorizationConfiguration{
 						RejectOperationIfUnauthorized: false,
 					}),
@@ -395,14 +410,21 @@ func TestBlockOperations(t *testing.T) {
 			t.Parallel()
 
 			authenticators, authServer := ConfigureAuth(t)
+			accessController, err := core.NewAccessController(core.AccessControllerOptions{
+				Authenticators:           authenticators,
+				AuthenticationRequired:   false,
+				SkipIntrospectionQueries: false,
+				IntrospectionSkipSecret:  "",
+			})
+			require.NoError(t, err)
 
 			testenv.Run(t, &testenv.Config{
 				ModifyWebsocketConfiguration: func(cfg *config.WebSocketConfiguration) {
 					cfg.Authentication.FromInitialPayload.Enabled = true
 					cfg.Enabled = true
 				},
 				RouterOptions: []core.Option{
-					core.WithAccessController(core.NewAccessController(authenticators, false)),
+					core.WithAccessController(accessController),
 					core.WithAuthorizationConfig(&config.AuthorizationConfiguration{
 						RejectOperationIfUnauthorized: false,
 					}),

router-tests/header_set_test.go

@@ -275,13 +275,21 @@ func TestHeaderSetWithExpression(t *testing.T) {
 		authenticator, err := authentication.NewHttpHeaderAuthenticator(authOptions)
 		require.NoError(t, err)
 
+		accessController, err := core.NewAccessController(core.AccessControllerOptions{
+			Authenticators:           []authentication.Authenticator{authenticator},
+			AuthenticationRequired:   true,
+			SkipIntrospectionQueries: false,
+			IntrospectionSkipSecret:  "",
+		})
+		require.NoError(t, err)
+
 		token, err := authServer.TokenForKID(rsa1.KID(), map[string]any{"user_id": "TestId"}, false)
 		require.NoError(t, err)
 
 		testenv.Run(t, &testenv.Config{
 			RouterOptions: append(
 				global(customHeader, `request.auth.claims.user_id`),
-				core.WithAccessController(core.NewAccessController([]authentication.Authenticator{authenticator}, true)),
+				core.WithAccessController(accessController),
 			),
 		}, func(t *testing.T, xEnv *testenv.Environment) {
 			res := xEnv.MakeGraphQLRequestOK(testenv.GraphQLRequest{

router-tests/modules/router_on_request_test.go

@@ -2,11 +2,12 @@ package module_test
 
 import (
 	"encoding/json"
-	"github.com/wundergraph/cosmo/router-tests/modules/router-on-request"
-	"go.uber.org/zap/zapcore"
 	"net/http"
 	"testing"
 
+	router_on_request "github.com/wundergraph/cosmo/router-tests/modules/router-on-request"
+	"go.uber.org/zap/zapcore"
+
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/wundergraph/cosmo/router-tests/testenv"
@@ -69,9 +70,17 @@ func TestRouterOnRequestHook(t *testing.T) {
 			},
 		}
 
+		accessController, err := core.NewAccessController(core.AccessControllerOptions{
+			Authenticators:           authenticators,
+			AuthenticationRequired:   true,
+			SkipIntrospectionQueries: false,
+			IntrospectionSkipSecret:  "",
+		})
+		require.NoError(t, err)
+
 		testenv.Run(t, &testenv.Config{
 			RouterOptions: []core.Option{
-				core.WithAccessController(core.NewAccessController(authenticators, true)),
+				core.WithAccessController(accessController),
 				core.WithModulesConfig(cfg.Modules),
 				core.WithCustomModules(&router_on_request.RouterOnRequestModule{}),
 			},

router-tests/modules/set_authentication_scopes_test.go

@@ -32,9 +32,17 @@ func TestCustomModuleSetAuthenticationScopes(t *testing.T) {
 			},
 		}
 		authenticators, authServer := configureAuth(t)
+		accessController, err := core.NewAccessController(core.AccessControllerOptions{
+			Authenticators:           authenticators,
+			AuthenticationRequired:   false,
+			SkipIntrospectionQueries: false,
+			IntrospectionSkipSecret:  "",
+		})
+		require.NoError(t, err)
+
 		testenv.Run(t, &testenv.Config{
 			RouterOptions: []core.Option{
-				core.WithAccessController(core.NewAccessController(authenticators, false)),
+				core.WithAccessController(accessController),
 				core.WithModulesConfig(cfg.Modules),
 				core.WithCustomModules(&setScopesModule.SetAuthenticationScopesModule{}, &verifyScopes.VerifyScopesModule{}),
 			},
@@ -73,9 +81,17 @@ func TestCustomModuleSetAuthenticationScopes(t *testing.T) {
 			},
 		}
 		authenticators, authServer := configureAuth(t)
+		accessController, err := core.NewAccessController(core.AccessControllerOptions{
+			Authenticators:           authenticators,
+			AuthenticationRequired:   false,
+			SkipIntrospectionQueries: false,
+			IntrospectionSkipSecret:  "",
+		})
+		require.NoError(t, err)
+
 		testenv.Run(t, &testenv.Config{
 			RouterOptions: []core.Option{
-				core.WithAccessController(core.NewAccessController(authenticators, false)),
+				core.WithAccessController(accessController),
 				core.WithModulesConfig(cfg.Modules),
 				core.WithCustomModules(&setScopesModule.SetAuthenticationScopesModule{}, &verifyScopes.VerifyScopesModule{}),
 			},
@@ -116,9 +132,17 @@ func TestCustomModuleSetAuthenticationScopes(t *testing.T) {
 			},
 		}
 		authenticators, authServer := configureAuth(t)
+		accessController, err := core.NewAccessController(core.AccessControllerOptions{
+			Authenticators:           authenticators,
+			AuthenticationRequired:   false,
+			SkipIntrospectionQueries: false,
+			IntrospectionSkipSecret:  "",
+		})
+		require.NoError(t, err)
+
 		testenv.Run(t, &testenv.Config{
 			RouterOptions: []core.Option{
-				core.WithAccessController(core.NewAccessController(authenticators, false)),
+				core.WithAccessController(accessController),
 				core.WithModulesConfig(cfg.Modules),
 				core.WithCustomModules(&setScopesModule.SetAuthenticationScopesModule{}, &verifyScopes.VerifyScopesModule{}),
 			},

router-tests/modules/set_scopes_test.go

@@ -61,9 +61,17 @@ func TestCustomModuleSetScopes(t *testing.T) {
 			},
 		}
 		authenticators, authServer := configureAuth(t)
+		accessController, err := core.NewAccessController(core.AccessControllerOptions{
+			Authenticators:           authenticators,
+			AuthenticationRequired:   false,
+			SkipIntrospectionQueries: false,
+			IntrospectionSkipSecret:  "",
+		})
+		require.NoError(t, err)
+
 		testenv.Run(t, &testenv.Config{
 			RouterOptions: []core.Option{
-				core.WithAccessController(core.NewAccessController(authenticators, false)),
+				core.WithAccessController(accessController),
 				core.WithModulesConfig(cfg.Modules),
 				core.WithCustomModules(&module.MyModule{}, &setScopesModule.SetScopesModule{}),
 			},
@@ -101,9 +109,17 @@ func TestCustomModuleSetScopes(t *testing.T) {
 			},
 		}
 		authenticators, authServer := configureAuth(t)
+		accessController, err := core.NewAccessController(core.AccessControllerOptions{
+			Authenticators:           authenticators,
+			AuthenticationRequired:   false,
+			SkipIntrospectionQueries: false,
+			IntrospectionSkipSecret:  "",
+		})
+		require.NoError(t, err)
+
 		testenv.Run(t, &testenv.Config{
 			RouterOptions: []core.Option{
-				core.WithAccessController(core.NewAccessController(authenticators, false)),
+				core.WithAccessController(accessController),
 				core.WithModulesConfig(cfg.Modules),
 				core.WithCustomModules(&module.MyModule{}, &setScopesModule.SetScopesModule{}),
 			},

router-tests/prometheus_test.go

@@ -4119,6 +4119,14 @@ func TestPrometheus(t *testing.T) {
 		const claimVal = "customClaimValue"
 
 		authenticators, authServer := ConfigureAuth(t)
+		accessController, err := core.NewAccessController(core.AccessControllerOptions{
+			Authenticators:           authenticators,
+			AuthenticationRequired:   true,
+			SkipIntrospectionQueries: false,
+			IntrospectionSkipSecret:  "",
+		})
+		require.NoError(t, err)
+
 		exporter := tracetest.NewInMemoryExporter(t)
 		metricReader := metric.NewManualReader()
 		promRegistry := prometheus.NewRegistry()
@@ -4128,7 +4136,7 @@ func TestPrometheus(t *testing.T) {
 			MetricReader:       metricReader,
 			PrometheusRegistry: promRegistry,
 			RouterOptions: []core.Option{
-				core.WithAccessController(core.NewAccessController(authenticators, true)),
+				core.WithAccessController(accessController),
 			},
 			CustomMetricAttributes: []config.CustomAttribute{
 				{

router-tests/ratelimit_test.go

@@ -270,9 +270,17 @@ func TestRateLimit(t *testing.T) {
 		require.NoError(t, err)
 		authenticators := []authentication.Authenticator{authenticator}
 
+		accessController, err := core.NewAccessController(core.AccessControllerOptions{
+			Authenticators:           authenticators,
+			AuthenticationRequired:   false,
+			SkipIntrospectionQueries: false,
+			IntrospectionSkipSecret:  "",
+		})
+		require.NoError(t, err)
+
 		testenv.Run(t, &testenv.Config{
 			RouterOptions: []core.Option{
-				core.WithAccessController(core.NewAccessController(authenticators, false)),
+				core.WithAccessController(accessController),
 				core.WithRateLimitConfig(&config.RateLimitConfiguration{
 					Enabled:  true,
 					Strategy: "simple",

router-tests/security_test.go

@@ -2,13 +2,13 @@ package integration
 
 import (
 	"fmt"
-	"github.com/wundergraph/cosmo/router/core"
 	"net/http"
 	"testing"
 
 	"github.com/stretchr/testify/require"
 
 	"github.com/wundergraph/cosmo/router-tests/testenv"
+	"github.com/wundergraph/cosmo/router/core"
 	"github.com/wundergraph/cosmo/router/pkg/config"
 )
 
@@ -341,7 +341,9 @@ func TestQueryNamingLimits(t *testing.T) {
 					securityConfiguration.OperationNameLengthLimit = maxLength
 				},
 				RouterOptions: []core.Option{
-					core.WithIntrospection(false),
+					core.WithIntrospection(false, config.IntrospectionConfiguration{
+						Enabled: false,
+					}),
 				},
 			}, func(t *testing.T, xEnv *testenv.Environment) {
 				expectedErrorMessage := fmt.Sprintf(`{"errors":[{"message":"operation name of length %d exceeds max length of %d"}]}`, len(query1Name), maxLength)