feat: ApiKey builder adoption, new samples, and role enums#41
Merged
Conversation
- Adopt the new AddTraxApiKeyAuth(keys => ...) builder surface across GameServer, ChatService, and JobHunt samples. Plaintext switch expressions are gone; keys are salted and hashed under the hood. - Introduce per-sample role enums (GameRole, ChatRole, AuditRole) and use nameof(Role.X) at registration sites so role strings stay in one place and stay consistent with [TraxAuthorize] / RequireRole calls. - New ApiAudit sample: minimal GraphQL host demonstrating the audit pipeline with a console sink (bounded channel, batch writer, principal attribution). - New JobHunt sample: complete GraphQL hub + Next.js client showing per-train authorization, principal-backed ownership, and multi-user flows. Drops the per-sample ApiKeyAuthHandler copies in favor of the unified Trax.Api.Auth.ApiKey package. - ChatService: migrate to the shared resolver package and clean up redundant auth scaffolding.
2 tasks
Samples were reaching for the Func<TraxPrincipal> overload just to set a capitalized display name distinct from the id. Display names are a demo-only nicety, so drop them: id doubles as display name (lowercase). TraxPrincipal is now absent from every sample Program.cs, matching the API design goal of hiding framework types behind the builder surface.
- GameServer.Api: bump MaxExecutionDepth to 6 so model-query chains (dispatch → mutation → output → nested type → field → scalar) clear the Trax default of 4. - GameServer.Scheduler: add AllowMissingAuthorizationService() on the mediator builder. Scheduler is trusted infrastructure and runs [TraxAuthorize]-gated trains that were already authorized at the original API submission point. - GraphQLWebSocketClient (both E2E projects): accept an optional apiKey argument and include it in the connection_init payload. Subscription auth travels in the payload because browsers cannot attach custom headers to a WebSocket upgrade. - SubscriptionTests (both): pass PlayerKey / AliceKey explicitly so the new TraxApiKeySocketInterceptor accepts the connection.
The sample's dispatch → mutation → output → nested type → field → scalar query chain exceeds the Trax default of 4. Matches the GameServer sample's treatment of the same default.
|
This PR is included in version 1.21.0 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
AddTraxApiKeyAuth(keys => ...)builder. No more plaintextswitchexpressions — keys are salted and hashed under the hood and compared in constant time.GameRole,ChatRole,AuditRole) plusnameof(Role.X)at every registration site. Role strings live in one place and stay consistent with[TraxAuthorize]/RequireRolecalls.ApiKeyAuthHandlercopies in favor of the unifiedTrax.Api.Auth.ApiKeypackage.Depends on
Test plan
dotnet buildzero warningsdotnet csharpier check .clean