Skip to content

feat: support contextual tuples and context in checks#169

Open
Adrastopoulos wants to merge 3 commits into
openfga:mainfrom
Adrastopoulos:feat/contextual-tuples
Open

feat: support contextual tuples and context in checks#169
Adrastopoulos wants to merge 3 commits into
openfga:mainfrom
Adrastopoulos:feat/contextual-tuples

Conversation

@Adrastopoulos

@Adrastopoulos Adrastopoulos commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Adds check(...) overloads that take contextual tuples and a context object, for the scenarios in #43 (group membership supplied per-request, attribute/time conditions, etc.). The existing signatures are untouched and just delegate with nulls, so @PreAuthorize SpEL usage keeps working.

Closes #43.

Add check(...) overloads that accept contextual tuples and a context
object, which are evaluated as if those tuples existed in the store and
used to satisfy conditions defined in the authorization model.

Closes openfga#43
Copilot AI review requested due to automatic review settings June 25, 2026 17:16
@Adrastopoulos Adrastopoulos requested a review from a team as a code owner June 25, 2026 17:16
@coderabbitai

coderabbitai Bot commented Jun 25, 2026

Copy link
Copy Markdown

Review Change Stack

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e9045070-026a-4e14-b623-66d4c7f428d5

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Walkthrough

OpenFga adds check overloads that accept contextual tuples and an optional context object. When user ID is omitted, the method reads Spring Security authentication to derive it. Tests cover request propagation, principal-based resolution, and the missing-authentication failure case.

Changes

Contextual check support

Layer / File(s) Summary
Security-context user resolution
src/main/java/dev/openfga/OpenFga.java, src/test/java/dev/openfga/OpenFgaTest.java
OpenFga delegates the existing check overload through the contextual path, resolves userId from SecurityContextHolder when needed, and adds test imports, cleanup, and coverage for the derived-user and missing-authentication paths.
Contextual request payload
src/main/java/dev/openfga/OpenFga.java, src/test/java/dev/openfga/OpenFgaTest.java
OpenFga sets contextualTuples and context on ClientCheckRequest only when present, and tests verify those fields are forwarded with the request body.

Sequence Diagram(s)

sequenceDiagram
  participant OpenFga
  participant SecurityContextHolder
  participant fgaClient
  OpenFga->>SecurityContextHolder: getContext().getAuthentication()
  SecurityContextHolder-->>OpenFga: Authentication or null
  OpenFga->>OpenFga: delegate check(... userId, contextualTuples, context)
  OpenFga->>fgaClient: check(ClientCheckRequest)
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly states the main change: adding contextual tuples and context support to checks.
Linked Issues check ✅ Passed The PR adds the requested check overloads for contextual tuples and context, and the tests cover both explicit and principal-derived flows.
Out of Scope Changes check ✅ Passed The changes stay focused on contextual check support and related tests, with no obvious unrelated additions.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds first-class support for OpenFGA “contextual tuples” and a request context payload when performing authorization checks via the OpenFga helper, enabling advanced evaluation scenarios (e.g., request-time group membership and condition inputs) while preserving existing check(...) method signatures used by Spring Security SpEL.

Changes:

  • Introduces new OpenFga.check(...) overloads that accept List<ClientTupleKey> contextualTuples and an Object context (both explicit-user and security-context-derived user forms).
  • Keeps existing check(...) APIs intact by delegating to the new overloads with null contextual parameters.
  • Adds unit tests for contextual tuples + context, and clears SecurityContextHolder after each test to avoid cross-test leakage.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
src/main/java/dev/openfga/OpenFga.java Adds check(...) overloads to optionally attach contextual tuples and condition context to ClientCheckRequest.
src/test/java/dev/openfga/OpenFgaTest.java Adds tests for contextual tuple/context variants and clears SecurityContextHolder after each test.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/main/java/dev/openfga/OpenFga.java
Comment thread src/test/java/dev/openfga/OpenFgaTest.java Outdated
Comment thread src/test/java/dev/openfga/OpenFgaTest.java Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
src/main/java/dev/openfga/OpenFga.java (1)

94-106: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Delegate the legacy principal-derived overload through this path.

The new overload duplicates the same SecurityContextHolder lookup and exception message that already exists in check(..., userType). Point the 4-arg overload at this method (or extract a small helper) so auth-resolution behavior only has one implementation to keep in sync.

Suggested diff
 public boolean check(String objectType, String objectId, String relation, String userType) {
-    var authentication = SecurityContextHolder.getContext().getAuthentication();
-    if (authentication == null) {
-        throw new IllegalStateException(
-                "No user provided, and no authentication could be found in the security context");
-    }
-    return check(objectType, objectId, relation, userType, authentication.getName());
+    return check(objectType, objectId, relation, userType, null, null);
 }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/main/java/dev/openfga/OpenFga.java` around lines 94 - 106, The 4-arg
check overload duplicates the SecurityContextHolder authentication lookup and
exception handling already present in the principal-derived path. Update
check(String objectType, String objectId, String relation, String userType,
List<ClientTupleKey> contextualTuples, Object context) to delegate through the
existing overload that resolves the principal, or extract a shared helper used
by both check methods. Keep the authentication resolution and
IllegalStateException message in one place so OpenFga.check stays consistent.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@src/main/java/dev/openfga/OpenFga.java`:
- Around line 94-106: The 4-arg check overload duplicates the
SecurityContextHolder authentication lookup and exception handling already
present in the principal-derived path. Update check(String objectType, String
objectId, String relation, String userType, List<ClientTupleKey>
contextualTuples, Object context) to delegate through the existing overload that
resolves the principal, or extract a shared helper used by both check methods.
Keep the authentication resolution and IllegalStateException message in one
place so OpenFga.check stays consistent.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7c234694-6217-4eaa-b648-16fdbaed1add

📥 Commits

Reviewing files that changed from the base of the PR and between 558d492 and e08082d.

📒 Files selected for processing (2)
  • src/main/java/dev/openfga/OpenFga.java
  • src/test/java/dev/openfga/OpenFgaTest.java

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feature: support contextual tuples and context params

3 participants