Authorization "AFTER" rules triggered in the middle of mutation in connect operations

[angrykoala]

Given the following typeDefs:

type Group @node @authorization(validate: [{
    operations: [CREATE_RELATIONSHIP],
    when: AFTER,
    where: {node: {invitees_SOME: { email: {eq: "an email"}}}}
}]) {
    id: ID! @id
    name: String!
    invitees: [${Invitee}!]! @relationship(type: "INVITED_TO", direction: IN, aggregate: true)
}

type Invitee
    @node
    {
    id: ID! @id
    group: [${Group}!]! @relationship(type: "INVITED_TO", direction: OUT)
    email: String!
}

And the following database setup:

CREATE (:Group { id: "an-id", name: "groupymcgroupface" });

The following query should pass authorization. Note that an invitee is created and connected to both Groups (existing and newly created). The authorization rule should be executed at the end and pass:

mutation {
    createGroup(
        input: [
            {
                name: "My Name"
                invitees: {
                    create: [
                        {
                            node: {
                                email: "an email"
                                group: { connect: [{ where: { node: { id_EQ: "an-id" } } }] }
                            }
                        }
                    ]
                }
            }
        ]
    ) {
        groups {
            invitees {
                email
            }
        }

This query instead fails, because the authorization check where: {node: {invitees_SOME: { email: {eq: "an email"}}}} is done before the connection is done in the Cypher

[neo4j-team-graphql]

We've been able to confirm this bug using the steps to reproduce that you provided - many thanks @angrykoala! 🙏 We will now prioritise the bug and address it appropriately.