Open tarazou9 opened 1 year ago
Is this for GraphQL? We've utilized this working spec for GraphQL over HTTP to help guide our approach to response codes that might not be handled by Hot Chocolate: https://github.com/graphql/graphql-over-http/blob/main/spec/GraphQLOverHTTP.md#body
Hot Chocolate 13 is fully compliant with the new GraphQL over HTTP spec. Hot Chocolate 12 supports the legacy spec version, which will become invalid with the watershed on 1st January 2025.
With 13 you can switch between the legacy mode and the new spec.
We're seeing cases where DAB returns 500 and inside the body is the AUTH_NOT_AUTHENTICATED code. We're wondering if this is expected or if it should instead be returning a 403 directly?
Response Status Code: InternalServerError, Error: {"errors":[{"message":"The current user is not authorized to access this resource.","locations":[{"line":2,"column":5}],"path":["markets"],"extensions":{"code":"AUTH_NOT_AUTHENTICATED"}}]}
@mathos1432 From HotChocolate v12, it looks like 500 is returned when there is only an Error field in the GraphQL response. Do you have an example of the request that returns that auth error?
It depends ... and this is still a discussion in the work group regarding the status code.
In general we follow the Facebook style of this, where 200 is returned in most cases.
500: The response has only errors ...
{ errors: [] }
or data is null
{ errors: [], data: null }
400: Request cannot be parsed or validation failed
200:
{ errors: [], data: { ... } }
or
{ data: { ... } }
At the moment there already is a GraphQL over HTTP spec draft that covers this.
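The legacy status-code rule described in this comment, together with the 500/AUTH_NOT_AUTHENTICATED case reported above, as an added Python example (not Hot Chocolate's or Data API builder's code): it classifies a response body the way the comment says the legacy mode does, and flags an authentication error that surfaced as a 500, which matters because monitoring keyed on status alone would count it as a server fault. The 403 in `proposed_status` is the behaviour the issue asks for, not something DAB does; the `request_rejected` flag standing in for a parse or validation failure is an assumption.

```python
import json
from typing import Any

# Extension code DAB placed in the 500 response quoted in this issue.
AUTH_NOT_AUTHENTICATED = "AUTH_NOT_AUTHENTICATED"


def legacy_status(body: dict[str, Any], request_rejected: bool = False) -> int:
    """HTTP status the legacy (v12-style) mode assigns to a response body.

    Rules as stated in the thread: 400 when the request could not be parsed
    or failed validation (assumed here to be decided by the caller before
    execution); 500 when the body carries only errors or data is null;
    200 otherwise (data present, with or without errors).
    """
    if request_rejected:
        return 400
    has_errors = bool(body.get("errors"))
    if has_errors and body.get("data") is None:  # covers missing and null
        return 500
    return 200


def error_codes(body: dict[str, Any]) -> list[str]:
    """Collect extensions.code values from a GraphQL error list."""
    return [err.get("extensions", {}).get("code", "") for err in body.get("errors", [])]


def masked_auth_failure(status: int, body: dict[str, Any]) -> bool:
    """True when an authentication failure reached the client as a 500."""
    return status == 500 and AUTH_NOT_AUTHENTICATED in error_codes(body)


def proposed_status(body: dict[str, Any]) -> int:
    """Status the issue asks for: 403 on an authentication error, else the legacy rule."""
    if AUTH_NOT_AUTHENTICATED in error_codes(body):
        return 403
    return legacy_status(body)


# Constructed samples: the DAB body quoted in this issue (served with 500),
# plus a normal partial-success response.
DAB_AUTH_BODY = json.loads(
    '{"errors":[{"message":"The current user is not authorized to access '
    'this resource.","locations":[{"line":2,"column":5}],"path":["markets"],'
    '"extensions":{"code":"AUTH_NOT_AUTHENTICATED"}}]}'
)
PARTIAL_OK = {"errors": [{"message": "field failed"}], "data": {"markets": None}}

if __name__ == "__main__":
    print(legacy_status(DAB_AUTH_BODY), masked_auth_failure(500, DAB_AUTH_BODY))
```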
In the case of a missing "X-MS-CLIENT-PRINCIPAL" header, or a query on an entity that requires a role higher than anonymous, it currently returns the Hot Chocolate error, which is a 500 with error code AUTH_NOT_AUTHENTICATED; it should return 403 instead.
Below are the current status codes the engine is returning after testing.