Exceptions and specifically stack traces should not be shown in production. This bundle has a customisable error handler, but as the documentation states: "Only query parsed error won't be replaced." I could make my own Parser override class which catches the exceptions in prod mode, but then how can I produce a usable JSON response? I needed to modify the GraphController to do that.
The fix is to check kernel.debug and catch bad request exceptions. If debug mode is enabled, it rethrows the exception (i.e. works as before). If disabled (prod mode), it instead returns a blank JsonResponse with HTTP 400 Bad Request status code (like the 405 response above it). The simplest manual test is to access example.com/graphql in a browser, in debug and prod modes.
Option: As is, the PR returns an empty HTTP 400 response. It might be good to keep the exception message, and just remove the stack trace. I don't know if it's as simple as `new JsonResponse($e->getMessage(), 400)` because it's an HttpResponse. Would need to see how other errors are modeled here and do something similar. Or maybe if there's a handler displaying that exception it should just display `$e->getMessage()` instead of `(string)$e`? Just guessing here. Please let me know if you know the answer.
If rejected, please let me know if you can see ways of doing this in my project without modifying your bundle. Thanks!
Related: It would also be nice to disable introspection in prod mode by default, like shown in the doc. But since it hasn't been done yet, I assume the maintainers aren't keen on it.
(There is a 0.15 port at https://github.com/overblog/GraphQLBundle/pull/1131 Unsure if this will be accepted, will add doc and possibly tests if there is some approval. )
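The debug-gated handling the PR describes, written out as an added example (this is not the bundle's code or the PR's diff): in debug mode the exception is rethrown so the usual trace page appears, in prod mode the client gets a 400 whose JSON body carries only the message, in the error shape the GraphQL spec defines. The helper name `handleParseFailure`, the stand-in exception class and the controller sketch are assumptions; `kernel.debug`, `JsonResponse` and `Response::HTTP_BAD_REQUEST` are standard Symfony.

```php
<?php
// Added example, not the bundle's code. Assumed: handleParseFailure() is our
// own helper, \RuntimeException stands in for whatever the parser throws,
// and $debug is the value of the kernel.debug container parameter.

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Response;

function handleParseFailure(\Throwable $e, bool $debug): JsonResponse
{
    // Debug mode: keep the existing behaviour and let Symfony render the
    // full exception page, stack trace included.
    if ($debug) {
        throw $e;
    }

    // Production: answer with the GraphQL-spec error shape and only the
    // message. (string)$e would embed the trace, so it is never used here.
    // If the parser's message could itself reveal internals, replace it
    // with a fixed string such as 'Malformed GraphQL request'.
    return new JsonResponse(
        ['errors' => [['message' => $e->getMessage()]]],
        Response::HTTP_BAD_REQUEST
    );
}

// Usage sketch inside a controller action (hypothetical $parser):
// try {
//     $body = $parser->parse($request);
// } catch (\RuntimeException $e) {
//     return handleParseFailure($e, $this->getParameter('kernel.debug'));
// }
```

Checking the two modes is the same manual test the description suggests: request `/graphql` with a deliberately malformed body once with `APP_DEBUG=1` and once with it off, and confirm the prod response contains no trace.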