glye
commented
1 year ago I'm closing this, as given the tag list it looks like 0.13 is dead. Continued for 0.15 in https://github.com/overblog/GraphQLBundle/pull/1131, with an improvement.
Closed glye closed 1 year ago
glye
commented
1 year ago I'm closing this, as given the tag list it looks like 0.13 is dead. Continued for 0.15 in https://github.com/overblog/GraphQLBundle/pull/1131, with an improvement.
(There is a 0.15 port at https://github.com/overblog/GraphQLBundle/pull/1131 Unsure if this will be accepted, will add doc and possibly tests if there is some approval. )
Exceptions and specifically stack traces should not be shown in production. This bundle has a customisable error handler, but as the documentation states: "Only query parsed error won't be replaced.". I could make my own
Parseroverride class which catches the exceptions in prod mode, but then how can I produce a usable JSON response? I needed to modify theGraphControllerto do that.The fix is to check
kernel.debugand catch bad request exceptions. If debug mode is enabled, it rethrows the exception (i.e. works as before). If disabled (prod mode), it instead returns a blank JsonResponse with HTTP 400 Bad Request status code (like the 405 response above it). The simplest manual test is to accessexample.com/graphqlin a browser, in debug and prod modes.Option: As is, the PR returns an empty HTTP 400 response. It might be good to keep the exception message, and just remove the stack trace. I don't know if it's as simple as new JsonResponse($e->getMessage(), 400) because it's a HttpResponse. Would need to see how other errors are modeled here and do something similar. Or maybe if there's a handler displaying that exception it should just display $e->getMessage() instead of (string)$e? Just guessing here. Please let me know if you know the answer.
If rejected, please let me know if you can see ways of doing this in my project without modifying your bundle. Thanks!
Related: It would also be nice to disable introspection in prod mode by default, like shown in the doc. But since it hasn't been done yet, I assume the maintainers aren't keen on it.