Open SupImDos opened 1 month ago
Hey @SupImDos ,
I see your point and I totally agree with you!
Since you already opened a PR recently and are somewhat more familiar with the code, do you want to try to open a PR to solve this? You can ping me on Discord if you need any help with this.
Otherwise I'll try to tackle this once I get some spare time.
Overview
The parsing and validation of Relay global IDs trusts the input too much. Malformed payloads can be constructed to cause various exceptions which precipitate in error messages that expose various levels of implementation details.
Describe the Bug
Global IDs appear to be parsed and validated slightly differently depending on the context in which they are used. As such, I've investigated providing malformed global IDs in the following contexts:
- `id` provided to retrieve the instance in `update`/`delete` CUD mutations
- `id` provided as input for related fields in `create`/`update` CUD mutations
The current behaviour for these contexts is outlined in the tables below:
Scenario 1: The `id` provided to retrieve the instance in `update`/`delete` CUD mutations
<Correct Model> matching query does not exist.
Field 'id' expected a number but got 'Garbage'.
Cannot resolve. GlobalID requires <Correct Model>, received <Incorrect Model Instance>. Verify that the supplied ID is intended for this Query/Mutation/Subscription.
<Incorrect Model> matching query does not exist.
Field 'id' expected a number but got 'Garbage'.
Cannot resolve. GlobalID requires a GraphQL type, received ``Garbage``.
Expected value of type 'GlobalID!', found \"R2FyYmFnZQ==\"; ['Garbage'] expected to contain only 2 items
Expected value of type 'GlobalID!', found \"\"; [''] expected to contain only 2 items
Scenario 2: The `id` provided as input for related fields in `create`/`update` CUD mutations
<Correct Model> matching query does not exist.
Field 'id' expected a number but got 'Garbage'.
An unknown error occurred.
`assert` here
<Incorrect Model> matching query does not exist.
Field 'id' expected a number but got 'Garbage'.
Cannot resolve. GlobalID requires a GraphQL type, received ``Garbage``.
Expected value of type 'GlobalID!', found \"R2FyYmFnZQ==\"; ['Garbage'] expected to contain only 2 items
Expected value of type 'GlobalID!', found \"\"; [''] expected to contain only 2 items
Extra notes
An extra factor to consider here is which of these cause errors handled by `handle_django_errors=True` and which don't.
Currently, the errors which result in "`<Model> matching query does not exist.`" messages (i.e., `ObjectDoesNotExist` exceptions) result in an `OperationInfo` result, whereas the others are top-level GraphQL errors.
It would be convenient if the errors precipitating from these malformed global IDs were consistent.
Expected Behaviour
I would expect the parsing and validation of global IDs to be more strict and not trust the input as much as it does now. In particular:
System Information
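A strict parser along the lines the issue asks for, as an added example that is not part of the original issue or the project's code. It assumes integer primary keys and a hypothetical `KNOWN_TYPES` registry; `parse_global_id`, `InvalidGlobalID` and `GENERIC_ERROR` are names made up for illustration.

```python
import base64
import binascii

# Assumption: the set of GraphQL node type names the schema exposes.
# Constructed sample values, not taken from any real schema.
KNOWN_TYPES = {"FruitType", "ColorType"}

# One message for every malformed input, so the response does not reveal
# which validation step failed or anything about the underlying model.
GENERIC_ERROR = "Invalid global ID."


class InvalidGlobalID(ValueError):
    """Raised for any global ID that fails strict validation."""


def parse_global_id(raw, expected_type):
    """Return the integer primary key encoded in `raw`, or raise InvalidGlobalID."""
    try:
        if not isinstance(raw, str) or not raw:
            raise ValueError("empty or non-string input")
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently discarding them.
        decoded = base64.b64decode(raw, validate=True).decode("utf-8")
        type_name, sep, node_id = decoded.partition(":")
        if not sep or not type_name or not node_id:
            raise ValueError("payload is not 'Type:id'")
        if type_name not in KNOWN_TYPES:
            raise ValueError("unknown GraphQL type")
        if type_name != expected_type:
            raise ValueError("type does not match this field")
        # Reject 'Garbage', '1:2', signs, whitespace and non-ASCII digits
        # before the value can reach an ORM lookup.
        if not (node_id.isascii() and node_id.isdigit()):
            raise ValueError("id is not a plain integer")
        return int(node_id)
    except (ValueError, binascii.Error) as exc:
        # The specific reason stays on the chained exception for server-side
        # logging; the client only ever sees GENERIC_ERROR.
        raise InvalidGlobalID(GENERIC_ERROR) from exc
```

A resolver that catches `InvalidGlobalID` in one place can return the same error shape for every malformed case listed in the tables above.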