graphql-platform: Unauthorized on root type HTTP Status Code
With the new HTTP Spec implementation we return a 500 error when data is null.
Should we return a 403 when the error code is AUTH_NOT_AUTHENTICATED?
{
"name": "ServerError",
"statusCode": 500,
"statusText": "Internal Server Error",
"bodyText": "{\"errors\":[{\"message\":\"The current user is not authorized to access this resource.\",\"locations\":[{\"line\":10,\"column\":3}],\"path\":[\"foo\"],\"extensions\":{\"code\":\"AUTH_NOT_AUTHENTICATED\"}}]}"
}
About this issue
- State: closed
- Created 4 years ago
- Comments: 16 (10 by maintainers)
In my humble interpretation of the spec, if I perform a query and

| Response | Spec text |
| --- | --- |
| 2xx response with non-null `data` in HC | "If the response has Content-Type GraphQL and contains a non-null data entry, then it MUST have status code 2xx, and it SHOULD have status code 200 (Okay)." (from the spec) |
| 2xx response with non-null `data` having the partial results plus the `errors` in HC | "If the response has Content-Type GraphQL and contains a non-null data entry, then it MUST have status code 2xx, and it SHOULD have status code 200 (Okay)." (from the spec) |
| 4xx response with null `data` in HC | "In case the client can not access the schema at all, the server SHOULD respond with the appropriate 4xx status code." (from the spec) |
| 5xx response with null `data` and `errors` in HC | "In case of errors that completely prevent the successful execution of the request, the server SHOULD respond with the appropriate status code depending on the concrete error condition." (from the spec) |

is satisfied

hey @michaelstaib is this still being considered for V13?
My only gripe is on the last point. In the case of “authorization conditions fail for the entire query” I would say that “appropriate status code” is Unauthorized - not 500. I generally only want 500 for unexpected errors (I have a bug in my server code).
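An added example, not Hot Chocolate's code and not from any commenter, of the mapping the thread argues for: the four spec rules quoted above applied to a parsed response body, with a null `data` caused only by auth errors reported as 4xx instead of 500. The issue proposes 403 for AUTH_NOT_AUTHENTICATED; this example uses 401 for "not authenticated" and 403 for a denied policy, and the code name AUTH_NOT_AUTHORIZED is an assumption, not taken from the page.

```javascript
// Added example (not Hot Chocolate's own code): derive the HTTP status code for a
// GraphQL response from the GraphQL-over-HTTP rules quoted in this thread.

// Error codes carried in extensions.code. AUTH_NOT_AUTHENTICATED is on the page;
// AUTH_NOT_AUTHORIZED is assumed here as the "policy denied" counterpart.
const AUTH_STATUS = {
  AUTH_NOT_AUTHENTICATED: 401, // caller presented no or invalid credentials
  AUTH_NOT_AUTHORIZED: 403,    // caller is known, but the policy denies the field
};

// result: the parsed GraphQL response body ({ data, errors }).
function determineStatusCode(result) {
  // Rules 1 and 2: any non-null "data" (full or partial result) MUST be 2xx.
  if (result.data !== null && result.data !== undefined) return 200;
  // "data" is null, so nothing executed. Rules 3 and 4: choose the code from the
  // concrete error condition. If every error is an auth error (e.g. the root type
  // rejected the caller, so the schema is not accessible at all) it is a client
  // condition and gets a 4xx, not a 500.
  const codes = (result.errors ?? []).map((e) => e.extensions?.code);
  const allAuth = codes.length > 0 && codes.every((c) => c in AUTH_STATUS);
  if (allAuth) {
    // 401 takes priority: an unauthenticated caller must log in before any
    // authorization decision is meaningful.
    return codes.includes("AUTH_NOT_AUTHENTICATED") ? 401 : 403;
  }
  // Anything else that prevented execution is an unexpected server failure.
  return 500;
}

// Client-side helper: the Apollo-style ServerError shown in the issue keeps the
// raw response body in bodyText, so the classification can run on that string.
function statusForServerError(serverError) {
  return determineStatusCode(JSON.parse(serverError.bodyText));
}

// Sample copied from the issue body: the current 500 response whose body holds a
// single AUTH_NOT_AUTHENTICATED error on the root field "foo" and no "data" key.
const issueServerError = {
  name: "ServerError",
  statusCode: 500,
  statusText: "Internal Server Error",
  bodyText: '{"errors":[{"message":"The current user is not authorized to access this resource.","locations":[{"line":10,"column":3}],"path":["foo"],"extensions":{"code":"AUTH_NOT_AUTHENTICATED"}}]}',
};

console.log(statusForServerError(issueServerError)); // -> 401
```

A partial result with the same error under a non-null `data` still maps to 200, which is the rule-2 case the table above distinguishes from a null `data`.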