Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Not GraphQL over http spec compliant for failure to coerce variables #3178

Closed
wheresrhys opened this issue Feb 1, 2024 · 5 comments
Closed

Not GraphQL over http spec compliant for failure to coerce variables #3178

wheresrhys opened this issue Feb 1, 2024 · 5 comments

Comments

@wheresrhys
Copy link

Describe the bug

You appear to have implemented the behaviour for invalid parameters for the variable coercion failure case i.e. you are responding with a 400 when it should be a 200.

Your Example Website or App

https://codesandbox.io/p/sandbox/magical-kirch-5z4z8c

Steps to Reproduce the Bug or Issue

See code sandbox link above

Expected behavior

Expected a 200 but received 400

Screenshots or Videos

No response

Platform

  • graphql-yoga: 5.0.1

Additional context

Discussion on spec here See discussion here graphql/graphql-over-http#288
@EmrysMyrddin
Copy link
Collaborator

Hi!
Thank you for the report!

It appears that your reproduction sandbox doesn't exists.

But I can suppose what is the problem here. This behavior only applies to spec compliant requests, which have an accept header value of 'application/json'.

The yoga server tested against the graphql-http spec test suite, so it should be very compliant to the spec :-)

I'm closing this, but if you still think something is wrong, don't hesitate to comment or reopen with an update reproduction case :-)

@wheresrhys
Copy link
Author

How frustrating - took ages to create the sandbox.

Leaving that aside, have you read the discussion I linked to graphql/graphql-over-http#288. The basic point is that yoga implements 400 for variables that don't validate against a GraphQL document, whereas the spec writers are quite clear that the 400 is meant only for scenarios where the variables provided do not comply with the general GraphQL spec of what variables can be (e.g. must be an object, not an array). Perhaps the graphql-http test suite has a mistake in it. I will raise your point with them.

@wheresrhys wheresrhys mentioned this issue Feb 11, 2024
Closed
@wheresrhys
Copy link
Author

Actually reading more about it, the graphql-http project have not actually implemented a test suite to validate against (they have only described it), so perhaps there is a mistake in the implementation of the test suite you reference.

@benjie
Copy link

benjie commented Feb 12, 2024

the graphql-http project have not actually implemented a test suite to validate against

The test suite can be found here: https://graphql-http.com/; and here's the report for graphql-yoga: https://github.com/graphql/graphql-http/tree/main/implementations/graphql-yoga

The keyword here is SHOULD, which is a recommendation rather than a requirement (see RFC2119). Returning 400 for variables that do not coerce is valid, but not preferred.

@enisdenjo
Copy link
Collaborator

enisdenjo commented Feb 21, 2024
edited
Loading

@wheresrhys this is not the case. Maybe you're mixing application/json and application/graphql-response json accept headers; whereas the former should respond with a 200 and the latter with a 400.

Both of these audits pass when using the graphql-http test suite.

Passing

[...]
53. 7B9B SHOULD use a status code of 200 on variable coercion failure when accepting application/json
60. 86EE SHOULD use a status code of 400 on variable coercion failure when accepting application/graphql-response json

Also, Yoga implements the full graphql-http audit test suite as a part of its own tests. We make sure it's passing on each commit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@benjie @wheresrhys @EmrysMyrddin @enisdenjo