Invalid GraphQL requests must result in HTTP 400 responses #568

bclozel · 2022-12-07T16:34:11Z

As explained in the GraphQL over HTTP spec:

If the GraphQL response does not contain the {data} entry then the server MUST reply with a 4xx or 5xx status code as appropriate.

Note: The GraphQL specification indicates that the only situation in which the GraphQL response does not include the {data} entry is one in which the {errors} entry is populated.

If the GraphQL request is invalid (e.g. it is malformed, or does not pass validation) then the server SHOULD reply with 400 status code.

Currently Spring for GraphQL responds with an HTTP 200 OK response in this case:

{
  "errors": [
    {
      "message": "Validation error (FieldUndefined@[spring]) : Field 'spring' in type 'Query' is undefined",
      "locations": [
        {
          "line": 2,
          "column": 3
        }
      ],
      "extensions": {
        "classification": "ValidationError"
      }
    }
  ]
}

The text was updated successfully, but these errors were encountered:

erwinc1 · 2022-12-08T13:31:08Z

If you example response is the complete response you got, then "data" block is missing so this must (as opposed to your title) resolve in a 4xx or 5xx according to your citation, am I right?

bclozel · 2022-12-08T13:38:32Z

@erwinc1 Yes. I've updated the title.
We discussed this issue this morning and we are pausing it to get some clarification about this. Other issue comments seem to contradict this statement in the spec.

bclozel · 2023-02-14T16:42:12Z

I'm closing this issue as this PR clarifies the fact that only requests that cannot be parsed should result in 4xx/5xx response status codes.

benjie · 2023-02-14T17:08:37Z

Just to add "from the horse's mouth" to this:

If the GraphQL response does not contain the {data} entry then the server MUST reply with a 4xx or 5xx status code as appropriate.

This is still true for responses that are served using the application/graphql-response+json media type.

Note: all servers are expected to support the application/graphql-response+json media type by 1st Jan 2025, and clients should start adding it to their Accept headers now so that they can get the goodness of HTTP status codes if the server supports them, without the ambiguities inherent in using HTTP status codes with legacy GraphQL-over-HTTP.

only requests that cannot be parsed should result in 4xx/5xx response status codes.

This is true for responses using the application/json legacy media type only.

bclozel added type: bug A general bug in: web Issues related to web handling for: team-attention An issue we need to discuss as a team to make progress labels Dec 7, 2022

bclozel self-assigned this Dec 7, 2022

bclozel changed the title ~~Invalid GraphQL requests should result in HTTP 400 responses~~ Invalid GraphQL requests must result in HTTP 400 responses Dec 8, 2022

bclozel added the status: pending-design-work label Dec 8, 2022

bclozel closed this as not planned Won't fix, can't repro, duplicate, stale Feb 14, 2023

bclozel added status: invalid An issue that we don't feel is valid and removed type: bug A general bug for: team-attention An issue we need to discuss as a team to make progress status: pending-design-work labels Feb 14, 2023

rstoyanchev mentioned this issue Aug 29, 2023

Not able to get Spring GraphQL adhere to GraphQL Over Http Spec #783

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Invalid GraphQL requests must result in HTTP 400 responses #568

Invalid GraphQL requests must result in HTTP 400 responses #568

bclozel commented Dec 7, 2022

erwinc1 commented Dec 8, 2022

bclozel commented Dec 8, 2022

bclozel commented Feb 14, 2023

benjie commented Feb 14, 2023

Invalid GraphQL requests must result in HTTP 400 responses #568

Invalid GraphQL requests must result in HTTP 400 responses #568

Comments

bclozel commented Dec 7, 2022

erwinc1 commented Dec 8, 2022

bclozel commented Dec 8, 2022

bclozel commented Feb 14, 2023

benjie commented Feb 14, 2023