Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix: Introduce status code regression mitigation (#7465)
Apollo Server v4 introduced a regression with respect to invalid `variables` and HTTP status codes. AS4 incorrectly started responding with a 200 status code, where AS3 would respond with a 400 when the provided variables object failed variable coercion (during `graphql-js` `execute`).

Providing the following config to your AS4 constructor options will opt in to the regression mitigation:

```ts
new ApolloServer({
  // ...
  status400WithErrorsAndNoData: true,
})
```

Fixes #7462
Related discussion #7460

---------

Co-authored-by: Stephen Barlow <[email protected]>
Co-authored-by: David Glasser <[email protected]>
1 parent a200e55, commit 1e80814
Showing 8 changed files with 153 additions and 1 deletion.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
--- | ||
'@apollo/server': minor | ||
--- | ||
|
||
Introduce new opt-in configuration option to mitigate v4 status code regression | ||
|
||
Apollo Server v4 accidentally started responding to requests with an invalid `variables` object with a 200 status code, where v3 previously responded with a 400. In order to not break current behavior (potentially breaking users who have creatively worked around this issue) and offer a mitigation, we've added the following configuration option which we recommend for all users. | ||
|
||
```ts | ||
new ApolloServer({ | ||
// ... | ||
status400ForVariableCoercionErrors: true, | ||
}); | ||
``` | ||
|
||
Specifically, this regression affects cases where _input variable coercion_ fails. Variables of an incorrect type (i.e. `String` instead of `Int`) or unexpectedly `null` are examples that fail variable coercion. Additionally, missing or incorrect fields on input objects as well as custom scalars that throw during validation will also fail variable coercion. For more specifics on variable coercion, see the "Input Coercion" sections in the [GraphQL spec](https://spec.graphql.org/June2018/#sec-Scalars). | ||
|
||
This will become the default behavior in Apollo Server v5 and the configuration option will be ignored / no longer needed. |
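Review bot: The option name in the changeset example, `status400ForVariableCoercionErrors: true`, does not match the name the commit message gives for the same opt-in, `status400WithErrorsAndNoData: true`. Only one of these can be the key the constructor accepts, and a user who copies the other one does not get the 400 responses this change is meant to restore, so please check both against the option as it is declared in the code and make the commit message and changeset agree. Two smaller points in the same file: "i.e. `String` instead of `Int`" introduces an example, so it should read "e.g.", and the spec link is pinned to the June2018 edition at `#sec-Scalars` while the sentence sends readers to the "Input Coercion" sections, so a link that lands on one of those sections would be easier to follow.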