
Commit fabd9b3

ThomasObenaussetnicka
authored andcommitted
Fix: ensure that status codes are checked in any case
If this check is missing, responses from the server hosting the graphql end-point that are not compliant with the graphql spec are silently ignored (not treated as an error). One reason for this server behavior could be (e.g. Spring Boot) that the request is rejected before it reaches the graphql end-point due to missing authorization. In this case the security filter, which does not know about graphql, responds with an error that is not compliant with the GQL spec. The same situation arises in the case of a 404, 403, etc.
1 parent 3a92531 commit fabd9b3

1 file changed

+25
-0
lines changed

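--- a/graphql.go
+++ b/graphql.go
@@ -137,6 +137,8 @@ func (c *Client) runWithJSON(ctx context.Context, req *Request, resp interface{}
 return errors.Wrap(err, "reading body")
 }
 c.logf("<< %s", buf.String())
+bodyStr := buf.String()
+
 if err := json.NewDecoder(&buf).Decode(&gr); err != nil {
 if res.StatusCode != http.StatusOK {
 return fmt.Errorf("graphql: server returned a non-200 status code: %v", res.StatusCode)
@@ -147,6 +149,17 @@ func (c *Client) runWithJSON(ctx context.Context, req *Request, resp interface{}
 // return first error
 return gr.Errors[0]
 }
+
+// Handle the http status codes before handling response from the graphql endpoint.
+// If this is not done then !200 status codes will just be ignored without the caller even noticing, instead
+// the caller just gets back an empty result set, suggesting that the query did not found any result.
+// The reason for this is that for example in case of a 404,401,403 etc. the request is rejected before
+// it even hits an graphql handler on the server side.
+// As a result the response returned by this non graphql component is not compliant to the graphql spec.
+if res.StatusCode != http.StatusOK {
+return fmt.Errorf("graphql: server returned a non-200 status code: %v - %v", res.StatusCode, bodyStr)
+}
+
 return nil
 }
 
@@ -208,6 +221,8 @@ func (c *Client) runWithPostFields(ctx context.Context, req *Request, resp inter
 return errors.Wrap(err, "reading body")
 }
 c.logf("<< %s", buf.String())
+bodyStr := buf.String()
+
 if err := json.NewDecoder(&buf).Decode(&gr); err != nil {
 if res.StatusCode != http.StatusOK {
 return fmt.Errorf("graphql: server returned a non-200 status code: %v", res.StatusCode)
@@ -218,6 +233,16 @@ func (c *Client) runWithPostFields(ctx context.Context, req *Request, resp inter
 // return first error
 return gr.Errors[0]
 }
+
+// Handle the http status codes before handling response from the graphql endpoint.
+// If this is not done then !200 status codes will just be ignored without the caller even noticing, instead
+// the caller just gets back an empty result set, suggesting that the query did not found any result.
+// The reason for this is that for example in case of a 404,401,403 etc. the request is rejected before
+// it even hits an graphql handler on the server side.
+// As a result the response returned by this non graphql component is not compliant to the graphql spec.
+if res.StatusCode != http.StatusOK {
+return fmt.Errorf("graphql: server returned a non-200 status code: %v - %v", res.StatusCode, bodyStr)
+}
 return nil
 }
 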
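Review bot: The new `fmt.Errorf` at new lines 160 and 244 embeds the entire response body in the returned error; that body is untrusted server output, is already logged by `c.logf` on the preceding context line, and for exactly the non-compliant 401/403/404 pages this check targets it is frequently a full HTML error page, so any caller that surfaces errors to users or structured logs receives an unbounded, server-controlled string. Consider bounding it before formatting, e.g. `if len(bodyStr) > 512 { bodyStr = bodyStr[:512] + "..." }`, or returning a typed error that carries status code and body as separate fields so callers can decide what to expose. The `bodyStr := buf.String()` at new lines 140 and 224 deserves a why-comment, since the reason it must be taken before `Decode` is not obvious from the code: `// capture the body before Decode drains buf; used in the status-code error below`. The eleven-line status-check block is duplicated verbatim between runWithJSON and runWithPostFields and could be a single helper taking `res` and `bodyStr`. Both enclosing functions start outside the hunks.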
