ForbiddenError does not return 403 status code

[curry684]

Simplified code:

const {ApolloServer, ForbiddenError} = require('apollo-server-koa');

new ApolloServer({
          typeDefs,
          resolvers,
          context: async ({ctx, connection}) => {
              const user = connection ? connection.context.user : ctx.state.user;
              if (!user.scopes || !user.scopes.includes('api:read')) {
                  throw new ForbiddenError('Your token does not have required scope "api:read"');
              }
              return {user};
          },
});

This correctly fails the request:

{
  "error": {
    "errors": [
      {
        "message": "Context creation failed: Your token does not have required scope \"api:read\"",
        "extensions": {
          "code": "FORBIDDEN",
          "exception": {
            "stacktrace": [
              "ForbiddenError: Context creation failed: Your token does not have required scope \"api:read\"",
              "    at ApolloServer.context (...)",
....

However it does so with HTTP response code 400, instead of the 403 I was expecting. Now in other threads I've seen the argument that "this is not the GraphQL way to rely on HTTP response codes". However, I'm failing at the context creation level, not the resolver level. So it is a total request failure, otherwise it would also give a 200 with an errors array.

The information is also important to me on the client side. When parsing the JWT in Passport before the request is handed to Apollo, I throw a 401 if the JWT is expired, as that is correct HTTP semantic for "your request failed now, but you may retry it with a fresh token". While a missing OAuth scope simply means "your request will never work until you change something elsewhere". So I should be able to differentiate between those response codes on the server so I can act correctly on them elsewhere.

[trevorblades]

This is by design, as noted by this comment:

apollo-server/packages/apollo-server-core/src/runHttpQuery.ts

Lines 139 to 149 in 2d1544d

	// For errors that are not internal, such as authentication, we
	// should provide a 400 response
	if (
	e.extensions &&
	e.extensions.code &&
	e.extensions.code !== 'INTERNAL_SERVER_ERROR'
	) {
	return throwHttpGraphQLError(400, [e], options);
	} else {
	return throwHttpGraphQLError(500, [e], options);
	}

Currently we return a 500 for internal server errors, and 400 for everything else. Given the code in this function, it would be possible to account for other GraphQL error codes (FORBIDDEN for example), and return a specific status code for each.

I'm going to close this issue now, but feel free to submit a PR with this change if you still need it!

[hwillson]

Just to add to the above, please also see #1709 (comment) for an example that shows how you can use didEncounterErrors to customize the response HTTP status code.

[willrust]

What would be the best approach on the client side for differentiating between what would have been a 403 or 401, if it's all a 400?

Edit:
Nevermind. Iterate over errors, checking the code value of each. Full Stack Error Handling with GraphQL and Apollo