ForbiddenError does not return 403 status code #1512
Comments
This is by design, as noted by this comment: `apollo-server/packages/apollo-server-core/src/runHttpQuery.ts`, lines 139 to 149 in 2d1544d.
Currently we return a
I'm going to close this issue now, but feel free to submit a PR with this change if you still need it!
Just to add to the above, please also see #1709 (comment) for an example that shows how you can use
What would be the best approach on the client side for differentiating between what would have been a 403 or 401, if it's all a 400? Edit:
Simplified code:
This correctly fails the request:
However, it does so with HTTP response code 400 instead of the 403 I was expecting. Now, in other threads I've seen the argument that "this is not the GraphQL way to rely on HTTP response codes". However, I'm failing at the context creation level, not the resolver level. So it is a total request failure; otherwise it would also give a 200 with an errors array.
The information is also important to me on the client side. When parsing the JWT in Passport before the request is handed to Apollo, I throw a 401 if the JWT is expired, as that is the correct HTTP semantic for "your request failed now, but you may retry it with a fresh token", while a missing OAuth scope simply means "your request will never work until you change something elsewhere". So I should be able to differentiate between those response codes on the server so I can act correctly on them elsewhere.
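One way to keep the 401/403 distinction on the client even though a context-creation failure comes back as HTTP 400, as an added example that is not code from this issue or from Apollo Server. It assumes the server throws Apollo's `AuthenticationError` for an expired token and `ForbiddenError` for a missing scope, and that those errors carry `extensions.code` values of `"UNAUTHENTICATED"` and `"FORBIDDEN"` (an assumption about `apollo-server-errors`); the sample responses are constructed.

```javascript
// Added example (not from the issue or Apollo Server): map a GraphQL response
// to the HTTP semantic it would have had, so the client can tell a retryable
// auth failure (401-like) from a permanent authorization denial (403-like).
// Assumption: extensions.code is "UNAUTHENTICATED" for AuthenticationError and
// "FORBIDDEN" for ForbiddenError.

const RETRYABLE = 'retry-with-fresh-token'; // would have been a 401
const DENIED = 'permanent-denial';          // would have been a 403
const OTHER = 'other-failure';              // some other error
const OK = 'ok';                            // no errors in the response

function classifyGraphQLResponse(status, body) {
  // Checks done before Apollo (e.g. Passport in middleware) still use real codes.
  if (status === 401) return RETRYABLE;
  if (status === 403) return DENIED;

  // Context-creation failures are rejected whole: a 400 with only an errors array.
  const errors = body && Array.isArray(body.errors) ? body.errors : [];
  const codes = new Set(
    errors.map((e) => e && e.extensions && e.extensions.code).filter(Boolean)
  );
  if (codes.has('UNAUTHENTICATED')) return RETRYABLE;
  if (codes.has('FORBIDDEN')) return DENIED;
  if (errors.length > 0) return OTHER;
  return OK;
}

// Constructed sample responses mirroring the behaviour described above.
const SAMPLE_FORBIDDEN_400 = {
  status: 400,
  body: { errors: [{ message: 'Missing scope', extensions: { code: 'FORBIDDEN' } }] },
};
const SAMPLE_EXPIRED_400 = {
  status: 400,
  body: { errors: [{ message: 'Token expired', extensions: { code: 'UNAUTHENTICATED' } }] },
};
const SAMPLE_PASSPORT_401 = { status: 401, body: { message: 'jwt expired' } };
const SAMPLE_OK_200 = { status: 200, body: { data: { me: { id: '1' } } } };
```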