Allow HTTP401 from "context creation failed" (schema authorization)

[elnygren]

Problem

Apollo docs suggest doing "schema authorization" in the context function. However, when you throw an AuthenticationError in the context function, the HTTP status is set to 400 and haven't found a way to customise this behavior. I'd like a 401 in this situation.

The relevant code can be found from:

apollo-server/packages/apollo-server-core/src/runHttpQuery.ts

Lines 134 to 152 in 2d1544d

	if (typeof options.context === 'function') {
	try {
	(options.context as () => never)();
	} catch (e) {
	e.message = `Context creation failed: ${e.message}`;
	// For errors that are not internal, such as authentication, we
	// should provide a 400 response
	if (
	e.extensions &&
	e.extensions.code &&
	e.extensions.code !== 'INTERNAL_SERVER_ERROR'
	) {
	return throwHttpGraphQLError(400, [e], options);
	} else {
	return throwHttpGraphQLError(500, [e], options);
	}
	}
	}

Solution?

Plugins?

Allow a similar solution as described in #1709 (comment) (requestDidStart + didEncounterErrors)

Customise apollo-server-express behavior?

It seems I should be able to customise behavior at the express<->Apollo level, here:

apollo-server/packages/apollo-server-express/src/expressApollo.ts

Lines 50 to 65 in bf0cd6b

	(error: HttpQueryError) => {
	if ('HttpQueryError' !== error.name) {
	return next(error);
	}
	if (error.headers) {
	for (const [name, value] of Object.entries(error.headers)) {
	res.setHeader(name, value);
	}
	}
	res.statusCode = error.statusCode;
	res.write(error.message);
	res.end();
	},
	);

Should full schema auth happen elsewhere?

Different web servers can probably check for auth token / cookie before routing to POST /graphql

Hacky solution for Express

/*
Not included:
- jwt middleware adds req.jwtToken and req.jwtPayload
- apolloServer = new ApolloServer(...)

Note: the order of the three calls here matters.
*/

// before any apollo code, check JWT 
app.post('/graphql', (req, res, next) => {
  if (!req.jwtToken || !req.jwtPayload || !req.jwtPayload.roles.includes('user')) {
    throw new AuthenticationError('unauthorized') // Apollo's error but we could also use our own
  }
  next()
})

apolloServer.applyMiddleware({ app, path: '/graphql' })

// error middleware that handles AuthenticationError by manually constructing a graphql error
app.use((err, req, res, next) => {
  if (err instanceof AuthenticationError) {
    res.status(401).send({
      data: null,
      errors: [
        {
          message: err.message,
          locations: err.locations || [],
          extensions: err.extensions || [],
          path: err.path || [],
        },
      ],
    })
  } else {
    next(err)
  }
})

[abernix]

Please see my suggestion in #1709 (comment), which should now be possible thanks to #2719.

[Karnich]

@abernix as fare as i can tell, if you throw the error during context creation you don't enter the apollo server pipeline and there fore you can't catch the error in didEncounterErrors

[loganbentley]

@abernix yeah, I'm running into this as well. It appears that if you throw the error during context creation it does not enter the apollo server pipeline

[Yunoo]

@abernix Same problem here. Errors thrown during the context creation do not hit didEncounterErrors at all.

[DavidFlorin]

Same problem here. If we do the authorization during the context creation, didEncounterErrors is not called

[lewispham]

I think the best solution is to make all errors thrown in context creation fall through formatError. The current behavior is a bug imho.

[abernix]

Linking this to: #3223