UNAUTHORIZED exception thrown in GraphQLServletContextBuilder would end in 500 error #303
I am currently checking for authorization when building the context:
However, due to the code in HttpRequestHandlerImpl.java, the 401 error here would be translated to a 500 error. Do you think we should change HttpRequestHandlerImpl.java to also catch ResponseStatusException to throw as the correct error code? Or do any of you feel that what I did in GraphQLServletContextBuilder is not correct? Thank you!
Replies: 1 comment 1 reply
I'd introduce a WebFilter to handle the authorization check like Spring Security does it when using the Spring ecosystem. That filter is executed before it even hits the GraphQL request processing. It'll then return a response status code of 401 or 403 outside of the GraphQL spec.
If you want to keep it inside the GraphQL spec then I'd throw a GraphQLException instead with a proper message to keep it the GraphQL way. Which is status 200 with errors field populated in the response.
I don't think the 500 error is correct tbh, but recent changes/fixes might have already corrected that.
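The filter approach suggested in the reply, sketched as an added example (not code from this thread or from the project): a servlet filter rejects unauthenticated requests with 401 before the GraphQL servlet runs, so the context builder never has to throw. It assumes the javax.servlet 4.0+ API, a Bearer token in the Authorization header, and the hypothetical names TokenVerifier and AUTH_SUBJECT; the filter is expected to be registered for the GraphQL endpoint path.

```java
import java.io.IOException;
import java.util.Optional;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example. TokenVerifier and AUTH_SUBJECT are hypothetical names.
public class GraphQLAuthFilter implements Filter {

    /** Hypothetical hook: returns the subject for a valid token, empty otherwise. */
    public interface TokenVerifier {
        Optional<String> verify(String bearerToken);
    }

    public static final String AUTH_SUBJECT = "auth.subject";
    private static final String PREFIX = "Bearer ";
    private final TokenVerifier verifier;

    public GraphQLAuthFilter(TokenVerifier verifier) {
        this.verifier = verifier;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String header = request.getHeader("Authorization");
        Optional<String> subject = Optional.empty();
        if (header != null && header.regionMatches(true, 0, PREFIX, 0, PREFIX.length())) {
            subject = verifier.verify(header.substring(PREFIX.length()).trim());
        }
        if (!subject.isPresent()) {
            // Reject here, before GraphQL request processing, so no exception
            // from the context builder gets translated into a 500.
            response.setHeader("WWW-Authenticate", "Bearer");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The context builder can read this attribute instead of re-checking and throwing.
        request.setAttribute(AUTH_SUBJECT, subject.get());
        chain.doFilter(request, response);
    }
}
```

A context builder behind this filter can read the AUTH_SUBJECT request attribute and treat its absence as a configuration error rather than an authentication failure.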