-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(audits/server): Test that null
is allowed for body parameters
#28
Conversation
As per spec: > Note: Specifying `null` in JSON (or equivalent values in other > formats) as values for optional request parameters is equivalent to > not specifying them at all. Fixes #26.
(reopened from #27 as a non-forked PR so the workflows work better) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you!
🎉 This PR is included in version 1.9.0 🎉 The release is available on: Your semantic-release bot 📦🚀 |
@mcollina FYI this removes mercurius from the passing list because it chokes on (Technically it should remove |
In v4.2.0 (#7171) we changed POST handling to be stricter if `operationName`, `variables`, or `extensions` were provided with a surprising data type. This was intended to pass more of the optional recommendations of the GraphQL Over HTTP spec as tested by the graphql-http audit suite. However, we were overzealous and also banned providing these parameters as an explicit `null`, which is documented by the spec as legitimate. (And some clients, such as FIXME, actually send `variables: null` in practice.) We added explicit tests for this to the `graphql-http` test suite (graphql/graphql-http#28) and this commit allows these `null`s again. Fixes #7200.
In v4.2.0 (#7171) we changed POST handling to be stricter if `operationName`, `variables`, or `extensions` were provided with a surprising data type. This was intended to pass more of the optional recommendations of the GraphQL Over HTTP spec as tested by the graphql-http audit suite. However, we were overzealous and also banned providing these parameters as an explicit `null`, which is documented by the spec as legitimate. (And some clients, such as FIXME, actually send `variables: null` in practice.) We added explicit tests for this to the `graphql-http` test suite (graphql/graphql-http#28) and this commit allows these `null`s again. Fixes #7200.
In v4.2.0 (#7171) we changed POST handling to be stricter if `operationName`, `variables`, or `extensions` were provided with a surprising data type. This was intended to pass more of the optional recommendations of the GraphQL Over HTTP spec as tested by the graphql-http audit suite. However, we were overzealous and also banned providing these parameters as an explicit `null`, which is documented by the spec as legitimate. (And some clients, such as FIXME, actually send `variables: null` in practice.) We added explicit tests for this to the `graphql-http` test suite (graphql/graphql-http#28) and this commit allows these `null`s again. Fixes #7200.
Are we certain that this is a requirement we want in the spec? I'm definitely open to removing it if it's causing compatibility issues, I'm not even sure that |
FWIW it does appear that some clients like https://github.com/graphql-rust/graphql-client send |
Ah yes, we definitely want existing clients to continue to work, thanks for the reference @glasser. In which case, this rule should increase interoperability and we'll maintain it 👍 |
As per spec:
Fixes #26.