Does the HTTP server return valid 403 responses for disallowed queries? #266

Closed
1 task done
craigem opened this issue Jul 31, 2020 · 3 comments · Fixed by #272
Comments

@craigem
Contributor

craigem commented Jul 31, 2020

Environment

IOHK mainnet

Platform

  • NixOS

Steps to reproduce the bug

Graphql only allows specific queries, otherwise nginx returns 5XX on disallowed queries... It would be nice to find a way to configure things so disallowed graphql queries return 400 unauthorized rather than 5XX, because we are getting alerts across most environments because of disallowed queries to graphql returning 5XX. There are no alerts triggered if the response is 400, and we really don't care to know that people are querying disallowed graphql endpoints anyway.

What is the expected behaviour?

A 403 or similar response.

@rhyslbw rhyslbw added the BUG label Jul 31, 2020
@rhyslbw rhyslbw self-assigned this Jul 31, 2020
@rhyslbw rhyslbw removed the BUG label Jul 31, 2020
@rhyslbw
Contributor

rhyslbw commented Jul 31, 2020

It should be returning the expected response, but I can't point at a test to assert this fact, so I will leave this open until this changes.

@rhyslbw rhyslbw changed the title cardano-graphql is returning 500 errors to nginx for disallowed queries. Does the HTTP server return valid 403 responses for disallowed queries? Jul 31, 2020
@rhyslbw
Contributor

rhyslbw commented Jul 31, 2020

Ok, looks like it's not. Will fix

@rhyslbw rhyslbw added the BUG label Jul 31, 2020
@sevanspowell
Contributor

I've just confirmed that running a bad request directly against the cardano-graphql service running on the cardano-testnet returns 500 instead of the expected 40x error code:

# curl 'http://127.0.0.1:3100/graphql' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer: https://explorer.cardano.org/graphql' -H 'content-type: application/json' -H 'Origin: https://explorer.cardano.org' -H 'Connection: keep-alive' --data '{"operationName":null,"variables":{},"query":"{\n  stakez\n}\n"}' --verbose
*   Trying 127.0.0.1:3100...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 3100 (#0)
> POST /graphql HTTP/1.1
> Host: 127.0.0.1:3100
> Accept-Encoding: deflate, gzip
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0
> Accept: */*
> Accept-Language: en-US,en;q=0.5
> Referer: https://explorer.cardano.org/graphql
> content-type: application/json
> Origin: https://explorer.cardano.org
> Connection: keep-alive
> Content-Length: 64
> 
* upload completely sent off: 64 out of 64 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 500 Internal Server Error
< X-Powered-By: Express
< Access-Control-Allow-Origin: https://explorer.cardano.org
< Vary: Origin
< Content-Type: application/json; charset=utf-8
< Content-Length: 949
< ETag: W/"3b5-Q49DtrVvRdoo9lj5OizWwJ+LeC0"
< Date: Fri, 31 Jul 2020 06:56:13 GMT
< Connection: keep-alive
< 
{"errors":[{"message":"Operation is forbidden","extensions":{"code":"FORBIDDEN","exception":{"stacktrace":["ForbiddenError: Operation is forbidden","    at Object.parsingDidStart (/nix/store/zanbpacv7p1860lxn978pgrlfb2wd43k-cardano-graphql-2.0.0/packages/server/dist/apollo_server_plugins/whitelist_plugin.js:14:31)","    at Dispatcher.invokeDidStartHook (/nix/store/zanbpacv7p1860lxn978pgrlfb2wd43k-cardano-graphql-2.0.0/node_modules/apollo-server-core/dist/utils/dispatcher.js:56:43)","    at Object.<anonymous> (/nix/store/zanbpacv7p1860lxn978pgrlfb2wd43k-cardano-graphql-2.0.0/node_modules/apollo-server-core/dist/requestPipeline.js:108:56)","    at Generator.next (<anonymous>)","    at fulfilled (/nix/store/zanbpacv7p1860lxn978pgrlfb2wd43k-cardano-graphql-2.0.0/node_modules/apollo-server-core/dist/requestPipeline.js:5:58)","    at runMicrotasks (<anonymous>)","    at processTicksAndRejections (internal/process/task_queues.js:94:5)"]}}}]}
* Connection #0 to host 127.0.0.1 left intact

@rhyslbw rhyslbw mentioned this issue Aug 3, 2020