Strapi (v4) should handle GraphQL queries over GET HTTP requests #18979

Closed
daniele-orlando opened this issue Dec 5, 2023 · 2 comments
Labels
issue: feature request Issue suggesting a new feature


daniele-orlando commented Dec 5, 2023

Bug report

Required System information

  • Strapi version: 4.15.5

Describe the bug

In Strapi 4, GraphQL queries sent over HTTP GET requests receive a Forbidden access error.
Everything works as expected running the same queries over POST requests.

The GraphQL endpoint is /graphql and successfully serves POST queries/mutations and the Playground Web Interface.

Steps to reproduce the behavior

  1. Open a browser console
  2. Run
fetch("https://<HOST>/graphql?query=query%7Bpages%7Bdata%7Bid%20attributes%7Bslug%7D%7D%7D%7D", {
  "method": "GET",
}).then(it => it.json()).then(console.log)

Expected behavior

I should receive the GraphQL data as response.

Actual behavior

I receive the error:

{
    "errors": [
        {
            "message": "Forbidden access",
            "extensions": {
                "error": {
                    "name": "ForbiddenError",
                    "message": "Forbidden access",
                    "details": {}
                },
                "code": "FORBIDDEN"
            }
        }
    ],
    "data": {
        "offers": null
    }
}

Additional context

The issue is related to this portion of code that skips the authentication logic.

if (ctx.request.method === 'GET') return next();

Removing this block of code, the GET requests work as expected and the Playground is still reachable on the same endpoint.

-          // allow graphql playground to load without authentication
-          if (ctx.request.method === 'GET') return next();
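
Review bot: Deleting the early return on the two removed lines sends every GET through the authentication logic, including the Playground page load that the deleted comment says the shortcut existed for. Rather than dropping the check outright, consider narrowing it so that only a GET without a `query` parameter returns early, and add a test that the Playground still loads without credentials and that a GET carrying `?query=...` is handled the same way as the POST path.
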
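
The effect of the GET shortcut described in this issue, as an added example that is not Strapi's code: a Koa-style guard that skips authentication for every GET, beside a narrower one that skips it only for the Playground page load. `authenticate`, `guardOriginal`, `guardNarrowed`, `graphqlLayer` and `run` are hypothetical names, and the model assumes the downstream permission check refuses any operation for which the authentication step never ran.

```javascript
// Hypothetical stand-in for the authentication step: records who is calling.
// A request without a token is treated as a public identity (assumption).
function authenticate(ctx) {
  const token = ctx.headers.authorization;
  ctx.state.auth = token ? { role: 'authenticated' } : { role: 'public' };
}

// Shortcut quoted in the issue: every GET skips the authentication step.
function guardOriginal(ctx, next) {
  if (ctx.request.method === 'GET') return next();
  authenticate(ctx);
  return next();
}

// Narrower variant: only a GET without a `query` parameter (the Playground
// page load) skips the step; GraphQL-over-GET runs through it.
function guardNarrowed(ctx, next) {
  const pageLoad = ctx.request.method === 'GET' && !ctx.request.query.query;
  if (pageLoad) return next();
  authenticate(ctx);
  return next();
}

// Stand-in for the GraphQL layer (assumption): serves the Playground page on a
// bare GET and refuses operations when the authentication step never ran.
function graphqlLayer(ctx) {
  const operation = ctx.request.query.query || ctx.request.body.query;
  if (!operation) return { page: 'playground' };
  if (!ctx.state.auth) return { errors: [{ message: 'Forbidden access' }] };
  return { data: { pages: { data: [] } } };
}

// Runs one constructed request through a guard and the GraphQL layer.
// Synchronous for brevity; real Koa middleware is async.
function run(guard, method, operation, token) {
  const onUrl = method === 'GET' && operation;
  const ctx = {
    request: {
      method,
      query: onUrl ? { query: operation } : {},
      body: !onUrl && operation ? { query: operation } : {},
    },
    headers: token ? { authorization: `Bearer ${token}` } : {},
    state: {},
  };
  return guard(ctx, () => graphqlLayer(ctx));
}
```
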
@gauravruhela07

@daniele-orlando I want to work on this issue, can you please assign it to me? Thanks.

derrickmehaffy added the "issue: feature request" label Dec 5, 2023

github-actions bot commented Dec 5, 2023

This is a templated message

Hello @daniele-orlando,

First, thank you for reporting this feature need.
To manage feature requests and the Strapi roadmap, we are using Canny.
You will be able to access the Public Roadmap here: https://feedback.strapi.io.

In your message, please mention the URL of this thread in case some messages are posted there. But the most important thing is to have your feedback posted on our feedback/roadmap site.
The product team is reading EVERY comment, that really helps us to develop the project in the right direction. We are keeping all feature requests and project insights in one place, our feedback website.

In order to keep our GitHub issues clean and for valid bug reports this issue will be marked as closed, but please feel free to continue the discussion with other community members here.

Thank you for your insight and have a good day.
