Broken GraphQL endpoint on last Strapi versions #19073
Comments
daniele-orlando
changed the title
|
This needs to be determined by product if it's intended as generally it's anti-pattern and considered a bad practice to use GraphQL over GET requests. As far as I'm aware the GET route was only ever intended for use with the playground and actual queries/mutations -should always- be done over POST. |
derrickmehaffy
added
issue: bug
|
Related discussion: graphql/graphql-over-http#123 |
|
Likewise specific graphql specification does not require supporting GET: https://graphql.github.io/graphql-over-http/draft/#sec-Request |
|
Using GraphQL over GET requests is not an anti-pattern at all. I think you confused mutations which must use POST method. GraphQL queries instead should use an idempotent verb like GET and, in order to be cached by the browser, they must use an idempotent verb like GET. POST requests can not be cached by browsers. A GraphQL server should accept GET and POST requests and should not enforce one method over the other, because it's up to the client to decide the best strategy for its use cases.
My queries are served over GET method using Cache-Control, ETag and Last-Modified headers, which make them cachable by the browser. Switching to POST request would break completely the browser caching on any browser, which is not acceptable. |
|
Facing the exactly same issue. I was trying to implement the
It seems weird that:
Maybe expected features of graphQL is not correctly understood by Apollo & Strapi ? |
|
Anyone from the Strapi team can give an update about the planned timeline for the resolution of this bug, please? cc: @Eventyret |
|
@Eventyret can you increase the severity from |
derrickmehaffy
added
severity: medium
|
We can raise it to medium but we still need clarification from our product team if GET requests were ever intended to work as from what I understood they were not. We specially advise users and especially EE customers to use REST where possible if caching is important. |
|
Hi dear Strapi team, do we have any update about the resolution of this issue? |
|
GET requests are not supported in Strapi 4 and have been added in Strapi 5 |
|
Actually it looks like a community pr was accepted in 4.22.0 to allow this in v4, so marking as closed. |
Bug report
Required System information
Describe the bug
In last Strapi 4 versions, GraphQL queries sent over HTTP GET requests receive a
Forbidden accesserror.Everything works as expected running the same queries over POST requests.
The GraphQL endpoint is
/graphqland serves successfully POST queries/mutations and the Playground Web Interface.This is NOT a feature request, but a regression on the GET endpoint after commit 4436f59. It was working as expected until version 4.3. Upgrading to last Strapi version broke my GraphQL ecommerce and I had to rollback to previous version.
Steps to reproduce the behavior
Expected behavior
I should receive the GraphQL data as response.
Actual behavior
I receive the error:
{ "errors": [ { "message": "Forbidden access", "extensions": { "error": { "name": "ForbiddenError", "message": "Forbidden access", "details": {} }, "code": "FORBIDDEN" } } ], "data": { "pages": null } }Additional context
The issue is related to this portion of code that skips the authentication logic.
strapi/packages/plugins/graphql/server/bootstrap.js
Line 110 in dc96169
Removing this block of code, the GET requests work as expected and the Playground is still reachable on the same endpoint.
The text was updated successfully, but these errors were encountered: