GraphQL errors should return HTTP status code 200 instead of 400 Bad Request

[samyonr]

While the GraphQL specification does not specify the transport layer, it seems like the de-facto standard originated in the article Serving over HTTP, which states that in most cases, 2xx status code should be used:

If a response contains a data key and its value is not null, then the server should respond with a 2xx status code for either the application/graphql-response+json or application/json media types. This is the case even if the response includes errors, since HTTP does not yet have a status code representing “partial success.” (see Status Codes)

To complicate things, 4xx and 5xx are allowed, although discouraged:

For validation errors that prevent the execution of a GraphQL operation, the server will typically send a 400 status code, although some legacy servers may return a 2xx status code when the application/json media type is used.

For legacy servers that respond with the application/json media type, the use of 4xx and 5xx status codes for valid GraphQL requests that fail to execute is discouraged but may be used depending on the implementation. Because of potential ambiguities regarding the source of the server-side error, a 2xx code should be used with this media type instead.

However, for responses with the application/graphql-response+json media type, the server will reply with a 4xx or 5xx status code if a valid GraphQL request fails to execute.

The GraphQL-over-HTTP spec draft, states more clearly that 200 should be used, see Status Codes. Here are a few examples from that draft:

Examples
The following examples provide guidance on how to deal with specific error cases when using the application/json media type to encode the response body:

JSON parsing failure
For example a POST request body of NONSENSE or {"query": (note: invalid JSON).

Requests that the server cannot interpret SHOULD result in status code 400 (Bad Request).

Invalid parameters
For example a POST request body of {"qeury": "{__typename}"} (note: typo) or {"query": "query Q ($i:Int!) { q(i: $i) }", "variables": [7]} (note: invalid shape for variables).

A request that does not constitute a well-formed GraphQL-over-HTTP request SHOULD result in status code 400 (Bad Request).

Document parsing failure
For example a POST request body of {"query": "{"}.

Requests where the GraphQL document cannot be parsed SHOULD result in status code 200 (Okay).

Document validation failure
Requests that fail to pass GraphQL validation, the server SHOULD NOT execute the request and SHOULD return a status code of 200 (Okay).

EntityGraphQL returns 400 Bad Request in case of an error. i.e., not (only?) in case of parsing failure of invalid parameters, but also in case the validation fails. The package is able to parse the request and create a proper response with an error, but the returned response uses the 400 status code. It seems like it was done deliberately: 8b012a1

This causes a problem with some client libraries, for example, StrawberryShake. The library first reads the HTTP header here:

    private async Task<GraphQLHttpResponse> ExecuteInternalAsync(
        GraphQLHttpRequest request,
        Uri requestUri,
        CancellationToken ct)
    {
        // The array writer is needed for formatting the request.
        // We keep it up here so that the associated memory is being
        // kept until the request is done.
        // DO NOT move the writer out of this method.
        using var arrayWriter = new ArrayWriter();
        using var requestMessage = CreateRequestMessage(arrayWriter, request, requestUri);
        requestMessage.Version = _http.DefaultRequestVersion;
        requestMessage.VersionPolicy = _http.DefaultVersionPolicy;
        var responseMessage = await _http
            .SendAsync(requestMessage, ResponseHeadersRead, ct)
            .ConfigureAwait(false);
        return new GraphQLHttpResponse(responseMessage);
    }

Then it throws an exception because the status code is not Success:

    /// <summary>
    /// Reads the GraphQL response as a <see cref="OperationResult"/>.
    /// </summary>
    /// <param name="cancellationToken">
    /// A cancellation token that can be used to cancel the HTTP request.
    /// </param>
    /// <returns>
    /// A <see cref="ValueTask{TResult}"/> that represents the asynchronous read operation
    /// to read the <see cref="OperationResult"/> from the underlying <see cref="HttpResponseMessage"/>.
    /// </returns>
    public ValueTask<OperationResult> ReadAsResultAsync(CancellationToken cancellationToken = default)
    {
        var contentType = _message.Content.Headers.ContentType;

        // The server supports the newer graphql-response+json media type and users are free
        // to use status codes.
        if (contentType?.MediaType.EqualsOrdinal(ContentType.GraphQL) ?? false)
        {
            return ReadAsResultInternalAsync(contentType.CharSet, cancellationToken);
        }

        // The server supports the older application/json media type and the status code
        // is expected to be a 2xx for a valid GraphQL response.
        if (contentType?.MediaType.EqualsOrdinal(ContentType.Json) ?? false)
        {
            _message.EnsureSuccessStatusCode();
            return ReadAsResultInternalAsync(contentType.CharSet, cancellationToken);
        }

        _message.EnsureSuccessStatusCode();

        throw new InvalidOperationException("Received a successful response with an unexpected content type.");
    }

Then it ignores all the content here and returns:

{
  DataFactory: {},
  Errors: [
    {
      Message: Response status code does not indicate success: 400 (Bad Request).
    }
  ]
}

So the error message, constructed with AddError via the IGraphQLValidator isn't available for the user, which makes debugging difficult.

Since switching from 400 to 200 may be considered a breaking change by some applications that use EntityGraphQL, I suggest making it opted in, via some initialization argument.

While on the matter, it's worth switching, or adding, the application/graphql-response+json mead type option, instead application/json (here: EntityGraphQLEndpointRouteExtensions.cs). Same as before, for backward compatibility, it probably should be opted in via initialization configuration.

---

BTW, it's the third ticket I've opened in the last few weeks, but that's only because I'm actively using EntityGraphQL. Thanks a lot for all the effort you are putting into this package. It works well, streamlines the development, and helps a lot - thanks!

[lukemurray]

Yep, You can change this by not using MapGraphQL and implementing the route yourself.

I do plan to fix this in 6.0 as it would be considered a breaking change. However for a 5.x release I may introduce a parameter to MapGraphQL to change the behaviour so people can adopt it sooner.

[samyonr]

Thanks, as a temporary workaround I've copied MapGraphQL from EntityGraphQLEndpointRouteExtensions.cs, left the application/json untouched (didn't change it to application/graphql-response+json) and changed the data.Errors?.Count > 0 part to be:

                if (data.Errors?.Count > 0)
                {
                    context.Response.StatusCode = StatusCodes.Status200OK;
                    data = new QueryResult(data.Errors);
                }

I didn't have to explicitly set the context.Response.StatusCode to be StatusCodes.Status200OK because it's the default, and it's not modified above (except for the return-early part), and internal implementation doesn't have access to context.Response.StatusCode, but in this case being explicit seemed right to clearly follow the standard.

I've also set data = new QueryResult(data.Errors);. According to the spec, {data} shouldn't appear for errors of type "Request errors", and it can't be null either:

Errors

The errors entry in the response is a non-empty list of errors, where each
error is a map.

If no errors were raised during the request, the errors entry should
not be present in the result.

If the data entry in the response is not present, the errors
entry in the response must not be empty. It must contain at least one error.
The errors it contains should indicate why no data was able to be returned.

If the data entry in the response is present (including if it is the value
{null}), the errors entry in the response may contain any field errors that
were raised during execution. If field errors were raised during execution, it
should contain those errors.

Request errors

Request errors are raised before execution begins. This may occur due to a parse
grammar or validation error in the requested document, an inability to determine
which operation to execute, or invalid input values for variables.

Request errors are typically the fault of the requesting client.

If a request error is raised, execution does not begin and the data entry in
the response must not be present. The errors entry must include the error.

Field errors

Field errors are raised during execution from a particular field. This may occur
due to an internal error during value resolution or failure to coerce the
resulting value.

Field errors are typically the fault of GraphQL service.

If a field error is raised, execution attempts to continue and a partial result
is produced (see Handling Field Errors).
The data entry in the response must be present. The errors entry should
include all raised field errors.

Currently, EntityGraphQL sets the {data} section in any case, but null can be returned (like in the example here) and when using StrawberryShake, the client checks the {data} part if it's available. Since normally the {data} isn't null (line in the example, Expression<Func<MyDbContext, Movie>> is translated to Movies!), the StrawberryShake client checks that the {data} isn't null, but it is, and it fails. Removing the {data} completely solves the issue.

[lukemurray]

Have added a followSpec argument to MapGraphQL extension method. Given you dug into this I would appreciate you having a quick Look over it to see if I missed anything and that it works as expected.

The code might seem weird, but it is designed to not change the current behaviour unless you set it to true. It will be cleaned up in version 6 when this becomes the default.

[samyonr]

Thanks for the update! The additions indeed look closer to the spec now, but unfortunately, I think there are still some crucial gaps concerning the spec compliance, specifically with what is returned in case of an error or partial success: a problem occurs in case a non-nullable entity is promised by the GraphQL schema, but null is returned (with the 200 OK return code).

I'm basing my understanding on what I can figure out from the spec (here, and here), and from the Strawberry Shake implementation. Looks like Strawberry Shake (the ChilliCream GraphQL Platform) did a decent job, and it's the de-facto standard of GraphQL implementation in .NET.

To showcase the issues, I've created a fork of EntityGraphQL here. In it, I've added some demo code and tests to the 200OK_spec_compliance_test branch. All changes were added in a single commit to track them more easily.

In the branch, I'm adding a new test project, EntityGraphQL.AspNet.Extra.Tests, and three additional projects that constitute the app: Tests.Entities, Tests.DataAccess, and Tests.App.Entry.

Note that to run the tests, and the app in dev mode, you have to be able to run docker (I'm using Docker Desktop on Windows). You don't need it in release mode.

Tests.App.Entry contains the Program.cs, with some seeding, GraphQL setup, a custom implementation of mine for MapGrapQL (more about it later), auth, and .http file to execute the queries against the application and the seeded DB.

Tests.Entities has some basic entities, and Tests.DataAccess has the DB setup with EF Core, including the migration.

In EntityGraphQL.AspNet.Extra.Tests, I've added some testing setup, and two sets of tests:

1. StrawberryShakeTests, which uses an auto-generated Strawberry Shake client. I'm doing snapshot testing with Verify to compare the expected and received results. The single test is executed three times:
   • Against the new default behavior followSpec = false.
   • Against the new behavior when followSpec = true.
   • Against a custom behavior that I've added with CustomMapGraphQL ("my custom implementation").
2. AuthTests that don't use StrawberryShake. I also run these against the three different implementations.

Re (1), StrawberryShakeTests:
In my custom implementation, CustomMapGraphQL, I'm (almost) always returning 200 OK, but also, I've added this line: data = new QueryResult(data.Errors);. Of course, you can't add it as is to the package implementation, but I find it important and its behavior should be extended to the general case. It seems that while {data}, according to the spec, can be null in some cases, it's not allowed in others, when it's "promised" by the server that a non-nullable entity is returned. In my case, the AddPerson mutation, according to the schema, returns a non-nullable person:

type Mutation {
  "Add person"
  addPerson(inputModel: PersonInputModel!): Person!
}

However, in the mutation implementation, I do return null:

if (inputModel.Age < 0)
{
    validator.AddError("Age must be greater than or equal to 0");
    return null;
}

That's according to the example here:

[GraphQLMutation]
public Expression<Func<MyDbContext, Movie>> AddActor(MyDbContext db, ActorArgs args, IGraphQLValidator validator)
{
  if (string.IsNullOrEmpty(args.Name))
    validator.AddError("Name argument is required");
  if (args.age <= 0)
    validator.AddError("Age argument must be positive");

  if (validator.HasErrors)
    return null;

  // do your magic here. e.g. with EF or other business logic
  var movie = db.Movies.First(m => m.Id == args.Id);
  var actor = new Person { Name = args.Name, ... };
  movie.Actors.Add(actor);
  db.SaveChanges();
  return ctx => ctx.Movies.First(m => m.Id == movie.Id);
}

To avoid returning null, I'm re-creating the return object to not include {data} at all, which is different from having {data} equal null.
With that, I'm getting this return:

{
  addPersonResult: {
    ContextData: {},
    DataFactory: {},
    Errors: [
      {
        Message: Age must be greater than or equal to 0
      }
    ],
    Extensions: {}
  },
  getPersonResult: {
    ContextData: {},
    Data: {
      People: []
    },
    DataFactory: {},
    DataInfo: {
      EntityIds: [],
      People: []
    },
    Errors: [],
    Extensions: {}
  }
}

while without it (with the current implementation of followSpec = true), I'm getting:

{
  addPersonResult: {
    ContextData: {},
    DataFactory: {},
    Errors: [
      {
        Code: SS1000,
        Exception: {
          Data: {},
          HResult: -2147467261,
          Message: Value cannot be null.,
          Source: EntityGraphQL.AspNet.Extra.Tests,
          StackTrace:
   at EntityGraphQL.AspNet.Extra.Tests.State.AddPersonBuilder.Deserialize_NonNullableIAddPerson_AddPerson(Nullable`1 obj) in {ProjectDirectory}obj\Debug\net9.0\berry\AppClient.Client.cs:line 1185
   at EntityGraphQL.AspNet.Extra.Tests.State.AddPersonBuilder.BuildData(JsonElement obj) in {ProjectDirectory}obj\Debug\net9.0\berry\AppClient.Client.cs:line 1178
   at StrawberryShake.OperationResultBuilder`1.Build(Response`1 response)
        },
        Extensions: {
          StackTrace:
   at EntityGraphQL.AspNet.Extra.Tests.State.AddPersonBuilder.Deserialize_NonNullableIAddPerson_AddPerson(Nullable`1 obj) in {ProjectDirectory}obj\Debug\net9.0\berry\AppClient.Client.cs:line 1185
   at EntityGraphQL.AspNet.Extra.Tests.State.AddPersonBuilder.BuildData(JsonElement obj) in {ProjectDirectory}obj\Debug\net9.0\berry\AppClient.Client.cs:line 1178
   at StrawberryShake.OperationResultBuilder`1.Build(Response`1 response)
        },
        Message: Value cannot be null.
      }
    ],
    Extensions: {}
  },
  getPersonResult: {
    ContextData: {},
    Data: {
      People: []
    },
    DataFactory: {},
    DataInfo: {
      EntityIds: [],
      People: []
    },
    Errors: [],
    Extensions: {}
  }
}

(in the test, it's under the .received.txt, and not .verified.txt).
I think the right solution is to remove the data if it's null. My custom solution won't work well if there is an error, but there's a partial data response (because it'll delete all the data in case of any error, which is also wrong, so one has to check first if there's some data, and remove it only if the returned objects are null but are promised not to be null).

Hence, some StrawberryShakeTests are failing.

Re (2), the AuthTests: here I'm not so sure. Some tests pass, others fail. They all pass with my custom solution, but that doesn't mean it's correct. I'm checking if 200 OK is returned in any case, but sometimes 400 or 406 is returned. Is it correct? I'm not sure, but worth checking it out as well and comparing it against the spec. i.e. if authorization fails, what's expected of GraphQL? I've assumed that 200 OK with an error message should be returned, but I may be wrong here.

On last thing, regarding backward compatibility:
You've included this:

var schema =
	context.RequestServices.GetService<SchemaProvider<TQueryType>>()
	?? throw new InvalidOperationException(
		"No SchemaProvider<TQueryType> found in the service collection. Make sure you set up your Startup.ConfigureServices() to call AddGraphQLSchema<TQueryType>()."
	);

in a new try-catch block. The exception now will be caught by:

catch (Exception)
{
	// only exceptions we should get are ones that mean the request is invalid
	// all other graphql specific errors should be in the response data
	if (followSpec)
	{
		context.Response.StatusCode = StatusCodes.Status400BadRequest;
		return;
	}
}

This means that whether followSpec is true or false, it'll behave differently than before (when exceptions weren't caught). If you do catch it, I think 500 Internal Server Error makes more sense here (although the spec is kinda ambiguous about it), but in any case, it's sort of a (minor) breaking change catching this (and any other) exception. I'm personally not worried about it, but worth noting in case you want to keep full backward compatibility.

[lukemurray]

Thanks for that! I'll dig into it when I get a chance.

Seems like mutations are causing it to act differently. I'll add those to the tests as well.

The change (and tests) should have followSpec return 200 unless there was an issue with the request, i.e. invalid headers, invalid JSON etc. As per the examples in the spec. The catch should really only catch issues like that, mostly deserialisation errors, hence the 400 return as suggested by the spec. Also you're right that it changes the followSpec = false flow which was not intended for 5.x. Will fix that.

[lukemurray]

So if I follow this all correctly, I think the mutation issue is not related to the HTTP codes that the followSpec is trying to "fix". As it correctly returns a 200 status code because the GraphQL HTTP request was valid.

The issue is the GraphQL schema says addPersonResult is not nullable but we return

{
  "data": {
    "addPersonResult": null // invalid given the schema
  },
  "errors": ...
}

I'm thinking that is a bug and the library probably should clean up mutation results to follow the schema outputting. And your data = new QueryResult(data.Errors); line does clean it up but also prevents a valid response that has data and errors.

[samyonr]

Right. 200 OK is returned in the right cases*, but the result doesn't comply with the schema. My "solution" is my no means the right one. It works only because nothing is returned, but it'll break in case of partial success.

*note that there is a potential issue related to 200 OK and followSpec: in the auth tests I'm checking various cases and expect 200 OK to be returned, while in practice 406 is returned sometimes. I don't know if my expectations are correct here. Maybe 200 OK is the right thing in case of authorization error, but it could be wrong as well. I'll check the spec in a few days to try to find what's a proper response in various authorization cases. My gut feeling is that indeed 200 OK isn't the right response in all cases.

[samyonr]

OK, I've skimmed over various implementations of GraphQL, and re-reviewed the GraphQL Over HTTP document, looking for authentication and authorization, and the conclusion are... inconclusive.

The application/graphql-response+json section states that:

If the client is not permitted to issue the GraphQL request then the server SHOULD reply with 403, 401 or similar appropriate status code.

(note that SHOULD != MUST)

The application/json section skips this issue entirely, if I'm not mistaken.

BTW, a small diversion from auth issues, the spec also states that:

If the GraphQL response contains the {data} entry and it is {null}, then the server SHOULD reply with a 2xx status code and it is RECOMMENDED it replies with 200 status code.

Note: Using 4xx and 5xx status codes in this situation is not recommended - since no GraphQL request error has occurred it is seen as a "partial response".

If the GraphQL response does not contain the {data} entry then the server MUST reply with a 4xx or 5xx status code as appropriate.

Note: The GraphQL specification indicates that the only situation in which the GraphQL response does not include the {data} entry is one in which the {errors} entry is populated.

I'm not sure what should be returned in case a mutation can return null... but anyway, the issue above was in case the mutation isn't allowed to return null and it still returns it. Anyway, worth be careful about not adding {data} at all.

Back to auth.

So, it should that it's possible to return whatever you want, using 401 or 403 is nice, but not required, and in practice, I saw GraphQL implementations that return 200 in all cases: even on authentication failures, or authorization failures, adding a clear error message that describes the issue. Another approach is to return 401 in case of authentication error, but 200 in case of authorization error with a clear error message.

In short, all options are valid for auth checks, so I think you ignore some my AuthTests.cs file. It would be nice to clearly state the approach this package takes. Currently, it looks like in case of authorization issue, it returns 406 - I wasn't expecting that, but it seems to be a valid approach.

Note, however, that some tests in AuthTests.cs do fail now (with followSpec = true), but didn't fail before (with followSpec = false), and I wouldn't expect them to fail at all. These are the Query_WithReaderRole_ShouldSucceed, Mutation_WithWriterRole_ShouldSucceed, and Query_WithWriterRole_ShouldSucceed tests. In all of them I'm receiving 406 but I was expecting them to succeed (i.e. 200 OK, without {errors}). Am I doing something wrong here, or there's some regression in the new implementation?

[lukemurray]

Thanks for this. I do want to jump into those Auth tests when I get a chance as without digging into them it seems they should not fail unless the client isn't sending the right headers etc. And yes the "spec" uses should a lot, I did adopt to follow those, which may be too strict.

I have push some changes to make sure non-nullable fields are not returned as null specifically the mutation example you reference.

[lukemurray]

So Auth is interesting...

EntityGraphQL allows you to use ASP.Net role etc to add auth to fields etc. In this case the request makes it to the graphql endpoint middleware and it should return a 200 with the error like "you don't have access to this field" etc.

Separately with ASP.Net, you can secure the route or every route. That could be configured to happen before the EntityGraphQL endpoint gets hit.

Although this doesn't seem to be the issue here.

Looking at test Mutation_WithWriterRole_ShouldSucceed no Accept header is supplied. Form the spec

Note: If a client does not supply the Accept header then the server may respond with an error, or with any content type it chooses

followSpec currently replies with an error, I think this is too strict. I'll default to json. That fixes them all except Mutation_WithReaderRole_ShouldFail with Test_WithoutFollowSpec. and that is because the test incorrectly expects 200. When EntityGraphQL 5.x without followSpec = true would return 400 on any errors, which this has an error "no access to the field". This line

context.Response.StatusCode = followSpec ? StatusCodes.Status200OK : StatusCodes.Status400BadRequest;

I think with the softening on the Accept header followSpec = false works as 5.7 and followSpec = true should be good.

[samyonr]

Wow, thanks for the fixes!

I've tried them out and indeed all tests pass (except for the one that shouldn't).
Also, reviewed the recent commits and all looks good as far as I can tell.

Closing the issue, thanks again.