router
Using fragments with @authenticated gives GRAPHQL_VALIDATION error instead of Unauthorized error
The bug
When calling a query that uses the @authenticated directive using fragments with an unauthenticated user, the router returns a GRAPHQL_VALIDATION_ERROR instead of an Unauthorized error.
To Reproduce
Query example with fragments
    query {
      type1 {
        type2 {
          ...fragmentFields
        }
        type3 {
          ...fragmentFields
        }
      }
    }
    fragment fragmentFields on Type {
      fields
    }
-> Valid token ==> ALL OK
-> Invalid token =>
    {
      "errors": [
        {
          "message": "Fragment \"fragmentFields\" is never used.",
          "extensions": {
            "code": "GRAPHQL_VALIDATION_FAILED"
          }
        }
      ]
    }
Without fragment
    query {
      type1 {
        type2 {
          fields
        }
        type3 {
          fields
        }
      }
    }
Invalid token =>
    {
      "data": {},
      "errors": [
        {
          "message": "Unauthorized field or type",
          "path": [
            "-",
            "@"
          ],
          "extensions": {
            "code": "UNAUTHORIZED_FIELD_OR_TYPE"
          }
        }
      ]
    }
Expected behavior
Expect the unauthorized error when using fragments too
Iiinteresting! This would probably be fixed by #4551 since validation will happen before we modify the operation. But, it means that we have invalid operations floating around in the router, so we should also remove fragments that become unused after we modify input queries.
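An added sketch of the clean-up step mentioned in the comment above, not code from the router or from either participant: after an authorization filter drops fields, fragment definitions that are no longer spread anywhere are removed so the rewritten operation stays valid. The `Sel`/`Doc` model, the function names, and the choice of `type2`/`type3` as the fields requiring authentication are assumptions made for illustration.

```rust
use std::collections::{BTreeMap, BTreeSet};
// Simplified operation model (assumption: not the router's real AST types).
#[derive(Clone, Debug, PartialEq)]
enum Sel { Field(String, Vec<Sel>), Spread(String) }
struct Doc { operation: Vec<Sel>, fragments: BTreeMap<String, Vec<Sel>> }

// Drop denied fields; a parent whose selection set becomes empty is dropped too.
fn filter(sels: &[Sel], denied: &BTreeSet<&str>) -> Vec<Sel> {
    sels.iter().filter_map(|s| match s {
        Sel::Field(name, _) if denied.contains(name.as_str()) => None,
        Sel::Field(name, kids) if !kids.is_empty() => Some(filter(kids, denied))
            .filter(|k| !k.is_empty()).map(|k| Sel::Field(name.clone(), k)),
        other => Some(other.clone()),
    }).collect()
}

// Collect fragment names reachable from a selection set, following nested spreads.
fn reach(sels: &[Sel], frags: &BTreeMap<String, Vec<Sel>>, seen: &mut BTreeSet<String>) {
    for s in sels {
        match s {
            Sel::Field(_, kids) => reach(kids, frags, seen),
            Sel::Spread(name) => if seen.insert(name.clone()) {
                if let Some(body) = frags.get(name) { reach(body, frags, seen) }
            },
        }
    }
}

// Authorization filter, then removal of fragments no longer spread anywhere.
fn filter_and_prune(doc: &Doc, denied: &BTreeSet<&str>) -> Doc {
    let operation = filter(&doc.operation, denied);
    let mut fragments: BTreeMap<_, _> = doc.fragments.iter().map(|(k, v)| (k.clone(), filter(v, denied))).collect();
    let mut used = BTreeSet::new();
    reach(&operation, &fragments, &mut used);
    fragments.retain(|name, _| used.contains(name));
    Doc { operation, fragments }
}

// The issue's query, rebuilt by hand as constructed sample input.
fn field(name: &str, kids: Vec<Sel>) -> Sel { Sel::Field(name.into(), kids) }
fn issue_query() -> Doc {
    let spread = || Sel::Spread("fragmentFields".into());
    let operation = vec![field("type1", vec![field("type2", vec![spread()]), field("type3", vec![spread()])])];
    Doc { operation, fragments: BTreeMap::from([("fragmentFields".to_string(), vec![field("fields", vec![])])]) }
}

fn main() {
    println!("{:?}", filter_and_prune(&issue_query(), &BTreeSet::from(["type2", "type3"])).fragments);
}
```

The sketch does not handle a fragment whose own body is filtered down to nothing; a real implementation would also have to drop spreads of such a fragment.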