Is it possible to disable error messages?

Open markhopson opened this issue 4 years ago • 4 comments

Seems like if you try random queries, Sangria returns more info than wanted.

...
"message": "Cannot query field 'CompanySpecificTypeWithTypo' on type 'root'. Did you mean 'CompanySpecificType' or 'AnotherCompanySpecificType'? (line 1, column 24):\nquery OrgLoaderQuery { CompanySpecificTypeWithTypo  }\n                       ^",
"locations": [{ "line": 1, "column": 24}]
...

Is it possible to disable this feature?

markhopson avatar Dec 15 '20 04:12 markhopson

Hello,

Sangria just returns the error when it executes the query, but it's up to the HTTP server to decide what to do with it. It's usually great that clients can debug their queries. (See also issue #524.)

Are you aware of GraphQL introspection queries? (Basically Sangria provides the full schema to clients that ask nicely.)

PAStheLoD avatar Dec 15 '20 09:12 PAStheLoD

Thanks! So I guess if I wanted to block the message then I should use a filter to remove that response?

markhopson avatar Dec 15 '20 17:12 markhopson

@markhopson

You can:

  • Replace this validator rule with one that doesn't provide type information to attackers (simply override it with a new handler for badValue).
  • If validation fails, the execute method will return a failed Future containing a ViolationError and all the individual violations. You can recover on that case and remove those from being returned in the response.

paulpdaniels avatar Dec 16 '20 02:12 paulpdaniels
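
The second option in the comment above (recover on the failed Future and keep the violations out of the response), sketched as an added example that is not code from this thread or from the Sangria project. It assumes circe marshalling through sangria-circe; the `QuietGraphQL` object, the one-field schema, the generic message and the stderr logging are hypothetical choices made for illustration.

```scala
import io.circe.Json
import sangria.execution.{Executor, ValidationError}
import sangria.marshalling.circe._
import sangria.parser.QueryParser
import sangria.schema._

import scala.concurrent.{ExecutionContext, Future}
import scala.util.{Failure, Success}

object QuietGraphQL {
  // Hypothetical one-field schema, for illustration only.
  val QueryType: ObjectType[Unit, Unit] = ObjectType(
    "Query",
    fields[Unit, Unit](Field("hello", StringType, resolve = _ => "world")))
  val schema: Schema[Unit, Unit] = Schema(QueryType)

  // Fixed body sent for every rejected query: no type names, no
  // "Did you mean" suggestions, no echo of the query text.
  private val rejected: Json = Json.obj(
    "errors" -> Json.arr(Json.obj("message" -> Json.fromString("Invalid query"))))

  def execute(query: String)(implicit ec: ExecutionContext): Future[Json] =
    QueryParser.parse(query) match {
      case Failure(e) =>
        // Syntax errors also quote the offending query; log them server-side only.
        System.err.println(s"GraphQL syntax error: ${e.getMessage}")
        Future.successful(rejected)
      case Success(document) =>
        Executor.execute(schema, document).recover {
          case e: ValidationError =>
            // The detailed violations stay in the server log for debugging.
            e.violations.foreach(v => System.err.println(s"GraphQL violation: ${v.errorMessage}"))
            rejected
        }
    }
}
```

Only validation failures are rewritten here; successful results and errors raised while resolving fields pass through unchanged, so the HTTP layer still decides how those are reported.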

https://github.com/sangria-graphql/sangria/pull/517

yanns avatar Dec 22 '20 17:12 yanns