-
-
Notifications
You must be signed in to change notification settings - Fork 536
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: show 405 error if request is GET and queries are not allowed #3646
base: main
Are you sure you want to change the base?
Conversation
Reviewer's Guide by SourceryThis pull request implements a fix to show a 404 error if a GET request is received when queries are not allowed. The changes are made in both the asynchronous and synchronous base view classes. File-Level Changes
Sequence DiagramsequenceDiagram
participant Client
participant BaseView
participant RequestAdapter
Client->>BaseView: Send request
BaseView->>RequestAdapter: Get request method
alt Request method is GET and queries via GET not allowed
BaseView-->>Client: Return 404 Not Found
else Request is valid
BaseView->>BaseView: Continue processing
end
Tips
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey @alexei - I've reviewed your changes - here's some feedback:
Overall Comments:
- Consider adding unit tests to cover the new condition for both GET and non-GET requests, with queries allowed and disallowed.
- The error message 'Not Found' might be too generic. Consider using a more specific message like 'GET queries not allowed' to help developers understand why their request was rejected.
Here's what I looked at during the review
- 🟢 General issues: all looks good
- 🟢 Security: all looks good
- 🟢 Testing: all looks good
- 🟢 Complexity: all looks good
- 🟢 Documentation: all looks good
Help me be more useful! Please click 👍 or 👎 on each comment to tell me if it was helpful.
Thanks for adding the Here's a preview of the changelog: This release fixes an issue where a GET request is processed despite it being disallowed. Here's the tweet text:
|
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #3646 +/- ##
===========================================
+ Coverage 72.55% 96.75% +24.20%
===========================================
Files 518 522 +4
Lines 32647 33831 +1184
Branches 3772 5637 +1865
===========================================
+ Hits 23687 32734 +9047
+ Misses 8532 865 -7667
+ Partials 428 232 -196 |
for more information, see https://pre-commit.ci
CodSpeed Performance ReportMerging #3646 will not alter performanceComparing Summary
|
@@ -0,0 +1,3 @@ | |||
Release type: patch | |||
|
|||
This release fixes an issue where a GET request is processed despite it being disallowed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's be more specific here
This release fixes an issue where a GET request is processed despite it being disallowed. | |
This release changes the default behavior on queries via GET requests to a 405 error. To enable queries via get, please use `self.allow_queries_via_get`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey @erikwrede I appreciate your reviewing this. I agree the message can be improved, but let's be clear about the change. Queries via GET are still allowed by default just like before - I did not touch that, though I believe the default should be more conservative. I changed the behavior when it's turned off:
- before this change you get a GraphQL query not found error;
- after this change you get a HTTP method not allowed error.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@alexei so probably we can go with an explanation like that, saying that before, even though queries via GET are allowed by default, when disallowing them you would only get a GraphQL query not found error, but now you should get a 405 error instead.
Description
When
allow_queries_via_get
isFalse
,GET
requests are processed despite the fact that queries are disallowed. Currently the response is "400: No GraphQL query found in the request" which is raised at a deeper level. I believe such requests should be rejected immediately as they needlessly consume resources.Types of Changes
Issues Fixed or Closed by This PR
Checklist
Summary by Sourcery
Fix the handling of GET requests by returning a 404 error when queries are disallowed, instead of processing them and returning a 400 error at a deeper level.
Bug Fixes: