feat(audits/server) Check variable coercion failure (#58)

Closes #57
Co-authored-by: enisdenjo <badurinadenis@gmail.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Author: trevor-scheer

implementations/apollo-server/README.md

@@ -3,9 +3,9 @@
 <h1>GraphQL over HTTP audit report</h1>
 
 <ul>
-<li><b>78</b> audits in total</li>
-<li><span style="font-family: monospace">✅</span> <b>53</b> pass</li>
-<li><span style="font-family: monospace">⚠️</span> <b>25</b> warnings (optional)</li>
+<li><b>80</b> audits in total</li>
+<li><span style="font-family: monospace">✅</span> <b>54</b> pass</li>
+<li><span style="font-family: monospace">⚠️</span> <b>26</b> warnings (optional)</li>
 </ul>
 
 <h2>Passing</h2>
@@ -63,6 +63,7 @@
 <li><code>51FE</code> SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json</li>
 <li><code>74FF</code> SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json</li>
 <li><code>5E5B</code> SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json</li>
+<li><code>86EE</code> SHOULD use a status code of 400 on variable coercion failure when accepting application/graphql-response+json</li>
 </ol>
 
 <h2>Warnings</h2>
@@ -1037,5 +1038,79 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
+<li><code>7B9B</code> SHOULD use a status code of 200 on variable coercion failure when accepting application/json
+<details>
+<summary>Response status code is not 200</summary>
+<pre><code class="lang-json">{
+  "statusText": "Bad Request",
+  "status": 400,
+  "headers": {
+    "x-powered-by": "Express",
+    "etag": "W/\"bb6-gXaURMU/HGIiPsrBiHj0x/xi2Cw\"",
+    "date": "<timestamp>",
+    "content-type": "application/json; charset=utf-8",
+    "content-length": "2998",
+    "connection": "close",
+    "cache-control": "no-store",
+    "access-control-allow-origin": "*"
+  },
+  "body": {
+    "errors": [
+      {
+        "message": "Unknown type \"ID\".",
+        "locations": [
+          {
+            "line": 1,
+            "column": 26
+          }
+        ],
+        "extensions": {
+          "stacktrace": [
+            "GraphQLError: Unknown type \"ID\".",
+            "    at Object.NamedType (/home/runner/work/graphql-http/graphql-http/node_modules/graphql/validation/rules/KnownTypeNamesRule.js:65:11)",
+            "    at Object.enter (/home/runner/work/graphql-http/graphql-http/node_modules/graphql/language/visitor.js:301:32)",
+            "    at Object.enter (/home/runner/work/graphql-http/graphql-http/node_modules/graphql/utilities/TypeInfo.js:391:27)",
+            "    at visit (/home/runner/work/graphql-http/graphql-http/node_modules/graphql/language/visitor.js:197:21)",
+            "    at validate (/home/runner/work/graphql-http/graphql-http/node_modules/graphql/validation/validate.js:91:24)",
+            "    at processGraphQLRequest (file:///home/runner/work/graphql-http/graphql-http/node_modules/@apollo/server/dist/esm/requestPipeline.js:97:34)",
+            "    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)",
+            "    at async internalExecuteOperation (file:///home/runner/work/graphql-http/graphql-http/node_modules/@apollo/server/dist/esm/ApolloServer.js:585:16)",
+            "    at async runHttpQuery (file:///home/runner/work/graphql-http/graphql-http/node_modules/@apollo/server/dist/esm/runHttpQuery.js:129:29)",
+            "    at async runPotentiallyBatchedHttpQuery (file:///home/runner/work/graphql-http/graphql-http/node_modules/@apollo/server/dist/esm/httpBatching.js:34:16)"
+          ],
+          "code": "GRAPHQL_VALIDATION_FAILED"
+        }
+      },
+      {
+        "message": "Variable \"$id\" is never used in operation \"CoerceFailure\".",
+        "locations": [
+          {
+            "line": 1,
+            "column": 21
+          }
+        ],
+        "extensions": {
+          "stacktrace": [
+            "GraphQLError: Variable \"$id\" is never used in operation \"CoerceFailure\".",
+            "    at Object.leave (/home/runner/work/graphql-http/graphql-http/node_modules/graphql/validation/rules/NoUnusedVariablesRule.js:39:15)",
+            "    at Object.leave (/home/runner/work/graphql-http/graphql-http/node_modules/graphql/language/visitor.js:324:32)",
+            "    at Object.leave (/home/runner/work/graphql-http/graphql-http/node_modules/graphql/utilities/TypeInfo.js:411:21)",
+            "    at visit (/home/runner/work/graphql-http/graphql-http/node_modules/graphql/language/visitor.js:197:21)",
+            "    at validate (/home/runner/work/graphql-http/graphql-http/node_modules/graphql/validation/validate.js:91:24)",
+            "    at processGraphQLRequest (file:///home/runner/work/graphql-http/graphql-http/node_modules/@apollo/server/dist/esm/requestPipeline.js:97:34)",
+            "    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)",
+            "    at async internalExecuteOperation (file:///home/runner/work/graphql-http/graphql-http/node_modules/@apollo/server/dist/esm/ApolloServer.js:585:16)",
+            "    at async runHttpQuery (file:///home/runner/work/graphql-http/graphql-http/node_modules/@apollo/server/dist/esm/runHttpQuery.js:129:29)",
+            "    at async runPotentiallyBatchedHttpQuery (file:///home/runner/work/graphql-http/graphql-http/node_modules/@apollo/server/dist/esm/httpBatching.js:34:16)"
+          ],
+          "code": "GRAPHQL_VALIDATION_FAILED"
+        }
+      }
+    ]
+  }
+}
+</code></pre>
+</details>
+</li>
 </ol>
 

implementations/apollo-server/report.json

@@ -1,6 +1,6 @@
 {
-  "total": 78,
-  "ok": 53,
-  "warn": 25,
+  "total": 80,
+  "ok": 54,
+  "warn": 26,
   "error": 0
 }

implementations/deno/README.md

@@ -3,9 +3,9 @@
 <h1>GraphQL over HTTP audit report</h1>
 
 <ul>
-<li><b>78</b> audits in total</li>
-<li><span style="font-family: monospace">✅</span> <b>35</b> pass</li>
-<li><span style="font-family: monospace">⚠️</span> <b>43</b> warnings (optional)</li>
+<li><b>80</b> audits in total</li>
+<li><span style="font-family: monospace">✅</span> <b>36</b> pass</li>
+<li><span style="font-family: monospace">⚠️</span> <b>44</b> warnings (optional)</li>
 </ul>
 
 <h2>Passing</h2>
@@ -41,6 +41,7 @@
 <li><code>F5AF</code> SHOULD use 200 status code if parameters are invalid when accepting application/json</li>
 <li><code>572B</code> SHOULD use 200 status code on document parsing failure when accepting application/json</li>
 <li><code>FDE2</code> SHOULD use 200 status code on document validation failure when accepting application/json</li>
+<li><code>7B9B</code> SHOULD use a status code of 200 on variable coercion failure when accepting application/json</li>
 <li><code>60AA</code> SHOULD use 4xx or 5xx status codes on JSON parsing failure when accepting application/graphql-response+json</li>
 <li><code>3E36</code> SHOULD use 4xx or 5xx status codes if parameters are invalid when accepting application/graphql-response+json</li>
 <li><code>865D</code> SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json</li>
@@ -823,5 +824,22 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
+<li><code>86EE</code> SHOULD use a status code of 400 on variable coercion failure when accepting application/graphql-response+json
+<details>
+<summary>Response status code is not 400</summary>
+<pre><code class="lang-json">{
+  "statusText": "Not Acceptable",
+  "status": 406,
+  "headers": {
+    "vary": "Accept-Encoding",
+    "date": "<timestamp>",
+    "content-type": "text/plain;charset=UTF-8",
+    "content-length": "14"
+  },
+  "body": "Not Acceptable"
+}
+</code></pre>
+</details>
+</li>
 </ol>
 

implementations/deno/report.json

@@ -1,6 +1,6 @@
 {
-  "total": 78,
-  "ok": 35,
-  "warn": 43,
+  "total": 80,
+  "ok": 36,
+  "warn": 44,
   "error": 0
 }

implementations/express-graphql/README.md

@@ -3,9 +3,9 @@
 <h1>GraphQL over HTTP audit report</h1>
 
 <ul>
-<li><b>78</b> audits in total</li>
-<li><span style="font-family: monospace">✅</span> <b>45</b> pass</li>
-<li><span style="font-family: monospace">⚠️</span> <b>33</b> warnings (optional)</li>
+<li><b>80</b> audits in total</li>
+<li><span style="font-family: monospace">✅</span> <b>46</b> pass</li>
+<li><span style="font-family: monospace">⚠️</span> <b>34</b> warnings (optional)</li>
 </ul>
 
 <h2>Passing</h2>
@@ -55,6 +55,7 @@
 <li><code>51FE</code> SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json</li>
 <li><code>74FF</code> SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json</li>
 <li><code>5E5B</code> SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json</li>
+<li><code>86EE</code> SHOULD use a status code of 400 on variable coercion failure when accepting application/graphql-response+json</li>
 </ol>
 
 <h2>Warnings</h2>
@@ -851,5 +852,45 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
+<li><code>7B9B</code> SHOULD use a status code of 200 on variable coercion failure when accepting application/json
+<details>
+<summary>Response status code is not 200</summary>
+<pre><code class="lang-json">{
+  "statusText": "Bad Request",
+  "status": 400,
+  "headers": {
+    "x-powered-by": "Express",
+    "etag": "W/\"c6-jKvd+KIdPY2/2i/wYj0ck5PZF20\"",
+    "date": "<timestamp>",
+    "content-type": "application/json; charset=utf-8",
+    "content-length": "198",
+    "connection": "close"
+  },
+  "body": {
+    "errors": [
+      {
+        "message": "Unknown type \"ID\".",
+        "locations": [
+          {
+            "line": 1,
+            "column": 26
+          }
+        ]
+      },
+      {
+        "message": "Variable \"$id\" is never used in operation \"CoerceFailure\".",
+        "locations": [
+          {
+            "line": 1,
+            "column": 21
+          }
+        ]
+      }
+    ]
+  }
+}
+</code></pre>
+</details>
+</li>
 </ol>
 

implementations/express-graphql/report.json

@@ -1,6 +1,6 @@
 {
-  "total": 78,
-  "ok": 45,
-  "warn": 33,
+  "total": 80,
+  "ok": 46,
+  "warn": 34,
   "error": 0
 }

implementations/graph-client/README.md

@@ -3,8 +3,8 @@
 <h1>GraphQL over HTTP audit report</h1>
 
 <ul>
-<li><b>78</b> audits in total</li>
-<li><span style="font-family: monospace">✅</span> <b>78</b> pass</li>
+<li><b>80</b> audits in total</li>
+<li><span style="font-family: monospace">✅</span> <b>80</b> pass</li>
 </ul>
 
 <h2>Passing</h2>
@@ -76,6 +76,7 @@
 <li><code>F5AF</code> SHOULD use 200 status code if parameters are invalid when accepting application/json</li>
 <li><code>572B</code> SHOULD use 200 status code on document parsing failure when accepting application/json</li>
 <li><code>FDE2</code> SHOULD use 200 status code on document validation failure when accepting application/json</li>
+<li><code>7B9B</code> SHOULD use a status code of 200 on variable coercion failure when accepting application/json</li>
 <li><code>60AA</code> SHOULD use 4xx or 5xx status codes on JSON parsing failure when accepting application/graphql-response+json</li>
 <li><code>2163</code> SHOULD use 400 status code on JSON parsing failure when accepting application/graphql-response+json</li>
 <li><code>3E36</code> SHOULD use 4xx or 5xx status codes if parameters are invalid when accepting application/graphql-response+json</li>
@@ -87,5 +88,6 @@
 <li><code>51FE</code> SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json</li>
 <li><code>74FF</code> SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json</li>
 <li><code>5E5B</code> SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json</li>
+<li><code>86EE</code> SHOULD use a status code of 400 on variable coercion failure when accepting application/graphql-response+json</li>
 </ol>
 

implementations/graph-client/report.json

@@ -1,6 +1,6 @@
 {
-  "total": 78,
-  "ok": 78,
+  "total": 80,
+  "ok": 80,
   "warn": 0,
   "error": 0
 }

implementations/graphql-helix/README.md

@@ -3,9 +3,9 @@
 <h1>GraphQL over HTTP audit report</h1>
 
 <ul>
-<li><b>78</b> audits in total</li>
-<li><span style="font-family: monospace">✅</span> <b>49</b> pass</li>
-<li><span style="font-family: monospace">⚠️</span> <b>29</b> warnings (optional)</li>
+<li><b>80</b> audits in total</li>
+<li><span style="font-family: monospace">✅</span> <b>50</b> pass</li>
+<li><span style="font-family: monospace">⚠️</span> <b>30</b> warnings (optional)</li>
 </ul>
 
 <h2>Passing</h2>
@@ -59,6 +59,7 @@
 <li><code>51FE</code> SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json</li>
 <li><code>74FF</code> SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json</li>
 <li><code>5E5B</code> SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json</li>
+<li><code>86EE</code> SHOULD use a status code of 400 on variable coercion failure when accepting application/graphql-response+json</li>
 </ol>
 
 <h2>Warnings</h2>
@@ -730,5 +731,44 @@ The server <i>SHOULD</i> support these, but is not required.
 </code></pre>
 </details>
 </li>
+<li><code>7B9B</code> SHOULD use a status code of 200 on variable coercion failure when accepting application/json
+<details>
+<summary>Response status code is not 200</summary>
+<pre><code class="lang-json">{
+  "statusText": "Bad Request",
+  "status": 400,
+  "headers": {
+    "x-powered-by": "Express",
+    "date": "<timestamp>",
+    "content-type": "application/json",
+    "content-length": "198",
+    "connection": "close"
+  },
+  "body": {
+    "errors": [
+      {
+        "message": "Unknown type \"ID\".",
+        "locations": [
+          {
+            "line": 1,
+            "column": 26
+          }
+        ]
+      },
+      {
+        "message": "Variable \"$id\" is never used in operation \"CoerceFailure\".",
+        "locations": [
+          {
+            "line": 1,
+            "column": 21
+          }
+        ]
+      }
+    ]
+  }
+}
+</code></pre>
+</details>
+</li>
 </ol>
 

implementations/graphql-helix/report.json

@@ -1,6 +1,6 @@
 {
-  "total": 78,
-  "ok": 49,
-  "warn": 29,
+  "total": 80,
+  "ok": 50,
+  "warn": 30,
   "error": 0
 }

implementations/graphql-yoga/README.md

@@ -3,8 +3,8 @@
 <h1>GraphQL over HTTP audit report</h1>
 
 <ul>
-<li><b>78</b> audits in total</li>
-<li><span style="font-family: monospace">✅</span> <b>78</b> pass</li>
+<li><b>80</b> audits in total</li>
+<li><span style="font-family: monospace">✅</span> <b>80</b> pass</li>
 </ul>
 
 <h2>Passing</h2>
@@ -76,6 +76,7 @@
 <li><code>F5AF</code> SHOULD use 200 status code if parameters are invalid when accepting application/json</li>
 <li><code>572B</code> SHOULD use 200 status code on document parsing failure when accepting application/json</li>
 <li><code>FDE2</code> SHOULD use 200 status code on document validation failure when accepting application/json</li>
+<li><code>7B9B</code> SHOULD use a status code of 200 on variable coercion failure when accepting application/json</li>
 <li><code>60AA</code> SHOULD use 4xx or 5xx status codes on JSON parsing failure when accepting application/graphql-response+json</li>
 <li><code>2163</code> SHOULD use 400 status code on JSON parsing failure when accepting application/graphql-response+json</li>
 <li><code>3E36</code> SHOULD use 4xx or 5xx status codes if parameters are invalid when accepting application/graphql-response+json</li>
@@ -87,5 +88,6 @@
 <li><code>51FE</code> SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json</li>
 <li><code>74FF</code> SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json</li>
 <li><code>5E5B</code> SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json</li>
+<li><code>86EE</code> SHOULD use a status code of 400 on variable coercion failure when accepting application/graphql-response+json</li>
 </ol>
 

implementations/graphql-yoga/report.json

@@ -1,6 +1,6 @@
 {
-  "total": 78,
-  "ok": 78,
+  "total": 80,
+  "ok": 80,
   "warn": 0,
   "error": 0
 }