Propagating authentication errors through GraphQL gateway

[wujekbogdan]

I have a GraphQL gateway that redirects requests to the main GraphQL server. I use the following executor to pass the original request's authorization header to the main GraphQL server.

import { buildHTTPExecutor } from '@graphql-tools/executor-http';

export const useGatewaySchema = ({
  url,
  transforms,
}: Options) => {
  /**
   * Executes the remote schema using a token passed by a client.
   * This executor is used to perform all subsequent calls to the remote GraphQL server.
   */
  const runtimeExecutor = buildHTTPExecutor({
    endpoint: new URL('/graphql', url).toString(),
    headers: (executorRequest) => {
      // Get the original request header from the client call
      const authorization =
        executorRequest?.context?.request?.headers?.headersInit
          ?.authorization ?? '';

      // Use that header to authorize the main GraphQL requests
      return {
        authorization,
      };
    },
  });

  return stitchSchemas({
    subschemas: [
      {
        schema: mySchema,
        transforms,
        executor: runtimeExecutor,
      },
      // ...
    ],
  });
};

Then I use that schema to instantiate the Yoga server.

  const gatewaySchema = useGatewaySchema({
    transforms,
    url,
  });

  const yoga = createYoga({
    landingPage: false,
    schema: gatewaySchema,
    maskedErrors: false,
  });

It all works fine, but authentication errors do not propagate through the Yoga server. If the original GraphQL server returns a 401 error, the Yoga server returns 200 and an error message such as:

{
  "errors": [
    {
      "message": "Cannot return null for non-nullable field Mutation.myMutation.",
      "locations": [
        {
          "line": 2,
          "column": 3
        }
      ],
      "path": [
        "signup"
      ]
    }
  ],
  "data": null
}

Disabling error masking doesn't help. It only affects regular requests, e.g., when the original server responds with a validation error.

Is there any way to force the HTTP executor to propagate all HTTP errors?

The only solution (or rather workaround) I found is providing a custom fetch implementation that throws an error depending on the response.status:

const runtimeExecutor = buildHTTPExecutor({
  endpoint: new URL('/graphql', url).toString(),
  fetch: async (input, init) => {
    const response = await fetch(input, init);

    if (response.status > 201) {
      throw new Error('Something went wrong!');
    }

    return response;
  },
  // ...
});

But It doesn't seem elegant. I feel this should happen at the HTTP executor level rather than within the fetch implementation. It would be better if original errors propagated seamlessly instead of being explicitly handled based on error codes."

[ardatan]

In subschema execution, we are not able to know how HTTP status codes are used by the service.
But instead, we look at the data returned. Independent from the status code, the service should return a response with errors field that lists the errors so the gateway can propagate it to the final response.
Maybe you can share a reproduction so we can discuss using it.

[wujekbogdan]

The server, in case of an authentication error, returns just the 401 Unauthorized HTTP response and an empty body, so we can't look into errors as they don't exist. The server is out of my control.