AUTH_NOT_AUTHORIZED returned when expecting AUTH_NOT_AUTHENTICATED #6228
Comments
The documentation is outdated. Out of the box you only have
Would you consider unsealing Edit to add: curious as to why this isn't implemented in the first place? The logic from
@epbensimpson
You could workaround the problem by implementing an IErrorFilter that translates It would be great if we could extend Hot Chocolate's
@hundreder Here's a link to a gist with the changes: https://gist.github.com/epbensimpson/401c2418b8f59ed55461d5d001397fff Changes are at line 77-88 and line 113-134
@michaelstaib Just saw that the bug-tag was removed. Anyway, I've stumbled across the same issue and since the AuthorizeMiddleware supports this state, I think it's logical that the AspNetCore implementation correctly returns
This is how I currently solve this problem.

```csharp
using System;
using HotChocolate;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

internal class ErrorFilter(IServiceProvider serviceProvider) : IErrorFilter
{
    public IError OnError(IError error)
    {
        if (error.Code == "AUTH_NOT_AUTHORIZED")
        {
            // If the error code is AUTH_NOT_AUTHORIZED, check whether the current user is authenticated;
            // if not, swap the code to AUTH_NOT_AUTHENTICATED so the client can distinguish the two cases.
            IHttpContextAccessor httpContextAccessor = serviceProvider.GetRequiredService<IHttpContextAccessor>();
            HttpContext context = httpContextAccessor.HttpContext ?? throw new InvalidOperationException();
            if (context.User.Identity?.IsAuthenticated != true)
            {
                return error.WithCode("AUTH_NOT_AUTHENTICATED");
            }
        }
        return error;
    }
}
```

Don't forget to register the services:

```csharp
.AddGraphQLServer()
.AddAuthorization()
.AddErrorFilter<ErrorFilter>()
...
```
While that works, it feels "hacky" to resolve the

```csharp
private static IError? TransformErrorForAuthn(IError error)
{
    // TODO: the distinction below currently doesn't work, because Hot Chocolate returns NotAuthorized in both cases.
    // Keep an eye on https://github.com/ChilliCream/graphql-platform/issues/6228
    return error.Code switch
    {
        ErrorCodes.Authentication.NotAuthorized => error
            .SetExtension("statusCode", (int)HttpStatusCode.Forbidden),
        ErrorCodes.Authentication.NotAuthenticated => error
            .SetExtension("statusCode", (int)HttpStatusCode.Unauthorized),
        _ => null,
    };
}
```
Is there an existing issue for this?
Product
Hot Chocolate
Describe the bug
When a user is not authenticated and attempts to access a type/field protected by `[Authorize]`, they receive an `AUTH_NOT_AUTHORIZED` error instead of `AUTH_NOT_AUTHENTICATED`. This is in contradiction to the documentation, which indicates this should result in `AUTH_NOT_AUTHENTICATED`. We need to be able to differentiate between not authenticated and not authorized so we can have the client re-authenticate if necessary.
Steps to reproduce
`[Authorize]` on a type:
Relevant log output
No response
Additional Context?
No response
Version
13.1.0