fix(audits/server): Status code for mutations through GET should be between 400 and 499 (#19)

enisdenjo · github-actions[bot] · web-flow · commit 1021494a17e2 · 2022-11-15T10:54:56.000+01:00
Co-authored-by: github-actions[bot] &lt;41898282+github-actions[bot]@users.noreply.github.com&gt;
diff --git a/implementations/apollo-server/README.md b/implementations/apollo-server/README.md
@@ -3,8 +3,8 @@ _* This report was auto-generated by graphql-http_
 # GraphQL over HTTP audit report
 
 - **73** audits in total
-- ✅ **35** pass
-- ⚠️ **38** warnings (optional)
+- ✅ **36** pass
+- ⚠️ **37** warnings (optional)
 
 ## Passing
 1. SHOULD accept application/graphql-response+json and match the content-type
@@ -13,35 +13,36 @@ _* This report was auto-generated by graphql-http_
 4. MUST accept utf-8 encoding
 5. MUST assume utf-8 if encoding is unspecified
 6. MUST accept POST requests
-7. SHOULD respond with 4xx status code if content-type is not supplied on POST requests
-8. MUST accept application/json POST requests
-9. MUST require a request body on POST
-10. SHOULD use 400 status code on missing {query} parameter when accepting application/graphql-response+json
-11. SHOULD use 400 status code on object {query} parameter when accepting application/graphql-response+json
-12. SHOULD use 400 status code on number {query} parameter when accepting application/graphql-response+json
-13. SHOULD use 400 status code on boolean {query} parameter when accepting application/graphql-response+json
-14. SHOULD use 400 status code on array {query} parameter when accepting application/graphql-response+json
-15. SHOULD allow string {query} parameter when accepting application/graphql-response+json
-16. MUST allow string {query} parameter when accepting application/json
-17. SHOULD allow string {operationName} parameter when accepting application/graphql-response+json
-18. MUST allow string {operationName} parameter when accepting application/json
-19. SHOULD use 400 status code on string {variables} parameter when accepting application/graphql-response+json
-20. SHOULD allow map {variables} parameter when accepting application/graphql-response+json
-21. MUST allow map {variables} parameter when accepting application/json
-22. SHOULD use 400 status code on string {extensions} parameter when accepting application/graphql-response+json
-23. SHOULD allow map {extensions} parameter when accepting application/graphql-response+json
-24. MUST allow map {extensions} parameter when accepting application/json
-25. SHOULD use 4xx or 5xx status codes on JSON parsing failure when accepting application/graphql-response+json
-26. SHOULD use 400 status code on JSON parsing failure when accepting application/graphql-response+json
-27. SHOULD use 4xx or 5xx status codes if parameters are invalid when accepting application/graphql-response+json
-28. SHOULD use 400 status code if parameters are invalid when accepting application/graphql-response+json
-29. SHOULD not contain the data entry if parameters are invalid when accepting application/graphql-response+json
-30. SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json
-31. SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json
-32. SHOULD not contain the data entry on document parsing failure when accepting application/graphql-response+json
-33. SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json
-34. SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json
-35. SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json
+7. MAY NOT allow executing mutations on GET requests
+8. SHOULD respond with 4xx status code if content-type is not supplied on POST requests
+9. MUST accept application/json POST requests
+10. MUST require a request body on POST
+11. SHOULD use 400 status code on missing {query} parameter when accepting application/graphql-response+json
+12. SHOULD use 400 status code on object {query} parameter when accepting application/graphql-response+json
+13. SHOULD use 400 status code on number {query} parameter when accepting application/graphql-response+json
+14. SHOULD use 400 status code on boolean {query} parameter when accepting application/graphql-response+json
+15. SHOULD use 400 status code on array {query} parameter when accepting application/graphql-response+json
+16. SHOULD allow string {query} parameter when accepting application/graphql-response+json
+17. MUST allow string {query} parameter when accepting application/json
+18. SHOULD allow string {operationName} parameter when accepting application/graphql-response+json
+19. MUST allow string {operationName} parameter when accepting application/json
+20. SHOULD use 400 status code on string {variables} parameter when accepting application/graphql-response+json
+21. SHOULD allow map {variables} parameter when accepting application/graphql-response+json
+22. MUST allow map {variables} parameter when accepting application/json
+23. SHOULD use 400 status code on string {extensions} parameter when accepting application/graphql-response+json
+24. SHOULD allow map {extensions} parameter when accepting application/graphql-response+json
+25. MUST allow map {extensions} parameter when accepting application/json
+26. SHOULD use 4xx or 5xx status codes on JSON parsing failure when accepting application/graphql-response+json
+27. SHOULD use 400 status code on JSON parsing failure when accepting application/graphql-response+json
+28. SHOULD use 4xx or 5xx status codes if parameters are invalid when accepting application/graphql-response+json
+29. SHOULD use 400 status code if parameters are invalid when accepting application/graphql-response+json
+30. SHOULD not contain the data entry if parameters are invalid when accepting application/graphql-response+json
+31. SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json
+32. SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json
+33. SHOULD not contain the data entry on document parsing failure when accepting application/graphql-response+json
+34. SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json
+35. SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json
+36. SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json
 
 ## Warnings
 The server _SHOULD_ support these, but is not required.
@@ -57,143 +58,139 @@ Content-Type header "application/json; charset=utf-8" does not contain "applicat
 ```
 Status code 400 is not 200
 ```
-4. MAY NOT allow executing mutations on GET requests<br />
-```
-Status code 400 is not 405
-```
-5. SHOULD use 200 status code with errors field on missing {query} parameter when accepting application/json<br />
+4. SHOULD use 200 status code with errors field on missing {query} parameter when accepting application/json<br />
 ```
 Status code 400 is not 200
 ```
-6. SHOULD use 200 status code with errors field on object {query} parameter when accepting application/json<br />
+5. SHOULD use 200 status code with errors field on object {query} parameter when accepting application/json<br />
 ```
 Status code 400 is not 200
 ```
-7. SHOULD use 200 status code with errors field on number {query} parameter when accepting application/json<br />
+6. SHOULD use 200 status code with errors field on number {query} parameter when accepting application/json<br />
 ```
 Status code 400 is not 200
 ```
-8. SHOULD use 200 status code with errors field on boolean {query} parameter when accepting application/json<br />
+7. SHOULD use 200 status code with errors field on boolean {query} parameter when accepting application/json<br />
 ```
 Status code 400 is not 200
 ```
-9. SHOULD use 200 status code with errors field on array {query} parameter when accepting application/json<br />
+8. SHOULD use 200 status code with errors field on array {query} parameter when accepting application/json<br />
 ```
 Status code 400 is not 200
 ```
-10. SHOULD use 400 status code on object {operationName} parameter when accepting application/graphql-response+json<br />
+9. SHOULD use 400 status code on object {operationName} parameter when accepting application/graphql-response+json<br />
 ```
 Status code 200 is not 400
 ```
-11. SHOULD use 400 status code on number {operationName} parameter when accepting application/graphql-response+json<br />
+10. SHOULD use 400 status code on number {operationName} parameter when accepting application/graphql-response+json<br />
 ```
 Status code 200 is not 400
 ```
-12. SHOULD use 400 status code on boolean {operationName} parameter when accepting application/graphql-response+json<br />
+11. SHOULD use 400 status code on boolean {operationName} parameter when accepting application/graphql-response+json<br />
 ```
 Status code 200 is not 400
 ```
-13. SHOULD use 400 status code on array {operationName} parameter when accepting application/graphql-response+json<br />
+12. SHOULD use 400 status code on array {operationName} parameter when accepting application/graphql-response+json<br />
 ```
 Status code 200 is not 400
 ```
-14. SHOULD use 200 status code with errors field on object {operationName} parameter when accepting application/json<br />
+13. SHOULD use 200 status code with errors field on object {operationName} parameter when accepting application/json<br />
 ```
 Execution result {"data":{"__typename":"Query"}} does not have a property 'errors'
 ```
-15. SHOULD use 200 status code with errors field on number {operationName} parameter when accepting application/json<br />
+14. SHOULD use 200 status code with errors field on number {operationName} parameter when accepting application/json<br />
 ```
 Execution result {"data":{"__typename":"Query"}} does not have a property 'errors'
 ```
-16. SHOULD use 200 status code with errors field on boolean {operationName} parameter when accepting application/json<br />
+15. SHOULD use 200 status code with errors field on boolean {operationName} parameter when accepting application/json<br />
 ```
 Execution result {"data":{"__typename":"Query"}} does not have a property 'errors'
 ```
-17. SHOULD use 200 status code with errors field on array {operationName} parameter when accepting application/json<br />
+16. SHOULD use 200 status code with errors field on array {operationName} parameter when accepting application/json<br />
 ```
 Execution result {"data":{"__typename":"Query"}} does not have a property 'errors'
 ```
-18. SHOULD use 400 status code on number {variables} parameter when accepting application/graphql-response+json<br />
+17. SHOULD use 400 status code on number {variables} parameter when accepting application/graphql-response+json<br />
 ```
 Status code 200 is not 400
 ```
-19. SHOULD use 400 status code on boolean {variables} parameter when accepting application/graphql-response+json<br />
+18. SHOULD use 400 status code on boolean {variables} parameter when accepting application/graphql-response+json<br />
 ```
 Status code 200 is not 400
 ```
-20. SHOULD use 400 status code on array {variables} parameter when accepting application/graphql-response+json<br />
+19. SHOULD use 400 status code on array {variables} parameter when accepting application/graphql-response+json<br />
 ```
 Status code 200 is not 400
 ```
-21. SHOULD use 200 status code with errors field on string {variables} parameter when accepting application/json<br />
+20. SHOULD use 200 status code with errors field on string {variables} parameter when accepting application/json<br />
 ```
 Status code 400 is not 200
 ```
-22. SHOULD use 200 status code with errors field on number {variables} parameter when accepting application/json<br />
+21. SHOULD use 200 status code with errors field on number {variables} parameter when accepting application/json<br />
 ```
 Execution result {"data":{"__typename":"Query"}} does not have a property 'errors'
 ```
-23. SHOULD use 200 status code with errors field on boolean {variables} parameter when accepting application/json<br />
+22. SHOULD use 200 status code with errors field on boolean {variables} parameter when accepting application/json<br />
 ```
 Execution result {"data":{"__typename":"Query"}} does not have a property 'errors'
 ```
-24. SHOULD use 200 status code with errors field on array {variables} parameter when accepting application/json<br />
+23. SHOULD use 200 status code with errors field on array {variables} parameter when accepting application/json<br />
 ```
 Execution result {"data":{"__typename":"Query"}} does not have a property 'errors'
 ```
-25. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json<br />
+24. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json<br />
 ```
 Status code 400 is not 200
 ```
-26. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json<br />
+25. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json<br />
 ```
 Status code 400 is not 200
 ```
-27. SHOULD use 400 status code on number {extensions} parameter when accepting application/graphql-response+json<br />
+26. SHOULD use 400 status code on number {extensions} parameter when accepting application/graphql-response+json<br />
 ```
 Status code 200 is not 400
 ```
-28. SHOULD use 400 status code on boolean {extensions} parameter when accepting application/graphql-response+json<br />
+27. SHOULD use 400 status code on boolean {extensions} parameter when accepting application/graphql-response+json<br />
 ```
 Status code 200 is not 400
 ```
-29. SHOULD use 400 status code on array {extensions} parameter when accepting application/graphql-response+json<br />
+28. SHOULD use 400 status code on array {extensions} parameter when accepting application/graphql-response+json<br />
 ```
 Status code 200 is not 400
 ```
-30. SHOULD use 200 status code with errors field on string {extensions} parameter when accepting application/json<br />
+29. SHOULD use 200 status code with errors field on string {extensions} parameter when accepting application/json<br />
 ```
 Status code 400 is not 200
 ```
-31. SHOULD use 200 status code with errors field on number {extensions} parameter when accepting application/json<br />
+30. SHOULD use 200 status code with errors field on number {extensions} parameter when accepting application/json<br />
 ```
 Execution result {"data":{"__typename":"Query"}} does not have a property 'errors'
 ```
-32. SHOULD use 200 status code with errors field on boolean {extensions} parameter when accepting application/json<br />
+31. SHOULD use 200 status code with errors field on boolean {extensions} parameter when accepting application/json<br />
 ```
 Execution result {"data":{"__typename":"Query"}} does not have a property 'errors'
 ```
-33. SHOULD use 200 status code with errors field on array {extensions} parameter when accepting application/json<br />
+32. SHOULD use 200 status code with errors field on array {extensions} parameter when accepting application/json<br />
 ```
 Execution result {"data":{"__typename":"Query"}} does not have a property 'errors'
 ```
-34. SHOULD use 200 status code on JSON parsing failure when accepting application/json<br />
+33. SHOULD use 200 status code on JSON parsing failure when accepting application/json<br />
 ```
 Status code 400 is not 200
 ```
-35. SHOULD use 200 status code if parameters are invalid when accepting application/json<br />
+34. SHOULD use 200 status code if parameters are invalid when accepting application/json<br />
 ```
 Status code 400 is not 200
 ```
-36. SHOULD use 200 status code on document parsing failure when accepting application/json<br />
+35. SHOULD use 200 status code on document parsing failure when accepting application/json<br />
 ```
 Status code 400 is not 200
 ```
-37. SHOULD use 200 status code on document validation failure when accepting application/json<br />
+36. SHOULD use 200 status code on document validation failure when accepting application/json<br />
 ```
 Status code 400 is not 200
 ```
-38. SHOULD not contain the data entry on JSON parsing failure when accepting application/graphql-response+json<br />
+37. SHOULD not contain the data entry on JSON parsing failure when accepting application/graphql-response+json<br />
 ```
 Response body is not valid JSON. Got "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>SyntaxError: Unexpected end of JSON input<br> &nbsp; &nbsp;at JSON.parse (&lt;anonymous&gt;)<br> &nbsp; &nbsp;at parse (/home/runner/work/graphql-http/graphql-http/node_modules/body-parser/lib/types/json.js:89:19)<br> &nbsp; &nbsp;at /home/runner/work/graphql-http/graphql-http/node_modules/body-parser/lib/read.js:128:18<br> &nbsp; &nbsp;at AsyncResource.runInAsyncScope (node:async_hooks:203:9)<br> &nbsp; &nbsp;at invokeCallback (/home/runner/work/graphql-http/graphql-http/node_modules/raw-body/index.js:231:16)<br> &nbsp; &nbsp;at done (/home/runner/work/graphql-http/graphql-http/node_modules/raw-body/index.js:220:7)<br> &nbsp; &nbsp;at IncomingMessage.onEnd (/home/runner/work/graphql-http/graphql-http/node_modules/raw-body/index.js:280:7)<br> &nbsp; &nbsp;at IncomingMessage.emit (node:events:513:28)<br> &nbsp; &nbsp;at endReadableNT (node:internal/streams/rea...
 ```
diff --git a/implementations/thegraph/README.md b/implementations/thegraph/README.md
@@ -32,7 +32,7 @@ Status code 404 is not 200
 ```
 4. MAY NOT allow executing mutations on GET requests<br />
 ```
-Status code 200 is not 405
+Status code 200 is not greater than or equal to 400
 ```
 5. SHOULD use 400 status code on missing {query} parameter when accepting application/graphql-response+json<br />
 ```
diff --git a/src/audits/server.ts b/src/audits/server.ts
@@ -211,7 +211,8 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
           accept: 'application/graphql-response+json',
         },
       });
-      assert('Status code', res.status).toBe(405);
+      assert('Status code', res.status).toBeGreaterThanOrEqual(400);
+      assert('Status code', res.status).toBeLessThanOrEqual(499);
     }),
     // Request POST
     audit(
