Failed authorization throws Http 500 about auth HOT 12 CLOSED

Can you create a small example to reproduce? Thanks

from auth.

Ciao Matteo,
here you are my minimum reproducible repo
https://github.com/artecoop/mercurius-auth-issue

toggle @auth(requires: administrator) inside src/modules/business/schema.ts to view the error.

I've tested it with postman

Note: cert keys are throwaway so don't worry

from auth.

I think you might want to control the statusCode for the response. If you do not set it it's 500.

const err = new mercurius.ErrorWithProps('UNAUTHORIZED');
err.statusCode = 200
throw err

I think we might want to add an optional statusCode property in https://github.com/mercurius-js/mercurius/blob/b671de31178395ea53f2ea39c19cc3f8d80be8eb/lib/errors.js#L7 to better control this.

from auth.

We should probably document this somewhere. Would you like to send a PR?

from auth.

I saw you merged my changes into the docs and they're now live. However, the changes it refers are not yet released in mercurius...

from auth.

Why do you say so? I'm pretty sure it should work as expected.

from auth.

Because if I use

const err = new mercurius.ErrorWithProps('UNAUTHORIZED');
err.statusCode = 200
throw err

it throws Property 'statusCode' does not exist on type 'ErrorWithProps'

Both js and typedefs in fact does not reference any statusCode property (and the base class Error does not have one)

from auth.

I saw you guys published [email protected] that brings what discussed here.
However, my code still returns 500 as http status

 app.register(mercuriusAuth, {
            authContext(context) {
                return {
                    authorization: context.reply.request.headers.authorization
                };
            },
            async applyPolicy(authDirectiveAST, _parent, _args, context) {
                if (!context.auth?.authorization) {
                    const err = new mercurius.ErrorWithProps('UNAUTHENTICATED');
                    err.statusCode = 200
                    throw err
                }

                const { roles } = context.app.jwt.verify(context.auth.authorization);

                if (authDirectiveAST.arguments && authDirectiveAST.arguments.length > 0) {
                    const role = authDirectiveAST.arguments[0].value as EnumValueNode;
                    return roles.includes(role.value);
                }

                const err = new mercurius.ErrorWithProps('UNAUTHORIZED');
                err.statusCode = 200
                throw err
            },
            authDirective: 'auth'
        });

Is worth nothing to say that using

throw new mercurius.ErrorWithProps('UNAUTHORIZED', undefined, 200);

does not change the result.

"fastify": "3.22.0"
"fastify-jwt": "3.1.0"
"mercurius": "8.6.0"
"mercurius-auth": "1.2.1"

from auth.

Will take a look this evening!

from auth.

@artecoop the work to fix this has been merged and released in mercurius v9.0.0, can you confirm that it is working as expected? mercurius-js/mercurius#599

from auth.

@jonnydgreen yes, i can confim it work as expected now. Sorry for being late to answer. I'll close this issue as resolved

from auth.

no worries at all! And thanks

from auth.