chore: audit @apollo/server

enisdenjo · enisdenjo · commit bad53662d458 · 2022-11-08T10:57:45.000+01:00
diff --git a/.github/workflows/audits.yml b/.github/workflows/audits.yml
@@ -37,7 +37,7 @@ jobs:
           name: express-graphql-report
           path: README.md
 
-  apollo-server:
+  apollo-server_v4:
     runs-on: ubuntu-latest
     if: "!contains(github.event.head_commit.message, '[skip ci]')"
     env:
@@ -55,13 +55,40 @@ jobs:
       - name: Build
         run: yarn build:esm
       - name: Start
-        run: yarn workspace apollo-server start &
+        run: yarn workspace apollo-server_v4 start &
       - name: Audit
         run: node scripts/audit-implementation.mjs README.md
       - name: Upload report
         uses: actions/upload-artifact@v3
         with:
-          name: apollo-server-report
+          name: apollo-server_v4-report
+          path: README.md
+
+  apollo-server_v3:
+    runs-on: ubuntu-latest
+    if: "!contains(github.event.head_commit.message, '[skip ci]')"
+    env:
+      PORT: 4000
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Set up node
+        uses: actions/setup-node@v3
+        with:
+          node-version: 18
+          cache: yarn
+      - name: Install
+        run: yarn install --immutable
+      - name: Build
+        run: yarn build:esm
+      - name: Start
+        run: yarn workspace apollo-server_v3 start &
+      - name: Audit
+        run: node scripts/audit-implementation.mjs README.md
+      - name: Upload report
+        uses: actions/upload-artifact@v3
+        with:
+          name: apollo-server_v3-report
           path: README.md
 
   mercurius:
@@ -204,7 +231,8 @@ jobs:
     needs:
       [
         express-graphql,
-        apollo-server,
+        apollo-server_v4,
+        apollo-server_v3,
         mercurius,
         graphql-yoga,
         graphql-helix,
@@ -221,11 +249,16 @@ jobs:
         with:
           name: express-graphql-report
           path: implementations/express-graphql
-      - name: Download apollo-server report
+      - name: Download apollo-server_v3 report
+        uses: actions/download-artifact@v3
+        with:
+          name: apollo-server_v3-report
+          path: implementations/apollo-server_v3
+      - name: Download apollo-server_v4 report
         uses: actions/download-artifact@v3
         with:
-          name: apollo-server-report
-          path: implementations/apollo-server
+          name: 'apollo-server_v4-report'
+          path: implementations/apollo-server_v4
       - name: Download mercurius report
         uses: actions/download-artifact@v3
         with:
diff --git a/README.md b/README.md
@@ -729,12 +729,13 @@ Having said this, graphql-http is mostly aimed for library authors and simple se
 
 If you want a feature-full server with bleeding edge technologies, you're recommended to use one of the following.
 
-| Name                                                           | Audit                                                              |
-| -------------------------------------------------------------- | ------------------------------------------------------------------ |
-| [graphql-yoga](https://www.the-guild.dev/graphql/yoga-server)  | [✅ Fully compliant](/implementations/graphql-yoga/README.md)      |
-| [apollo-server](https://www.the-guild.dev/graphql/yoga-server) | [✅ Partially compliant](/implementations/apollo-server/README.md) |
-| [mercurius](https://mercurius.dev)                             | [✅ Partially compliant](/implementations/mercurius/README.md)     |
-| [graphql-helix](https://www.graphql-helix.com/)                | [✅ Partially compliant](/implementations/graphql-helix/README.md) |
+| Name                                                                    | Audit                                                                 |
+| ----------------------------------------------------------------------- | --------------------------------------------------------------------- |
+| [graphql-yoga](https://www.the-guild.dev/graphql/yoga-server)           | [✅ Fully compliant](/implementations/graphql-yoga/README.md)         |
+| [apollo-server_v3](https://www.apollographql.com/docs/apollo-server/v3) | [✅ Partially compliant](/implementations/apollo-server_v3/README.md) |
+| [mercurius](https://mercurius.dev)                                      | [✅ Partially compliant](/implementations/mercurius/README.md)        |
+| [graphql-helix](https://www.graphql-helix.com/)                         | [✅ Partially compliant](/implementations/graphql-helix/README.md)    |
+| [apollo-server_v4](https://www.apollographql.com/docs/apollo-server/)   | [⚠️ Not compliant](/implementations/apollo-server_v4/README.md)       |
 
 ## [Documentation](docs/)
 
diff --git a/implementations/apollo-server_v3/README.md b/implementations/apollo-server_v3/README.md
diff --git a/implementations/apollo-server_v3/index.mjs b/implementations/apollo-server_v3/index.mjs
diff --git a/implementations/apollo-server_v3/package.json b/implementations/apollo-server_v3/package.json
@@ -1,6 +1,6 @@
 {
   "private": true,
-  "name": "apollo-server",
+  "name": "apollo-server_v3",
   "packageManager": "yarn@3.2.3",
   "main": "index.mjs",
   "scripts": {
diff --git a/implementations/apollo-server_v4/README.md b/implementations/apollo-server_v4/README.md
@@ -0,0 +1,173 @@
+_* This report was auto-generated by graphql-http_
+
+# GraphQL over HTTP audit report
+
+- **73** audits in total
+- ✅ **44** pass
+- ⚠️ **29** warnings (optional)
+
+## Passing
+1. MUST accept application/json and match the content-type
+2. MUST use utf-8 encoding when responding
+3. MUST accept utf-8 encoding
+4. MUST assume utf-8 if encoding is unspecified
+5. MUST accept POST requests
+6. MAY accept application/x-www-form-urlencoded formatted GET requests
+7. MUST NOT allow executing mutations on GET requests
+8. SHOULD respond with 4xx status code if content-type is not supplied on POST requests
+9. MUST accept application/json POST requests
+10. MUST require a request body on POST
+11. SHOULD use 400 status code on missing {query} parameter when accepting application/graphql-response+json
+12. SHOULD use 400 status code on object {query} parameter when accepting application/graphql-response+json
+13. SHOULD use 400 status code on number {query} parameter when accepting application/graphql-response+json
+14. SHOULD use 400 status code on boolean {query} parameter when accepting application/graphql-response+json
+15. SHOULD use 400 status code on array {query} parameter when accepting application/graphql-response+json
+16. SHOULD allow string {query} parameter when accepting application/graphql-response+json
+17. MUST allow string {query} parameter when accepting application/json
+18. SHOULD use 400 status code on object {operationName} parameter when accepting application/graphql-response+json
+19. SHOULD use 400 status code on number {operationName} parameter when accepting application/graphql-response+json
+20. SHOULD use 400 status code on boolean {operationName} parameter when accepting application/graphql-response+json
+21. SHOULD use 400 status code on array {operationName} parameter when accepting application/graphql-response+json
+22. SHOULD allow string {operationName} parameter when accepting application/graphql-response+json
+23. MUST allow string {operationName} parameter when accepting application/json
+24. SHOULD use 400 status code on string {variables} parameter when accepting application/graphql-response+json
+25. SHOULD use 400 status code on number {variables} parameter when accepting application/graphql-response+json
+26. SHOULD use 400 status code on boolean {variables} parameter when accepting application/graphql-response+json
+27. SHOULD allow map {variables} parameter when accepting application/graphql-response+json
+28. MUST allow map {variables} parameter when accepting application/json
+29. SHOULD allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json
+30. MUST allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json
+31. SHOULD use 400 status code on string {extensions} parameter when accepting application/graphql-response+json
+32. SHOULD allow map {extensions} parameter when accepting application/graphql-response+json
+33. MUST allow map {extensions} parameter when accepting application/json
+34. SHOULD use 4xx or 5xx status codes on JSON parsing failure when accepting application/graphql-response+json
+35. SHOULD use 400 status code on JSON parsing failure when accepting application/graphql-response+json
+36. SHOULD use 4xx or 5xx status codes if parameters are invalid when accepting application/graphql-response+json
+37. SHOULD use 400 status code if parameters are invalid when accepting application/graphql-response+json
+38. SHOULD not contain the data entry if parameters are invalid when accepting application/graphql-response+json
+39. SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json
+40. SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json
+41. SHOULD not contain the data entry on document parsing failure when accepting application/graphql-response+json
+42. SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json
+43. SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json
+44. SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json
+
+## Warnings
+The server _SHOULD_ support these, but is not required.
+1. SHOULD accept application/graphql-response+json and match the content-type<br />
+```
+Content-Type header "application/json; charset=utf-8" does not contain "application/graphql-response+json"
+```
+2. SHOULD accept \*/\* and use application/graphql-response+json for the content-type<br />
+```
+Content-Type header "application/json; charset=utf-8" does not contain "application/graphql-response+json"
+```
+3. SHOULD assume application/graphql-response+json content-type when accept is missing<br />
+```
+Content-Type header "application/json; charset=utf-8" does not contain "application/graphql-response+json"
+```
+4. SHOULD use 200 status code with errors field on missing {query} parameter when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+5. SHOULD use 200 status code with errors field on object {query} parameter when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+6. SHOULD use 200 status code with errors field on number {query} parameter when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+7. SHOULD use 200 status code with errors field on boolean {query} parameter when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+8. SHOULD use 200 status code with errors field on array {query} parameter when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+9. SHOULD use 200 status code with errors field on object {operationName} parameter when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+10. SHOULD use 200 status code with errors field on number {operationName} parameter when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+11. SHOULD use 200 status code with errors field on boolean {operationName} parameter when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+12. SHOULD use 200 status code with errors field on array {operationName} parameter when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+13. SHOULD use 400 status code on array {variables} parameter when accepting application/graphql-response+json<br />
+```
+Status code 200 is not 400
+```
+14. SHOULD use 200 status code with errors field on string {variables} parameter when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+15. SHOULD use 200 status code with errors field on number {variables} parameter when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+16. SHOULD use 200 status code with errors field on boolean {variables} parameter when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+17. SHOULD use 200 status code with errors field on array {variables} parameter when accepting application/json<br />
+```
+Execution result {"data":{"__typename":"Query"}} does not have a property 'errors'
+```
+18. SHOULD use 400 status code on number {extensions} parameter when accepting application/graphql-response+json<br />
+```
+Status code 200 is not 400
+```
+19. SHOULD use 400 status code on boolean {extensions} parameter when accepting application/graphql-response+json<br />
+```
+Status code 200 is not 400
+```
+20. SHOULD use 400 status code on array {extensions} parameter when accepting application/graphql-response+json<br />
+```
+Status code 200 is not 400
+```
+21. SHOULD use 200 status code with errors field on string {extensions} parameter when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+22. SHOULD use 200 status code with errors field on number {extensions} parameter when accepting application/json<br />
+```
+Execution result {"data":{"__typename":"Query"}} does not have a property 'errors'
+```
+23. SHOULD use 200 status code with errors field on boolean {extensions} parameter when accepting application/json<br />
+```
+Execution result {"data":{"__typename":"Query"}} does not have a property 'errors'
+```
+24. SHOULD use 200 status code with errors field on array {extensions} parameter when accepting application/json<br />
+```
+Execution result {"data":{"__typename":"Query"}} does not have a property 'errors'
+```
+25. SHOULD use 200 status code on JSON parsing failure when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+26. SHOULD use 200 status code if parameters are invalid when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+27. SHOULD use 200 status code on document parsing failure when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+28. SHOULD use 200 status code on document validation failure when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+29. SHOULD not contain the data entry on JSON parsing failure when accepting application/graphql-response+json<br />
+```
+Response body is not valid JSON. Got "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>SyntaxError: Unexpected end of JSON input<br> &nbsp; &nbsp;at JSON.parse (&lt;anonymous&gt;)<br> &nbsp; &nbsp;at parse (/home/runner/work/graphql-http/graphql-http/node_modules/body-parser/lib/types/json.js:89:19)<br> &nbsp; &nbsp;at /home/runner/work/graphql-http/graphql-http/node_modules/body-parser/lib/read.js:128:18<br> &nbsp; &nbsp;at AsyncResource.runInAsyncScope (node:async_hooks:203:9)<br> &nbsp; &nbsp;at invokeCallback (/home/runner/work/graphql-http/graphql-http/node_modules/raw-body/index.js:231:16)<br> &nbsp; &nbsp;at done (/home/runner/work/graphql-http/graphql-http/node_modules/raw-body/index.js:220:7)<br> &nbsp; &nbsp;at IncomingMessage.onEnd (/home/runner/work/graphql-http/graphql-http/node_modules/raw-body/index.js:280:7)<br> &nbsp; &nbsp;at IncomingMessage.emit (node:events:513:28)<br> &nbsp; &nbsp;at endReadableNT (node:internal/streams/rea...
+```
+
diff --git a/implementations/apollo-server_v4/index.mjs b/implementations/apollo-server_v4/index.mjs
@@ -0,0 +1,23 @@
+// @ts-check
+
+import { GraphQLSchema, GraphQLString, GraphQLObjectType } from 'graphql';
+import { ApolloServer } from '@apollo/server';
+import { startStandaloneServer } from '@apollo/server/standalone';
+
+const schema = new GraphQLSchema({
+  query: new GraphQLObjectType({
+    name: 'Query',
+    fields: {
+      _: {
+        type: GraphQLString,
+        resolve: () => '_',
+      },
+    },
+  }),
+});
+
+const server = new ApolloServer({ schema });
+
+startStandaloneServer(server, {
+  listen: { port: parseInt(process.env.PORT || '0') },
+});
diff --git a/implementations/apollo-server_v4/package.json b/implementations/apollo-server_v4/package.json
@@ -0,0 +1,13 @@
+{
+  "private": true,
+  "name": "apollo-server_v4",
+  "packageManager": "yarn@3.2.3",
+  "main": "index.mjs",
+  "scripts": {
+    "start": "node ."
+  },
+  "dependencies": {
+    "@apollo/server": "^4.1.1",
+    "graphql": "^16.6.0"
+  }
+}
diff --git a/package.json b/package.json
@@ -82,7 +82,7 @@
     "release": "semantic-release"
   },
   "workspaces": [
-    "implementations/*"
+    "implementations/**/*"
   ],
   "peerDependencies": {
     "graphql": ">=0.11 <=16"
diff --git a/yarn.lock b/yarn.lock

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"private": true,`
`3`		`- "name": "apollo-server",`
	`3`	`+ "name": "apollo-server_v3",`
`4`	`4`	`"packageManager": "[email protected]",`
`5`	`5`	`"main": "index.mjs",`
`6`	`6`	`"scripts": {`