feat(audit): graphql-response+json parsing failure handling

DoctorJohn · DoctorJohn · commit caffcae3be75 · 2025-06-25T18:59:43.000+02:00
Relevant section: 6.4.2 application/graphql-response+json https://graphql.github.io/graphql-over-http/draft/#sel-FANNNRCAACENz5F https://graphql.github.io/graphql-over-http/draft/#sel-HANNNXFFCAACCP8kC
diff --git a/src/audits/server.ts b/src/audits/server.ts
@@ -586,6 +586,21 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
         ressert(res).status.toBe(400);
       },
     ),
+    audit(
+      'B7N8',
+      'SHOULD use 400 status code on JSON parsing failure when accepting application/graphql-response+json',
+      async () => {
+        const res = await fetchFn(await getUrl(opts.url), {
+          method: 'POST',
+          headers: {
+            'content-type': 'application/json',
+            accept: 'application/graphql-response+json',
+          },
+          body: '{ "not a JSON',
+        });
+        ressert(res).status.toBe(400);
+      },
+    ),
     audit(
       '8764',
       'MAY use 4xx or 5xx status codes if parameters are invalid',
diff --git a/tests/__snapshots__/audits.test.ts.snap b/tests/__snapshots__/audits.test.ts.snap
@@ -194,6 +194,10 @@ exports[`should not change globally unique audit ids 1`] = `
     "id": "BCF8",
     "name": "MAY use 400 status code on JSON parsing failure",
   },
+  {
+    "id": "B7N8",
+    "name": "SHOULD use 400 status code on JSON parsing failure when accepting application/graphql-response+json",
+  },
   {
     "id": "8764",
     "name": "MAY use 4xx or 5xx status codes if parameters are invalid",
