chore: audit PostGraphile (#22)

enisdenjo · github-actions[bot] · web-flow · commit e1f21d0fd251 · 2022-11-15T14:55:38.000+01:00
Co-authored-by: github-actions[bot] &lt;41898282+github-actions[bot]@users.noreply.github.com&gt;
diff --git a/.github/workflows/audits.yml b/.github/workflows/audits.yml
@@ -225,6 +225,34 @@ jobs:
           name: hotchocolate-report
           path: README.md
 
+  postgraphile:
+    runs-on: ubuntu-latest
+    if: "!contains(github.event.head_commit.message, '[skip ci]')"
+    env:
+      PORT: 4000
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Set up node
+        uses: actions/setup-node@v3
+        with:
+          node-version: 18
+          cache: yarn
+      - name: Install
+        run: yarn install --immutable
+      - name: Build
+        run: yarn build:esm
+      - name: Start
+        run: yarn workspace postgraphile start -d --wait
+      # TODO: cache docker build artifacts
+      - name: Audit
+        run: node scripts/audit-implementation.mjs README.md
+      - name: Upload report
+        uses: actions/upload-artifact@v3
+        with:
+          name: postgraphile-report
+          path: README.md
+
   report:
     name: Report
     runs-on: ubuntu-latest
@@ -239,6 +267,7 @@ jobs:
         graph-client,
         thegraph,
         hotchocolate,
+        postgraphile,
       ]
     steps:
       - name: Checkout
@@ -285,6 +314,11 @@ jobs:
         with:
           name: hotchocolate-report
           path: implementations/hotchocolate
+      - name: Download postgraphile report
+        uses: actions/download-artifact@v3
+        with:
+          name: postgraphile-report
+          path: implementations/postgraphile
       - name: Commit
         run: |
           git config user.name "github-actions[bot]"
diff --git a/README.md b/README.md
@@ -733,6 +733,7 @@ If you want a feature-full server with bleeding edge technologies, you're recomm
 | ------------------------------------------------------------------ | -------------------------------------------------------------------- |
 | [graphql-yoga](https://www.the-guild.dev/graphql/yoga-server)      | [✅ Compliant (0 warnings)](/implementations/graphql-yoga/README.md) |
 | [hotchocolate](https://chillicream.com/docs/hotchocolate)          | [✅ Compliant (0 warnings)](/implementations/hotchocolate/README.md) |
+| [postgraphile](https://www.graphile.org/postgraphile/)             | [✅ Compliant](/implementations/postgraphile/README.md)              |
 | [apollo-server](https://www.apollographql.com/docs/apollo-server/) | [✅ Compliant](/implementations/apollo-server/README.md)             |
 | [mercurius](https://mercurius.dev)                                 | [✅ Compliant](/implementations/mercurius/README.md)                 |
 
diff --git a/implementations/postgraphile/Dockerfile b/implementations/postgraphile/Dockerfile
@@ -0,0 +1,3 @@
+FROM node:18
+
+RUN npm install -g postgraphile@4
diff --git a/implementations/postgraphile/README.md b/implementations/postgraphile/README.md
@@ -0,0 +1,188 @@
+_* This report was auto-generated by graphql-http_
+
+# GraphQL over HTTP audit report
+
+- **73** audits in total
+- ✅ **39** pass
+- ⚠️ **34** warnings (optional)
+
+## Passing
+1. MUST accept application/json and match the content-type
+2. MUST use utf-8 encoding when responding
+3. MUST accept utf-8 encoding
+4. MUST assume utf-8 if encoding is unspecified
+5. MUST accept POST requests
+6. MAY NOT allow executing mutations on GET requests
+7. SHOULD respond with 4xx status code if content-type is not supplied on POST requests
+8. MUST accept application/json POST requests
+9. MUST require a request body on POST
+10. SHOULD use 400 status code on missing {query} parameter when accepting application/graphql-response+json
+11. SHOULD use 400 status code on number {query} parameter when accepting application/graphql-response+json
+12. SHOULD use 400 status code on boolean {query} parameter when accepting application/graphql-response+json
+13. SHOULD allow string {query} parameter when accepting application/graphql-response+json
+14. MUST allow string {query} parameter when accepting application/json
+15. SHOULD use 400 status code on object {operationName} parameter when accepting application/graphql-response+json
+16. SHOULD use 400 status code on number {operationName} parameter when accepting application/graphql-response+json
+17. SHOULD use 400 status code on boolean {operationName} parameter when accepting application/graphql-response+json
+18. SHOULD use 400 status code on array {operationName} parameter when accepting application/graphql-response+json
+19. SHOULD allow string {operationName} parameter when accepting application/graphql-response+json
+20. MUST allow string {operationName} parameter when accepting application/json
+21. SHOULD use 400 status code on string {variables} parameter when accepting application/graphql-response+json
+22. SHOULD use 400 status code on number {variables} parameter when accepting application/graphql-response+json
+23. SHOULD use 400 status code on boolean {variables} parameter when accepting application/graphql-response+json
+24. SHOULD allow map {variables} parameter when accepting application/graphql-response+json
+25. MUST allow map {variables} parameter when accepting application/json
+26. SHOULD allow map {extensions} parameter when accepting application/graphql-response+json
+27. MUST allow map {extensions} parameter when accepting application/json
+28. SHOULD use 4xx or 5xx status codes on JSON parsing failure when accepting application/graphql-response+json
+29. SHOULD use 400 status code on JSON parsing failure when accepting application/graphql-response+json
+30. SHOULD not contain the data entry on JSON parsing failure when accepting application/graphql-response+json
+31. SHOULD use 4xx or 5xx status codes if parameters are invalid when accepting application/graphql-response+json
+32. SHOULD use 400 status code if parameters are invalid when accepting application/graphql-response+json
+33. SHOULD not contain the data entry if parameters are invalid when accepting application/graphql-response+json
+34. SHOULD use 4xx or 5xx status codes on document parsing failure when accepting application/graphql-response+json
+35. SHOULD use 400 status code on document parsing failure when accepting application/graphql-response+json
+36. SHOULD not contain the data entry on document parsing failure when accepting application/graphql-response+json
+37. SHOULD use 4xx or 5xx status codes on document validation failure when accepting application/graphql-response+json
+38. SHOULD use 400 status code on document validation failure when accepting application/graphql-response+json
+39. SHOULD not contain the data entry on document validation failure when accepting application/graphql-response+json
+
+## Warnings
+The server _SHOULD_ support these, but is not required.
+1. SHOULD accept application/graphql-response+json and match the content-type<br />
+```
+Content-Type header "application/json; charset=utf-8" does not contain "application/graphql-response+json"
+```
+2. SHOULD accept \*/\* and use application/graphql-response+json for the content-type<br />
+```
+Content-Type header "application/json; charset=utf-8" does not contain "application/graphql-response+json"
+```
+3. SHOULD assume application/graphql-response+json content-type when accept is missing<br />
+```
+Content-Type header "application/json; charset=utf-8" does not contain "application/graphql-response+json"
+```
+4. MAY accept application/x-www-form-urlencoded formatted GET requests<br />
+```
+Status code 405 is not 200
+```
+5. SHOULD use 200 status code with errors field on missing {query} parameter when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+6. SHOULD use 400 status code on object {query} parameter when accepting application/graphql-response+json<br />
+```
+Status code 500 is not 400
+```
+7. SHOULD use 400 status code on array {query} parameter when accepting application/graphql-response+json<br />
+```
+Status code 500 is not 400
+```
+8. SHOULD use 200 status code with errors field on object {query} parameter when accepting application/json<br />
+```
+Status code 500 is not 200
+```
+9. SHOULD use 200 status code with errors field on number {query} parameter when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+10. SHOULD use 200 status code with errors field on boolean {query} parameter when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+11. SHOULD use 200 status code with errors field on array {query} parameter when accepting application/json<br />
+```
+Status code 500 is not 200
+```
+12. SHOULD use 200 status code with errors field on object {operationName} parameter when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+13. SHOULD use 200 status code with errors field on number {operationName} parameter when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+14. SHOULD use 200 status code with errors field on boolean {operationName} parameter when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+15. SHOULD use 200 status code with errors field on array {operationName} parameter when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+16. SHOULD use 400 status code on array {variables} parameter when accepting application/graphql-response+json<br />
+```
+Status code 200 is not 400
+```
+17. SHOULD use 200 status code with errors field on string {variables} parameter when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+18. SHOULD use 200 status code with errors field on number {variables} parameter when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+19. SHOULD use 200 status code with errors field on boolean {variables} parameter when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+20. SHOULD use 200 status code with errors field on array {variables} parameter when accepting application/json<br />
+```
+Execution result {"data":{"__typename":"Query"}} does not have a property 'errors'
+```
+21. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/graphql-response+json<br />
+```
+Status code 405 is not 200
+```
+22. MAY allow URL-encoded JSON string {variables} parameter in GETs when accepting application/json<br />
+```
+Status code 405 is not 200
+```
+23. SHOULD use 400 status code on string {extensions} parameter when accepting application/graphql-response+json<br />
+```
+Status code 200 is not 400
+```
+24. SHOULD use 400 status code on number {extensions} parameter when accepting application/graphql-response+json<br />
+```
+Status code 200 is not 400
+```
+25. SHOULD use 400 status code on boolean {extensions} parameter when accepting application/graphql-response+json<br />
+```
+Status code 200 is not 400
+```
+26. SHOULD use 400 status code on array {extensions} parameter when accepting application/graphql-response+json<br />
+```
+Status code 200 is not 400
+```
+27. SHOULD use 200 status code with errors field on string {extensions} parameter when accepting application/json<br />
+```
+Execution result {"data":{"__typename":"Query"}} does not have a property 'errors'
+```
+28. SHOULD use 200 status code with errors field on number {extensions} parameter when accepting application/json<br />
+```
+Execution result {"data":{"__typename":"Query"}} does not have a property 'errors'
+```
+29. SHOULD use 200 status code with errors field on boolean {extensions} parameter when accepting application/json<br />
+```
+Execution result {"data":{"__typename":"Query"}} does not have a property 'errors'
+```
+30. SHOULD use 200 status code with errors field on array {extensions} parameter when accepting application/json<br />
+```
+Execution result {"data":{"__typename":"Query"}} does not have a property 'errors'
+```
+31. SHOULD use 200 status code on JSON parsing failure when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+32. SHOULD use 200 status code if parameters are invalid when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+33. SHOULD use 200 status code on document parsing failure when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+34. SHOULD use 200 status code on document validation failure when accepting application/json<br />
+```
+Status code 400 is not 200
+```
+
diff --git a/implementations/postgraphile/docker-compose.yml b/implementations/postgraphile/docker-compose.yml
@@ -0,0 +1,25 @@
+services:
+  database:
+    image: postgres:15
+    environment:
+      - POSTGRES_HOST_AUTH_METHOD=trust
+    healthcheck:
+      test: pg_isready -U postgres || exit 1
+      interval: 3s
+      timeout: 1s
+  server:
+    build: .
+    depends_on:
+      database:
+        condition: service_healthy
+    environment:
+      - PGHOST=database
+      - PGUSER=postgres
+      - PORT=${PORT}
+    ports:
+      - ${PORT}:${PORT}
+    entrypoint: postgraphile --host 0.0.0.0 --port ${PORT}
+    healthcheck:
+      test: "curl -f -H 'content-type: application/json' -d '{ \"query\": \"{ __typename }\" }' http://localhost:$$PORT/graphql || exit 1"
+      interval: 3s
+      timeout: 1s
diff --git a/implementations/postgraphile/package.json b/implementations/postgraphile/package.json
@@ -0,0 +1,8 @@
+{
+  "private": true,
+  "name": "postgraphile",
+  "packageManager": "yarn@3.2.3",
+  "scripts": {
+    "start": "docker compose up --build"
+  }
+}
diff --git a/yarn.lock b/yarn.lock
@@ -10181,6 +10181,12 @@ __metadata:
   languageName: node
   linkType: hard
 
+"postgraphile@workspace:implementations/postgraphile":
+  version: 0.0.0-use.local
+  resolution: "postgraphile@workspace:implementations/postgraphile"
+  languageName: unknown
+  linkType: soft
+
 "prelude-ls@npm:^1.2.1":
   version: 1.2.1
   resolution: "prelude-ls@npm:1.2.1"

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+FROM node:18`
	`2`	`+`
	`3`	`+RUN npm install -g postgraphile@4`