ACP2E-4194: GraphQL Exception in SWAT

Author: dhorytskyi

app/code/Magento/GraphQl/Controller/GraphQl.php

@@ -24,6 +24,7 @@
 use Magento\Framework\GraphQl\Exception\GraphQlAuthenticationException;
 use Magento\Framework\GraphQl\Exception\GraphQlAuthorizationException;
 use Magento\Framework\GraphQl\Exception\GraphQlInputException;
+use Magento\Framework\GraphQl\Exception\InvalidRequestInterface;
 use Magento\Framework\GraphQl\Query\Fields as QueryFields;
 use Magento\Framework\GraphQl\Query\QueryParser;
 use Magento\Framework\GraphQl\Query\QueryProcessor;
@@ -34,7 +35,6 @@
 use Magento\GraphQl\Helper\Query\Logger\LogData;
 use Magento\GraphQl\Model\Query\ContextFactoryInterface;
 use Magento\GraphQl\Model\Query\Logger\LoggerPool;
-use Throwable;
 
 /**
  * Front controller for web API GraphQL area.
@@ -242,15 +242,15 @@ public function dispatch(RequestInterface $request): ResponseInterface
      *
      * @param Exception $e
      * @return array
-     * @throws Throwable
      */
     private function handleGraphQlException(Exception $e): array
     {
         [$error, $statusCode] = match (true) {
-            $e instanceof GraphQlInputException => [FormattedError::createFromException($e), 200],
+            $e instanceof InvalidRequestInterface => [FormattedError::createFromException($e), $e->getStatusCode()],
             $e instanceof SyntaxError => [FormattedError::createFromException($e), 400],
             $e instanceof GraphQlAuthenticationException => [$this->graphQlError->create($e), 401],
             $e instanceof GraphQlAuthorizationException => [$this->graphQlError->create($e), 403],
+            $e instanceof GraphQlInputException => [FormattedError::createFromException($e), 200],
             default => [$this->graphQlError->create($e), ExceptionFormatter::HTTP_GRAPH_QL_SCHEMA_ERROR_STATUS],
         };
 
@@ -293,19 +293,19 @@ private function getDataFromRequest(RequestInterface $request): array
             $content = $request->getContent();
             try {
                 $data = $this->jsonSerializer->unserialize($content);
-            } catch (\InvalidArgumentException $e) {
+            } catch (\InvalidArgumentException) {
                 $source = new Source($content);
-                throw new SyntaxError($source, 0, $e->getMessage());
+                throw new SyntaxError($source, 0, 'Unable to parse the request.');
             }
         } elseif ($request->isGet()) {
             $data = $request->getParams();
             try {
                 $data['variables'] = !empty($data['variables']) && is_string($data['variables'])
                     ? $this->jsonSerializer->unserialize($data['variables'])
                     : null;
-            } catch (\InvalidArgumentException $e) {
+            } catch (\InvalidArgumentException) {
                 $source = new Source($data['variables']);
-                throw new SyntaxError($source, 0, $e->getMessage());
+                throw new SyntaxError($source, 0, 'Unable to parse the variables.');
             }
         }
 

app/code/Magento/GraphQl/Controller/HttpRequestValidator/ContentTypeValidator.php

@@ -1,14 +1,15 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2019 Adobe
+ * All Rights Reserved.
  */
 declare(strict_types=1);
 
 namespace Magento\GraphQl\Controller\HttpRequestValidator;
 
 use Magento\Framework\App\HttpRequestInterface;
-use Magento\Framework\GraphQl\Exception\GraphQlInputException;
+use Magento\Framework\GraphQl\Exception\UnsupportedMediaTypeException;
+use Magento\Framework\Phrase;
 use Magento\GraphQl\Controller\HttpRequestValidatorInterface;
 
 /**
@@ -21,7 +22,7 @@ class ContentTypeValidator implements HttpRequestValidatorInterface
      *
      * @param HttpRequestInterface $request
      * @return void
-     * @throws GraphQlInputException
+     * @throws UnsupportedMediaTypeException
      */
     public function validate(HttpRequestInterface $request) : void
     {
@@ -32,8 +33,8 @@ public function validate(HttpRequestInterface $request) : void
         if ($request->isPost()
             && strpos($headerValue, $requiredHeaderValue) === false
         ) {
-            throw new GraphQlInputException(
-                new \Magento\Framework\Phrase('Request content type must be application/json')
+            throw new UnsupportedMediaTypeException(
+                new Phrase('Request content type must be application/json')
             );
         }
     }

app/code/Magento/GraphQl/Controller/HttpRequestValidator/HttpVerbValidator.php

@@ -1,7 +1,7 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2019 Adobe
+ * All Rights Reserved.
  */
 declare(strict_types=1);
 
@@ -13,7 +13,7 @@
 use Magento\Framework\App\HttpRequestInterface;
 use Magento\Framework\App\ObjectManager;
 use Magento\Framework\App\Request\Http;
-use Magento\Framework\GraphQl\Exception\GraphQlInputException;
+use Magento\Framework\GraphQl\Exception\MethodNotAllowedException;
 use Magento\Framework\GraphQl\Query\QueryParser;
 use Magento\Framework\Phrase;
 use Magento\GraphQl\Controller\HttpRequestValidatorInterface;
@@ -41,7 +41,7 @@ public function __construct(?QueryParser $queryParser = null)
      *
      * @param HttpRequestInterface $request
      * @return void
-     * @throws GraphQlInputException
+     * @throws MethodNotAllowedException
      */
     public function validate(HttpRequestInterface $request): void
     {
@@ -63,7 +63,7 @@ public function validate(HttpRequestInterface $request): void
                 );
 
                 if ($operationType !== null && strtolower($operationType) === 'mutation') {
-                    throw new GraphQlInputException(
+                    throw new MethodNotAllowedException(
                         new Phrase('Mutation requests allowed only for POST requests')
                     );
                 }

dev/tests/integration/testsuite/Magento/GraphQl/Controller/GraphQlControllerTest.php

@@ -9,19 +9,28 @@
 
 use Magento\Catalog\Api\Data\ProductInterface;
 use Magento\Catalog\Api\ProductRepositoryInterface;
+use Magento\Framework\App\Area;
 use Magento\Framework\App\Request\Http;
 use Magento\Framework\EntityManager\MetadataPool;
+use Magento\Framework\GraphQl\Exception\GraphQlInputException;
 use Magento\Framework\Serialize\SerializerInterface;
+use Magento\TestFramework\Fixture\AppArea;
+use Magento\TestFramework\Fixture\DataFixture;
+use Magento\TestFramework\Fixture\DbIsolation;
 use Magento\TestFramework\Helper\Bootstrap;
+use PHPUnit\Framework\Attributes\CoversClass;
 
 /**
  * Tests the dispatch method in the GraphQl Controller class using a simple product query
  *
- * @magentoAppArea graphql
- * @magentoDataFixture Magento/Catalog/_files/product_simple_with_url_key.php
- * @magentoDbIsolation disabled
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  */
+#[
+    CoversClass(GraphQl::class),
+    AppArea(Area::AREA_GRAPHQL),
+    DbIsolation(false),
+    DataFixture('Magento/Catalog/_files/product_simple_with_url_key.php'),
+]
 class GraphQlControllerTest extends \Magento\TestFramework\Indexer\TestCase
 {
     /** @var \Magento\Framework\ObjectManagerInterface */
@@ -54,8 +63,8 @@ public static function setUpBeforeClass(): void
 
     protected function setUp(): void
     {
-        $this->objectManager = \Magento\TestFramework\Helper\Bootstrap::getObjectManager();
-        $this->graphql = $this->objectManager->get(\Magento\GraphQl\Controller\GraphQl::class);
+        $this->objectManager = Bootstrap::getObjectManager();
+        $this->graphql = $this->objectManager->get(GraphQl::class);
         $this->jsonSerializer = $this->objectManager->get(SerializerInterface::class);
         $this->metadataPool = $this->objectManager->get(MetadataPool::class);
         $this->request = $this->objectManager->get(Http::class);
@@ -243,24 +252,17 @@ public function testError() : void
             ->addHeaders(['Content-Type' => 'application/json']);
         $this->request->setHeaders($headers);
         $response = $this->graphql->dispatch($this->request);
+        self::assertEquals(200, $response->getStatusCode());
+
         $outputResponse = $this->jsonSerializer->unserialize($response->getContent());
-        if (isset($outputResponse['errors'][0])) {
-            if (is_array($outputResponse['errors'][0])) {
-                foreach ($outputResponse['errors'] as $error) {
-                    $this->assertEquals(
-                        \Magento\Framework\GraphQl\Exception\GraphQlInputException::EXCEPTION_CATEGORY,
-                        $error['extensions']['category']
-                    );
-                    if (isset($error['message'])) {
-                        $this->assertEquals($error['message'], 'Invalid entity_type specified: invalid');
-                    }
-                    if (isset($error['trace'])) {
-                        if (is_array($error['trace'])) {
-                            $this->assertNotEmpty($error['trace']);
-                        }
-                    }
-                }
-            }
+        self::assertArrayHasKey('errors', $outputResponse);
+        self::assertNotEmpty($outputResponse['errors']);
+
+        $error = $outputResponse['errors'][0];
+        self::assertEquals(GraphQlInputException::EXCEPTION_CATEGORY, $error['extensions']['category']);
+        self::assertEquals('Invalid entity_type specified: invalid', $error['message']);
+        if (isset($error['trace']) && is_array($error['trace'])) {
+            self::assertNotEmpty($error['trace']);
         }
     }
 
@@ -349,7 +351,7 @@ public function testDispatchPostWithInvalidJson(): void
         self::assertArrayHasKey('errors', $output);
         self::assertNotEmpty($output['errors']);
         self::assertArrayHasKey('message', $output['errors'][0]);
-        self::assertEquals('Unable to parse the request.', $output['errors'][0]['message']);
+        self::assertEquals('Syntax Error: Unable to parse the request.', $output['errors'][0]['message']);
     }
 
     public function testDispatchPostWithWrongContentType(): void
@@ -371,11 +373,31 @@ public function testDispatchPostWithWrongContentType(): void
         $this->request->setMethod('POST');
         $this->request->setContent(json_encode($postData));
         $response = $this->graphql->dispatch($this->request);
-        self::assertEquals(400, $response->getStatusCode());
+        self::assertEquals(415, $response->getStatusCode());
         $output = $this->jsonSerializer->unserialize($response->getContent());
         self::assertArrayHasKey('errors', $output);
         self::assertNotEmpty($output['errors']);
         self::assertArrayHasKey('message', $output['errors'][0]);
         self::assertEquals('Request content type must be application/json', $output['errors'][0]['message']);
     }
+
+    public function testDispatchGetWithMutation(): void
+    {
+        $query = <<<QUERY
+mutation {
+    createEmptyCart
+}
+QUERY;
+
+        $this->request->setPathInfo('/graphql');
+        $this->request->setMethod('GET');
+        $this->request->setQueryValue('query', $query);
+        $response = $this->graphql->dispatch($this->request);
+        self::assertEquals(405, $response->getStatusCode());
+        $output = $this->jsonSerializer->unserialize($response->getContent());
+        self::assertArrayHasKey('errors', $output);
+        self::assertNotEmpty($output['errors']);
+        self::assertArrayHasKey('message', $output['errors'][0]);
+        self::assertEquals('Mutation requests allowed only for POST requests', $output['errors'][0]['message']);
+    }
 }

lib/internal/Magento/Framework/GraphQl/Exception/InvalidRequestInterface.php

@@ -0,0 +1,23 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\Framework\GraphQl\Exception;
+
+use Throwable;
+
+/**
+ * Interface for providing response status code when invalid GraphQL request is detected.
+ */
+interface InvalidRequestInterface extends Throwable
+{
+    /**
+     * HTTP status code to be returned with the response.
+     *
+     * @return int
+     */
+    public function getStatusCode(): int;
+}

lib/internal/Magento/Framework/GraphQl/Exception/MethodNotAllowedException.php

@@ -0,0 +1,46 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\Framework\GraphQl\Exception;
+
+use GraphQL\Error\ClientAware;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Framework\Phrase;
+
+class MethodNotAllowedException extends LocalizedException implements InvalidRequestInterface, ClientAware
+{
+    /**
+     * @param Phrase $phrase
+     * @param \Exception|null $cause
+     * @param int $code
+     * @param bool $isSafe
+     */
+    public function __construct(
+        Phrase $phrase,
+        ?\Exception $cause = null,
+        int $code = 0,
+        private readonly bool $isSafe = true,
+    ) {
+        parent::__construct($phrase, $cause, $code);
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function getStatusCode(): int
+    {
+        return 405;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function isClientSafe(): bool
+    {
+        return $this->isSafe;
+    }
+}

lib/internal/Magento/Framework/GraphQl/Exception/UnsupportedMediaTypeException.php

@@ -0,0 +1,46 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\Framework\GraphQl\Exception;
+
+use GraphQL\Error\ClientAware;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Framework\Phrase;
+
+class UnsupportedMediaTypeException extends LocalizedException implements InvalidRequestInterface, ClientAware
+{
+    /**
+     * @param Phrase $phrase
+     * @param \Exception|null $cause
+     * @param int $code
+     * @param bool $isSafe
+     */
+    public function __construct(
+        Phrase $phrase,
+        ?\Exception $cause = null,
+        int $code = 0,
+        private readonly bool $isSafe = true,
+    ) {
+        parent::__construct($phrase, $cause, $code);
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function getStatusCode(): int
+    {
+        return 415;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function isClientSafe(): bool
+    {
+        return $this->isSafe;
+    }
+}

lib/internal/Magento/Framework/GraphQl/Schema/SchemaGenerator.php

@@ -1,7 +1,7 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2018 Adobe
+ * All Rights Reserved.
  */
 declare(strict_types=1);
 

lib/internal/Magento/Framework/GraphQl/Schema/Type/TypeRegistry.php

@@ -1,7 +1,7 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2019 Adobe
+ * All Rights Reserved.
  */
 declare(strict_types=1);