LYNX-319 401 and 403 HTTP response codes for GraphQL API

Author: cod40403

app/code/Magento/CustomerGraphQl/Controller/HttpRequestValidator/AuthorizationRequestValidator.php

@@ -0,0 +1,59 @@
+<?php
+/**
+ * Copyright 2024 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\CustomerGraphQl\Controller\HttpRequestValidator;
+
+use Magento\Framework\App\HttpRequestInterface;
+use Magento\Framework\Exception\AuthorizationException;
+use Magento\Framework\GraphQl\Exception\GraphQlAuthenticationException;
+use Magento\GraphQl\Controller\HttpRequestValidatorInterface;
+use Magento\Integration\Api\Exception\UserTokenException;
+use Magento\Integration\Api\UserTokenReaderInterface;
+use Magento\Integration\Api\UserTokenValidatorInterface;
+
+class AuthorizationRequestValidator implements HttpRequestValidatorInterface
+{
+    private const AUTH = 'Authorization';
+    private const BEARER = 'bearer';
+    /**
+     * AuthorizationRequestValidator Constructor
+     *
+     * @param UserTokenReaderInterface $tokenReader
+     * @param UserTokenValidatorInterface $tokenValidator
+     */
+    public function __construct(
+        private readonly UserTokenReaderInterface $tokenReader,
+        private readonly UserTokenValidatorInterface $tokenValidator
+    ) {
+    }
+
+    /**
+     * Validate the authorization header bearer token if it is set
+     *
+     * @param HttpRequestInterface $request
+     * @return void
+     * @throws GraphQlAuthenticationException
+     */
+    public function validate(HttpRequestInterface $request): void
+    {
+        $authorizationHeaderValue = $request->getHeader(self::AUTH);
+        if (!$authorizationHeaderValue) {
+            return;
+        }
+
+        $headerPieces = explode(' ', $authorizationHeaderValue);
+        if (count($headerPieces) !== 2 || strtolower($headerPieces[0]) !== self::BEARER) {
+            return;
+        }
+
+        try {
+            $this->tokenValidator->validate($this->tokenReader->read($headerPieces[1]));
+        } catch (UserTokenException | AuthorizationException $exception) {
+            throw new GraphQlAuthenticationException(__($exception->getMessage()));
+        }
+    }
+}

app/code/Magento/CustomerGraphQl/etc/graphql/di.xml

@@ -1,8 +1,8 @@
 <?xml version="1.0"?>
 <!--
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2024 Adobe
+ * All Rights Reserved.
  */
 -->
 <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
@@ -212,4 +212,11 @@
         <plugin name="merge_order_after_customer_signup"
                 type="Magento\CustomerGraphQl\Plugin\Model\MergeGuestOrder" />
     </type>
+    <type name="Magento\GraphQl\Controller\HttpRequestProcessor">
+        <arguments>
+            <argument name="requestValidators" xsi:type="array">
+                <item name="authorizationValidator" xsi:type="object">Magento\CustomerGraphQl\Controller\HttpRequestValidator\AuthorizationRequestValidator</item>
+            </argument>
+        </arguments>
+    </type>
 </config>

app/code/Magento/GraphQl/Controller/GraphQl.php

@@ -1,14 +1,13 @@
 <?php
-
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2024 Adobe
+ * All Rights Reserved.
  */
-
 declare(strict_types=1);
 
 namespace Magento\GraphQl\Controller;
 
+use Exception;
 use Magento\Framework\App\Area;
 use Magento\Framework\App\AreaList;
 use Magento\Framework\App\FrontControllerInterface;
@@ -24,6 +23,8 @@
 use Magento\Framework\GraphQl\Query\QueryProcessor;
 use Magento\Framework\GraphQl\Query\Resolver\ContextInterface;
 use Magento\Framework\GraphQl\Schema\SchemaGeneratorInterface;
+use Magento\Framework\GraphQl\Exception\GraphQlAuthenticationException;
+use Magento\Framework\GraphQl\Exception\GraphQlAuthorizationException;
 use Magento\Framework\Serialize\SerializerInterface;
 use Magento\Framework\Webapi\Response;
 use Magento\GraphQl\Helper\Query\Logger\LogData;
@@ -184,7 +185,7 @@ public function dispatch(RequestInterface $request): ResponseInterface
         $statusCode = 200;
         $jsonResult = $this->jsonFactory->create();
         $data = $this->getDataFromRequest($request);
-        $result = [];
+        $result = ['errors' => []];
 
         $schema = null;
         $query = $data['query'] ?? '';
@@ -205,8 +206,14 @@ public function dispatch(RequestInterface $request): ResponseInterface
                 $this->contextFactory->create(),
                 $data['variables'] ?? []
             );
-        } catch (\Exception $error) {
-            $result['errors'] = isset($result['errors']) ? $result['errors'] : [];
+            $statusCode = $this->getHttpResponseCode($result);
+        } catch (GraphQlAuthenticationException $error) {
+            $result['errors'][] = $this->graphQlError->create($error);
+            $statusCode = 401;
+        } catch (GraphQlAuthorizationException $error) {
+            $result['errors'][] = $this->graphQlError->create($error);
+            $statusCode = 403;
+        } catch (Exception $error) {
             $result['errors'][] = $this->graphQlError->create($error);
             $statusCode = ExceptionFormatter::HTTP_GRAPH_QL_SCHEMA_ERROR_STATUS;
         }
@@ -216,7 +223,7 @@ public function dispatch(RequestInterface $request): ResponseInterface
         $jsonResult->renderResult($this->httpResponse);
 
         // log information about the query, unless it is an introspection query
-        if (strpos($query, 'IntrospectionQuery') === false) {
+        if (!str_contains($query, 'IntrospectionQuery')) {
             $queryInformation = $this->logDataHelper->getLogData($request, $data, $schema, $this->httpResponse);
             $this->loggerPool->execute($queryInformation);
         }
@@ -247,4 +254,30 @@ private function getDataFromRequest(RequestInterface $request): array
 
         return $data;
     }
+
+    /**
+     * Retrieve http response code based on the error categories
+     *
+     * @param array $result
+     * @return int
+     */
+    private function getHttpResponseCode(array $result): int
+    {
+        if (empty($result['errors'])) {
+            return 200;
+        }
+        foreach ($result['errors'] as $error) {
+            if (!isset($error['extensions']['category'])) {
+                continue;
+            }
+            switch ($error['extensions']['category']) {
+                case GraphQlAuthenticationException::EXCEPTION_CATEGORY:
+                    return 401;
+                case GraphQlAuthorizationException::EXCEPTION_CATEGORY:
+                    return 403;
+            }
+        }
+
+        return 200;
+    }
 }