NullReferenceException in AuthorizationValidationRule when query/mutation/parameter name is invalid #61
Description
After registering the authorization classes as follows:
public static void AddGraphQLAuth(this IServiceCollection services)
{
services.TryAddSingleton<IHttpContextAccessor, HttpContextAccessor>();
services.TryAddSingleton<IAuthorizationEvaluator, AuthorizationEvaluator>();
services.AddTransient<IValidationRule, AuthorizationValidationRule>();
services.TryAddSingleton(s =>
{
var authSettings = new AuthorizationSettings();
authSettings.AddPolicy("AdminPolicy", _ => _.RequireClaim("role", "Admin"));
return authSettings;
});
}
When a consumer tries to execute a query or a mutation that doesn't exist or to pass a parameter that doesn't exist:
mutation {
addDevelper(
id: "b07b3e4e-ea3c-42fc-9c76-40cbdec25ff5",
name:"john",
surname: "smith",
skills: [
{ Name: "C#", Score: 10 },
{ Name: "JS", Score: 7 }
])
}
The endpoint returns:
{
"errors": [
{
"message": "GraphQL.ExecutionError: Object reference not set to an instance of an object. ---> System.NullReferenceException: Object reference not set to an instance of an object.\r\n at GraphQL.Authorization.AuthorizationValidationRule.<>c__DisplayClass2_1.<Validate>b__2(ObjectField objectFieldAst)\r\n at GraphQL.Validation.EnterLeaveListener.GraphQL.Validation.INodeVisitor.Enter(INode node)\r\n at GraphQL.Validation.BasicVisitor.Visit(INode node)\r\n at
[..]
GraphQL.Validation.BasicVisitor.Visit(INode node)\r\n at GraphQL.Validation.DocumentValidator.Validate(String originalQuery, ISchema schema, Document document, IEnumerable`1 rules, Object userContext, Inputs inputs)\r\n at GraphQL.DocumentExecuter.ExecuteAsync(ExecutionOptions options)\r\n --- End of inner exception stack trace ---",
"extensions": {
"code": "NULL_REFERENCE"
}
}
]
}
This only happens if at least one parameter is an object (as the elements of the skills array).
The expected behaviour is that the endpoint returns the same error message it would return if the authorization classes weren't registered:
{
"errors": [
{
"message": "GraphQL.Validation.ValidationError: Cannot query field \"addDevelper\" on type \"Mutation\". Did you mean \"addDeveloper\"?",
[..]
}
]
}
I don't know the library well enough to understand why context.TypeInfo.GetArgument() is returning null for invalid queries/mutations, but replacing line 40 of AuthorizationValidationRule.cs:
var argumentType = context.TypeInfo.GetArgument().ResolvedType.GetNamedType() as IComplexGraphType;
with
var argumentType = context.TypeInfo.GetArgument()?.ResolvedType.GetNamedType() as IComplexGraphType;
appears to fix the problem.
If the solution is valid, I can create a PR.