fraiseql-server 2.3.0

HTTP server for FraiseQL v2 GraphQL engine
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142

//! Global error sanitization middleware.
//!
//! Intercepts all HTTP error responses (4xx/5xx) and sanitizes internal details
//! before they reach the client. Covers both GraphQL and REST API endpoints,
//! replacing the previous approach of manual `ErrorSanitizer::sanitize()` calls
//! at each error site.
//!
//! Successful responses (2xx/3xx) are passed through without body inspection.

use std::sync::Arc;

use axum::{
    body::Body,
    extract::State,
    http::{Request, StatusCode, header},
    middleware::Next,
    response::{IntoResponse, Response},
};

use crate::config::error_sanitization::ErrorSanitizer;

/// Maximum error response body size we'll read for sanitization (256 KiB).
/// Larger error bodies are passed through unsanitized to prevent DoS.
const MAX_ERROR_BODY_BYTES: usize = 256 * 1024;

/// Axum middleware that sanitizes error responses globally.
///
/// Intercepts responses with 4xx/5xx status codes that have a JSON content-type,
/// parses the body, sanitizes internal details from the `errors` array (GraphQL)
/// or `message`/`detail` fields (REST), and re-serializes.
///
/// Successful responses and non-JSON error responses are passed through unchanged.
///
/// # Errors
///
/// Returns the original response unchanged if body parsing or re-serialization fails.
pub async fn error_sanitization_middleware(
    State(sanitizer): State<Arc<ErrorSanitizer>>,
    request: Request<Body>,
    next: Next,
) -> Response {
    if !sanitizer.is_enabled() {
        return next.run(request).await;
    }

    let response = next.run(request).await;

    // Only inspect error responses (4xx/5xx)
    if response.status().is_success() || response.status().is_redirection() {
        return response;
    }

    // Only inspect JSON responses
    let is_json = response
        .headers()
        .get(header::CONTENT_TYPE)
        .and_then(|v| v.to_str().ok())
        .is_some_and(|ct| ct.contains("application/json"));

    if !is_json {
        return response;
    }

    // Decompose the response to preserve status, headers, and version

    // Read the body (with size limit to prevent DoS)
    let (parts, body) = response.into_parts();
    let body_bytes = match axum::body::to_bytes(body, MAX_ERROR_BODY_BYTES).await {
        Ok(bytes) => bytes,
        Err(_) => return StatusCode::INTERNAL_SERVER_ERROR.into_response(),
    };

    // Try to parse as JSON and sanitize
    let sanitized_bytes = match serde_json::from_slice::<serde_json::Value>(&body_bytes) {
        Ok(mut json) => {
            sanitize_json_error(&sanitizer, &mut json);
            match serde_json::to_vec(&json) {
                Ok(bytes) => bytes,
                Err(_) => body_bytes.to_vec(),
            }
        },
        Err(_) => body_bytes.to_vec(),
    };

    // Reconstruct response with original status, headers, and version
    let body_len = sanitized_bytes.len();
    let mut response = Response::from_parts(parts, Body::from(sanitized_bytes));
    // Update content-length since the body may have changed size
    response.headers_mut().insert(header::CONTENT_LENGTH, body_len.into());
    response
}

/// Sanitize a JSON error response in-place.
///
/// Handles two formats:
/// - **GraphQL**: `{ "errors": [{ "message": "...", "code": "...", "extensions": { "detail": "..."
///   } }] }`
/// - **REST**: `{ "message": "...", "detail": "..." }`
pub(crate) fn sanitize_json_error(sanitizer: &ErrorSanitizer, json: &mut serde_json::Value) {
    // GraphQL format: sanitize each error in the "errors" array
    if let Some(errors) = json.get_mut("errors").and_then(|e| e.as_array_mut()) {
        for error in errors {
            sanitize_single_error(sanitizer, error);
        }
    }

    // REST format: sanitize top-level "message" and "detail"
    if json.get("errors").is_none() {
        sanitize_single_error(sanitizer, json);
    }
}

/// Sanitize a single error object.
///
/// Strips internal details from `InternalServerError` and `DatabaseError` codes.
fn sanitize_single_error(sanitizer: &ErrorSanitizer, error: &mut serde_json::Value) {
    let code = error.get("code").and_then(|c| c.as_str()).unwrap_or("");

    let is_internal = matches!(code, "INTERNAL_SERVER_ERROR" | "DATABASE_ERROR");

    if is_internal {
        // Delegate to the ErrorSanitizer for message replacement
        // Build a temporary GraphQLError, sanitize, extract the message
        if let Some(message) = error.get("message").and_then(|m| m.as_str()) {
            let code_enum = if code == "DATABASE_ERROR" {
                crate::error::ErrorCode::DatabaseError
            } else {
                crate::error::ErrorCode::InternalServerError
            };
            let temp = crate::error::GraphQLError::new(message, code_enum);
            let sanitized = sanitizer.sanitize(temp);
            error["message"] = serde_json::Value::String(sanitized.message);
        }
    }

    // Strip implementation details from extensions
    if let Some(extensions) = error.get_mut("extensions") {
        if let Some(obj) = extensions.as_object_mut() {
            obj.remove("detail");
        }
    }
}