Action Transforms: GET sends POST body and Content-Type header #7937
Description
Hi all, love the 2.1.0 release, congratulations.
Version Information
Server Version: 2.1.0
CLI Version (for CLI related issue):
Environment
Running on Heroku.
What is the expected behaviour?
When I use the new Action Transforms, I wish to be able to send a regular GET request, without extra headers or body.
Keywords
action transforms, get, post, headers
What is the current behaviour?
When I use a GET Action, Hasura overrides any Content-Type header with application/json and sends a body. This breaks certain APIs (such as Stripe) who are expecting a GET request to not have a body, nor a Content-Type header.
In Stripe's case, because of either the header or body (I don't know which), the GET request is instead treated as a malformed POST request, and the request fails.
How to reproduce the issue?
- Create a new Action.
- Set the webhook handler to one such as on webhook.site to test the request.
- Set a custom
Content-Typeheader
- Add a request option transformation, and select GET.
- OPTIONAL: Add a Payload Transformation, with a configured request body of
null, or[]or"". If you leave it blank, or don't complete this step, Hasura will assume that, instead of sending no body at all, you intended to remove the Payload Transform and send through the current payload as the body.
Screenshots or Screencast
Without a Payload transform
You can see how this GET request has overridden the content-type header to be application/json, despite me setting it to text/plain in my custom headers.
It also has a raw content of the original request.
With a Payload transform of null
Again, the content-type has been overridden with application/json and the body is set to the JSON value null. A body of null is different from not sending the body at all.
Any possible solutions?
When action transform method type is set to GET, do not provide a content-type header or send any body whatsoever. Note that this is different from setting content-type or body to null or empty string - the mere presence of the keys may confuse the receiver.
Alternatively, do not make this a GET only difference, and always allow the transformation definition to clearly say "Do not send a body / particular headers."
Can you identify the location in the source code where the problem exists?
I am not familiar with the source code, but my best guess would be line 496 in the Action executor:
It looks like the code first stamps on the headers and body as if it were a POST, and then applies further transformations. The code should avoid adding the headers and body until we know for sure this is a POST request, or the transformation should be able to strip them later.
If the bug is confirmed, would you be willing to submit a PR?
My Haskell is unfortunately not good enough to write the code myself.