java validation errors in graphql

[raoua-eng]

Describe the bug

I'm experiensing validation in GraphQL inputs with the Java Bean Validation API and I tried to customize message errors by using the expression language (EL) as below :

@Size(value = 5, message = "{ '${validatedValue}' must be at least {value} characters long. Length found : '${validatedValue.length()}'}")
private String civility;

Then in the graphql playground if we added a wrong civility with an invalid charachter long, here must be at least 5 we get this message error :

"message": "validation failed: updateAdherent.adherent.civility : 'TESTEST' must be at least 5 characters long. Length found : '${validatedValue.length()}'

Expected behavior

In the message error should be :

"message": "validation failed: updateAdherent.adherent.civility : 'TESTEST' must be at least 5 characters long. Length found : '7'

Actual behavior

"message": "validation failed: updateAdherent.adherent.civility : 'TESTEST' must be at least 5 characters long. Length found : '${validatedValue.length()}'

How to Reproduce?

As a reproducer we start by the GraphQL input

import java.time.LocalDate;
import javax.json.bind.annotation.JsonbDateFormat;
import javax.validation.constraints.Email;
import javax.validation.constraints.NotBlank;
import javax.validation.constraints.Past;
import lombok.AllArgsConstructor;
import lombok.Builder;
import lombok.Data;
import lombok.NoArgsConstructor;

@Builder
@Data
@AllArgsConstructor
@NoArgsConstructor
public class CreatePersonUseCaseInput {
    @NotBlank(message="'${validatedValue}' cannot be null")
    private String name;
    @Past(message="Date must be in past. found '${validatedValue}'")
    @JsonbDateFormat(value = "dd/MM/yyyy")
    private LocalDate dateOfBirth;
    @Email(message="email should be valid")
    private String email;
  @Size(value = 5, message = "{ '${validatedValue}' must be at least {value} characters long. Length found : '${validatedValue.length()}'}")
  private String civility;
}

then the mutation code:

@Mutation
    @Description("create person")
    public String createPerson(@Valid @Name("person")CreatePersonUseCaseInput input) {
        /*
         * do something
         * */
        return "successful creation";
    }

Lastly the query in the graphql playground is

mutation{
  createPerson(
    person:{
      name:"test"
      dateOfBirth: "12/03/2002"
      email: "test.test@gg"
      civility: "TESTEST"
    }
  )
}

Output of uname -a or ver

No response

Output of java -version

"1.8.0_265"

GraalVM version (if different from Java)

No response

Quarkus version or git rev

2.5.1.Final

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response

[quarkus-bot]

/cc @jmartisk, @phillip-kruger

[jmartisk]

@gsmet could you have a look? To me it looks like a HV issue, not specific to GraphQL

[gsmet]

@raoua-eng it would help if you could put together a full reproducer (i.e. a Maven project containing everything needed to reproduce the issue). Thanks!

[raoua-eng]

@gsmet Feel free to use a reproducer I made for this issue: https://github.com/raoua-eng/Quarkus

[raoua-eng]

@gsmet do you think the issue is related to EL restrictions NONE, VARIABLES, BEAN_PROPERTIES(default), BEAN_METHODS ?

[gsmet]

Yes exactly.

The default allows you to use bean properties but not call methods on beans. Thus why you cannot use the length() method.

I wonder if we should have some sort of allow list allowing some of the harmless but very useful methods. @yrodiere any opinion on that? It makes things a bit blurry though.

Also, for now, you cannot configure the default expression language level in Quarkus, we need to fix it.

[yrodiere]

I wonder if we should have some sort of allow list allowing some of the harmless but very useful methods. @yrodiere any opinion on that? It makes things a bit blurry though.

Meh. Not a fan of things that needs to be updated continuously, and that list probably would. Maybe if it can be customized by users somehow...

Regardless, I think the main problem here is that users are not warned that their attempt to call a method is being ignored, and they are not provided with a helpful message telling them what to change in their application to make it work. But I suppose we don't have a way to warn something every time a method call is ignored? It doesn't work that way?

Also, for now, you cannot configure the default expression language level in Quarkus, we need to fix it.

👍

[raoua-eng]

Thanks and I hope it will be fixed soon.

[gsmet]

I created a PR for that here: #23877

[gsmet]

2.7.3.Final has been released and you can now configure the behavior with:

quarkus.hibernate-validator.expression-language.constraint-expression-feature-level=bean-methods

[raoua-eng]

Great :) thank you for your support