Error Handling

Plings follows GraphQL best practices for surfacing errors to clients while safeguarding internal details.

GraphQL Error Shape

{
  "errors": [
    {
      "message": "Access denied: You do not have permission to view this object.",
      "path": ["object"],
      "extensions": { "code": "FORBIDDEN" }
    }
  ],
  "data": { "object": null }
}

Guidelines

  1. Sanitise Messages – Never leak stack traces in production.
  2. Error Codes – Use stable extensions.code values that clients can rely on (FORBIDDEN, UNAUTHENTICATED, BAD_INPUT, RATE_LIMITED, etc.).
  3. HTTP Status – Always 200 OK; errors are in the JSON payload per GraphQL spec.
  4. Logging – Internal logs capture full traceback & request metadata.
  5. RLS Violations – Supabase returns 42501 (insufficient privilege) which is translated to FORBIDDEN at the resolver boundary.
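
The sketch below shows how guidelines 1, 2, 4 and 5 can fit together at the resolver boundary. It is an added example, not Plings code. The choice of Python, the names `DatabaseError`, `to_graphql_error` and `resolve_field`, the logger name and the `INTERNAL_ERROR` fallback code are all assumptions; only the 42501 to FORBIDDEN mapping and the error shape come from this page.

```python
import logging

log = logging.getLogger("plings.graphql")  # logger name is an assumption

# Only the 42501 -> FORBIDDEN mapping comes from the page.
SQLSTATE_TO_CODE = {"42501": "FORBIDDEN"}
# Fixed client-facing text per code; INTERNAL_ERROR is an assumed fallback code.
PUBLIC_MESSAGES = {
    "FORBIDDEN": "Access denied: You do not have permission to view this object.",
    "INTERNAL_ERROR": "Internal server error.",
}

class DatabaseError(Exception):
    """Hypothetical stand-in for a driver exception that carries a SQLSTATE."""

    def __init__(self, sqlstate, detail):
        super().__init__(detail)
        self.sqlstate = sqlstate

def to_graphql_error(exc, path, request_meta):
    """Translate any exception into the sanitised GraphQL error shape."""
    code = SQLSTATE_TO_CODE.get(getattr(exc, "sqlstate", None), "INTERNAL_ERROR")
    # Full traceback and request metadata go to internal logs only.
    log.error("resolver failed code=%s path=%s meta=%s",
              code, path, request_meta, exc_info=exc)
    # The client message is looked up by code, never derived from str(exc).
    return {"message": PUBLIC_MESSAGES[code], "path": path,
            "extensions": {"code": code}}

def resolve_field(field, resolver, request_meta):
    """Resolver boundary: run the resolver and build the response body."""
    try:
        return {"data": {field: resolver()}}
    except Exception as exc:
        err = to_graphql_error(exc, [field], request_meta)
        return {"errors": [err], "data": {field: None}}

# Constructed resolvers: one RLS denial, one unexpected crash.
def rls_denied():
    raise DatabaseError("42501", 'permission denied for table "objects"')

def crashes():
    raise RuntimeError("connection to db-internal-01:5432 failed")

if __name__ == "__main__":
    meta = {"request_id": "req-123", "user_id": "u-42"}  # constructed
    print(resolve_field("object", rls_denied, meta))
    print(resolve_field("object", crashes, meta))
```

Unmapped exceptions fall through to the generic code, so a new failure mode cannot expose driver text or hostnames to clients until someone deliberately adds a mapping for it.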

Status: skeleton v0.1 – will include mapping table of Postgres/Neo4j error codes to GraphQL once finalised.