Logging for authentication issues

I don’t think the errors field is the correct place 100% of the time, though.

Use cases:

  • I have access to some contacts but not all, so when I use queryContact I would not want to get an error if I receive no contacts, because that could be expected based upon the user.
  • However, if I ask for a specific getContact that I do not have access to but does exist, some developers may find it helpful to get an error message, but other developers may not want to expose through the error message that something even exists there. Think users with an email address as id. Exposing that something did exist but you don’t have access could potentially open up a security hole, because now an attacker knows they have a valid username/email address. Then the attacker can focus on phishing that user for their password instead of continuing to try to find a valid user. Those developers would want to return null with no error. This use case could easily apply to mutations in the same manner.

Maybe this can be a configurable option? Maybe it should return data in the extensions instead of the error.

In 2020 Q3 there was a topic somewhere based upon information getting exposed through error messages, and the API was changed to help conceal these errors for the second case above.

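The two resolver behaviours the comment contrasts, as an added example that is not code from the original discussion or from any GraphQL library. It assumes a hypothetical in-memory contacts store keyed by email address, a hypothetical `canRead` ownership check, and resolvers that return plain objects shaped like a GraphQL execution result (`data`, `errors`, `extensions`). The "leaky" getContact answers "not found" and "not authorized" differently, which an attacker can use as an existence oracle; the "concealing" variant returns null with no error for both cases and, if the hypothetical `exposeInExtensions` option is on, puts the same hint in `extensions` for both, so the responses stay indistinguishable. queryContact returns an empty list without an error.

```javascript
// Added example: hypothetical contacts store, keyed by email address (the "email as id" case).
// Constructed sample data, not from any real system.
const CONTACTS = new Map([
  ['alice@example.com', { id: 'alice@example.com', name: 'Alice', ownerId: 'u1' }],
  ['bob@example.com',   { id: 'bob@example.com',   name: 'Bob',   ownerId: 'u2' }],
]);

// Hypothetical authorization rule: a viewer may read only the contacts they own.
function canRead(viewer, contact) {
  return contact.ownerId === viewer.id;
}

// Leaky resolver: distinct responses for "does not exist" and "exists but forbidden".
// Returns a GraphQL-style result object: { data, errors? }.
function leakyGetContact(viewer, id) {
  const contact = CONTACTS.get(id);
  if (!contact) {
    return { data: { getContact: null },
             errors: [{ message: `Contact ${id} not found`, path: ['getContact'] }] };
  }
  if (!canRead(viewer, contact)) {
    return { data: { getContact: null },
             errors: [{ message: `Not authorized to view ${id}`, path: ['getContact'] }] };
  }
  return { data: { getContact: contact } };
}

// Concealing resolver: null and no error whether the contact is missing or forbidden.
// exposeInExtensions is a hypothetical per-server option; when set, the same hint is
// attached in both cases so the caller still cannot tell them apart.
function concealingGetContact(viewer, id, { exposeInExtensions = false } = {}) {
  const contact = CONTACTS.get(id);
  if (!contact || !canRead(viewer, contact)) {
    const result = { data: { getContact: null } };
    if (exposeInExtensions) {
      result.extensions = { getContact: { hidden: true } };
    }
    return result;
  }
  return { data: { getContact: contact } };
}

// List query: filter to what the viewer may see; an empty list is a normal result, not an error.
function queryContact(viewer) {
  const visible = [...CONTACTS.values()].filter((c) => canRead(viewer, c));
  return { data: { queryContact: visible } };
}

// Oracle check: can a caller distinguish an id that exists-but-forbidden from one that
// does not exist at all? True means the resolver leaks existence.
function isExistenceOracle(resolver, viewer, forbiddenExistingId, unknownId, opts) {
  const forbidden = JSON.stringify(resolver(viewer, forbiddenExistingId, opts));
  const unknown = JSON.stringify(resolver(viewer, unknownId, opts));
  return forbidden !== unknown;
}

// Stand-alone demonstration (viewer u1 owns only alice@example.com).
const viewer = { id: 'u1' };
console.log('leaky leaks existence:',
  isExistenceOracle(leakyGetContact, viewer, 'bob@example.com', 'nobody@example.com'));
console.log('concealing leaks existence:',
  isExistenceOracle(concealingGetContact, viewer, 'bob@example.com', 'nobody@example.com'));
console.log('concealing + extensions leaks existence:',
  isExistenceOracle(concealingGetContact, viewer, 'bob@example.com', 'nobody@example.com',
    { exposeInExtensions: true }));
console.log('viewer with no contacts:', JSON.stringify(queryContact({ id: 'u3' })));
```

The `isExistenceOracle` check is the test a reviewer would apply to any resolver that takes a guessable id: compare the full response for a known-existing-but-forbidden id against one for an id that cannot exist, and treat any difference (message text, error presence, extension contents, even response timing, which this example does not cover) as an enumeration leak.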