fix(authorization): return null data and respect error location config for fully-unauthorized requests

[carodewig]

When the query planner rejects a request because all fields are unauthorized, the response was always returned with errors in the errors array and data: {} — ignoring the configured errors.response location and returning an empty object instead of null.

This fix makes fully-unauthorized requests go through the same error formatting path as partially-unauthorized ones, so the errors.response and errors.log configuration is respected consistently. It also corrects the response to return data: null instead of data: {}.

The shared logic is consolidated into methods on UnauthorizedPaths, replacing duplicated inline implementations in both execution/service.rs and query_planner_service.rs.

---

Checklist

Complete the checklist (and note appropriate exceptions) before the PR is marked ready-for-review.

• PR description explains the motivation for the change and relevant context for reviewing
• PR description links appropriate GitHub/Jira tickets (creating when necessary)
• Changeset is included for user-facing changes
• Changes are compatible¹
• Documentation² completed
• Performance impact assessed and acceptable
• Metrics and logs are added³ and documented
• Tests added and passing⁴
  • Unit tests
  • Integration tests
  • Manual tests, as necessary

Exceptions

Note any exceptions here

Notes

Footnotes

1. It may be appropriate to bring upcoming changes to the attention of other (impacted) groups. Please endeavour to do this before seeking PR approval. The mechanism for doing this will vary considerably, so use your judgement as to how and when to do this. ↩

2. Configuration is an important part of many changes. Where applicable please try to document configuration examples. ↩

3. A lot of (if not most) features benefit from built-in observability and debug-level logs. Please read this guidance on metrics best-practices. ↩

4. Tick whichever testing boxes are applicable. If you are adding Manual Tests, please document the manual testing (extensively) in the Exceptions. ↩

[apollo-librarian]

✅ Docs preview ready

The preview is ready to be viewed. View the preview

File Changes

0 new, 1 changed, 0 removed

* graphos/routing/(latest)/security/authorization.mdx

Build ID: 748f7ff34a0bce521d758871
Build Logs: View logs

URL: https://www.apollographql.com/docs/deploy-preview/748f7ff34a0bce521d758871

---

⚠️ AI Style Review — 2 Issues Found

Summary

This pull request updates the documentation to align with several style guide standards. Key changes include reframing content to be organization-centric and adopting a more authoritative voice by removing unopinionated phrasing like 'for your needs.' Technical accuracy was improved by applying active voice to clarify router actions and removing definite articles before standalone product names such as 'Router.' Additionally, formatting and word usage were refined by removing italics for general emphasis and replacing the term 'below' with 'following' in body text.

Duration: 2884ms
Review Log: View detailed log

This review is AI-generated. Please use common sense when accepting these suggestions, as they may not always be accurate or appropriate for your specific context.

[conwuegb]

LGTM