From 3b6bc0b6ebb30b068fceb5935088b64c67deb098 Mon Sep 17 00:00:00 2001
From: Matchu
Date: Thu, 2 Nov 2023 16:35:11 -0700
Subject: [PATCH] Oops, add `Vary: Origin` to GraphQL requests

Lol I guess we've probably just been having intermittent CORS issues forever, oops. I hope the cache has been mostly warmed on the right thing! But today I checked and the entire species/color picker on the Rails app wasn't working for CORS reasons, so like. Yeah oof.
---
 pages/api/graphql.js | 2 ++
 src/server/index.js | 10 ++++++----
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/pages/api/graphql.js b/pages/api/graphql.js
index 0a90711..bc31961 100644
--- a/pages/api/graphql.js
+++ b/pages/api/graphql.js
@@ -57,6 +57,8 @@ async function handle(req, res) {
 return res.status(204).end();
 }
+ // NOTE: We also have `Vary: Origin` hardcoded into the Apollo implementation,
+ // since it has other `Vary` stuff going on that's hard to integrate with.
 await serverHandler(req, res);
 // As a sneaky trick, we require the Honeycomb trace to finish before the
diff --git a/src/server/index.js b/src/server/index.js
index 7b902e5..3344b1d 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -50,7 +50,7 @@ const schema = makeExecutableSchema(
 require("./types/PetAppearance"),
 require("./types/User"),
 require("./types/Zone"),
- ])
+ ]),
 );
 const plugins = [cacheControlPluginFork({ calculateHttpHeaders: true })];
@@ -75,7 +75,7 @@ const config = {
 currentUserId = await getCurrentUserIdViaDb(req);
 } else {
 console.warn(
- `Unexpected auth mode: ${JSON.stringify(authMode)}. Skipping auth.`
+ `Unexpected auth mode: ${JSON.stringify(authMode)}. Skipping auth.`,
 );
 currentUserId = null;
 }
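Review bot: The new comment says Apollo carries the `Vary: Origin` for this route, but the preflight branch two lines above returns `res.status(204).end()` before `serverHandler` runs, so that response gets no `Vary` from Apollo at all. If the CORS headers on that 204 (presumably set earlier in `handle`, outside this hunk) echo the request origin, an intermediary that stores OPTIONS responses would need `res.setHeader("Vary", "Origin")` on that path too; browsers key their own preflight cache per origin, so this only matters for shared caches. Either way the comment would read better if it named the split, e.g. `// NOTE: Only requests that reach Apollo get its hardcoded \`Vary: Origin\` (it has other Vary handling that's hard to integrate with); the 204 preflight above is answered before Apollo runs.` `handle` starts and ends outside this hunk.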
@@ -99,7 +99,7 @@ const config = {
 res.setHeader(
 "Set-Cookie",
 `DTIAuthToken=${encodeURIComponent(JSON.stringify(authToken))}; ` +
- `Max-Age=${60 * 60 * 24 * 7}; Secure; HttpOnly; SameSite=Strict`
+ `Max-Age=${60 * 60 * 24 * 7}; Secure; HttpOnly; SameSite=Strict`,
 );
 } else {
 // Set a header to delete the cookie. (That is, empty and expired.)
@@ -115,6 +115,8 @@ const config = {
 // for caching user data! That way, login/logout will refresh user data,
 // even if it was briefly cached.
 //
+ // We also put Vary: Origin, for compatibility with our CORS stuff!
+ //
 // NOTE: Our frontend JS only sends the Authorization header for user data
 // queries. For public data, the header will be absent, and different
 // users will still be able to share the same public cache data.
@@ -122,7 +124,7 @@ const config = {
 // NOTE: At time of writing, I'm not sure we use this in app? I think all
 // current user data queries request fields with `maxAge: 0`. But I'm
 // adding it just to remove a potential surprise gotcha later!
- context.response.http.headers.set("Vary", "Authorization");
+ context.response.http.headers.set("Vary", "Authorization, Origin");
 return res;
 },
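Review bot: `context.response.http.headers.set("Vary", "Authorization, Origin")` replaces whatever `Vary` the response already carries instead of extending it, and the graphql.js comment in this same patch says the Apollo side has other `Vary` handling going on, so any value set before this hook runs (the cache-control plugin is the obvious candidate) is dropped here. Merging is two lines: `const prior = context.response.http.headers.get("Vary");` and `context.response.http.headers.set("Vary", [prior, "Authorization, Origin"].filter(Boolean).join(", "));`. This is the crux of the CORS fix the commit describes: a shared cache only keeps a response whose `Access-Control-Allow-Origin` was computed for one origin away from requests from another origin if `Origin` is actually present in the final `Vary` header. The hook that ends at `return res;` starts outside the hunk, so I can't see whether this line runs for every response or only on the branch that handles an auth token; if it is conditional, responses on the other branches still go out without `Vary: Origin`, and the `@@ -115` comment hunk documenting this line would be overstating coverage.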