Oops, add Vary: Origin to GraphQL requests

Lol I guess we've probably just been having intermittent CORS issues
forever, oops. I hope the cache has been mostly warmed on the right
thing! But today I checked and the entire species/color picker on the
Rails app wasn't working for CORS reasons, so like. Yeah oof.
This commit is contained in:
Emi Matchu 2023-11-02 16:35:11 -07:00
parent 23f1f53b64
commit 3b6bc0b6eb
2 changed files with 8 additions and 4 deletions


@ -57,6 +57,8 @@ async function handle(req, res) {
return res.status(204).end(); return res.status(204).end();
} }
// NOTE: We also have `Vary: Origin` hardcoded into the Apollo implementation,
// since it has other `Vary` stuff going on that's hard to integrate with.
await serverHandler(req, res); await serverHandler(req, res);
// As a sneaky trick, we require the Honeycomb trace to finish before the // As a sneaky trick, we require the Honeycomb trace to finish before the
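Review bot: The added comment says where the second `Vary: Origin` lives but not why the header matters, so a future maintainer has no stated reason not to delete one of the two copies; the reason is that a shared cache keyed only on the URL would otherwise serve a response carrying one origin's `Access-Control-Allow-Origin` to a request from a different origin, which matches the intermittent CORS breakage the commit message describes. I would extend it to `// NOTE: Vary: Origin is also hardcoded into the Apollo implementation (it has other Vary handling that's hard to integrate with). Whatever sets Access-Control-Allow-Origin per request must also vary on Origin, or a shared cache can hand one origin's CORS headers to another.` The CORS handling this refers to, and the start of `handle`, are above the hunk, so I cannot confirm from here which of the two layers actually emits `Access-Control-Allow-Origin`.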


@ -50,7 +50,7 @@ const schema = makeExecutableSchema(
require("./types/PetAppearance"), require("./types/PetAppearance"),
require("./types/User"), require("./types/User"),
require("./types/Zone"), require("./types/Zone"),
]) ]),
); );
const plugins = [cacheControlPluginFork({ calculateHttpHeaders: true })]; const plugins = [cacheControlPluginFork({ calculateHttpHeaders: true })];
@ -75,7 +75,7 @@ const config = {
currentUserId = await getCurrentUserIdViaDb(req); currentUserId = await getCurrentUserIdViaDb(req);
} else { } else {
console.warn( console.warn(
`Unexpected auth mode: ${JSON.stringify(authMode)}. Skipping auth.` `Unexpected auth mode: ${JSON.stringify(authMode)}. Skipping auth.`,
); );
currentUserId = null; currentUserId = null;
} }
@ -99,7 +99,7 @@ const config = {
res.setHeader( res.setHeader(
"Set-Cookie", "Set-Cookie",
`DTIAuthToken=${encodeURIComponent(JSON.stringify(authToken))}; ` + `DTIAuthToken=${encodeURIComponent(JSON.stringify(authToken))}; ` +
`Max-Age=${60 * 60 * 24 * 7}; Secure; HttpOnly; SameSite=Strict` `Max-Age=${60 * 60 * 24 * 7}; Secure; HttpOnly; SameSite=Strict`,
); );
} else { } else {
// Set a header to delete the cookie. (That is, empty and expired.) // Set a header to delete the cookie. (That is, empty and expired.)
@ -115,6 +115,8 @@ const config = {
// for caching user data! That way, login/logout will refresh user data, // for caching user data! That way, login/logout will refresh user data,
// even if it was briefly cached. // even if it was briefly cached.
// //
// We also put Vary: Origin, for compatibility with our CORS stuff!
//
// NOTE: Our frontend JS only sends the Authorization header for user data // NOTE: Our frontend JS only sends the Authorization header for user data
// queries. For public data, the header will be absent, and different // queries. For public data, the header will be absent, and different
// users will still be able to share the same public cache data. // users will still be able to share the same public cache data.
@ -122,7 +124,7 @@ const config = {
// NOTE: At time of writing, I'm not sure we use this in app? I think all // NOTE: At time of writing, I'm not sure we use this in app? I think all
// current user data queries request fields with `maxAge: 0`. But I'm // current user data queries request fields with `maxAge: 0`. But I'm
// adding it just to remove a potential surprise gotcha later! // adding it just to remove a potential surprise gotcha later!
context.response.http.headers.set("Vary", "Authorization"); context.response.http.headers.set("Vary", "Authorization, Origin");
return res; return res;
}, },
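Review bot: `context.response.http.headers.set("Vary", "Authorization, Origin")` on the last changed line replaces any `Vary` value already on the response rather than merging into it, and the comment added in the other file says this pipeline has other `Vary` handling; if that handling runs after this line with its own `set`, the `Authorization` token that the surrounding comments rely on to keep per-user data out of the shared cache is silently dropped, and if it runs before, its tokens are dropped here. Merging tokens into whatever `Vary` is already present is order-independent and removes the "hard to integrate with" problem the other comment mentions. Whether anything else on this path really writes `Vary` is not visible in the hunk, so treat this as hardening rather than a confirmed bug, and it assumes `headers` exposes `get` alongside the `set` used here. The function containing this line begins before the hunk.
```javascript
      // Merge into any Vary tokens already on the response rather than
      // replacing them, so no other header writer can drop Authorization.
      const existingVary = context.response.http.headers.get("Vary");
      const varyTokens = new Set(
        (existingVary ? existingVary.split(",") : [])
          .map((token) => token.trim())
          .filter(Boolean),
      );
      varyTokens.add("Authorization");
      varyTokens.add("Origin");
      context.response.http.headers.set("Vary", [...varyTokens].join(", "));
      return res;
```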