Merge pull request from GHSA-8r69-3cvp-wxc3

In Apollo Server 2, plugins could not set HTTP response headers for HTTP-batched
operations; the headers would simply not be written in that case.

In Apollo Server 3, plugins can set HTTP response headers. They have
access to individual `response.http.headers` objects. In parallel, after
each operation is processed, any response headers it sets are copied to
a shared HTTP response header object. If multiple operations wrote the
same header, the one that finishes its processing last would "win",
without any smart merging.

Apollo Server 4 has the same overall behavior (though the details of the
particular objects in question have changed a bit).

Notably, this means that the `cache-control` response header set by the
cache control plugin had surprising behavior when combined with
batching. If you sent two operations in the same HTTP request with
different cache policies, the response header would be set based only on
one of their policies, not on the combination of the policies. This
could lead to saving data that should not be cached in a cache, or
saving data that should only be cached per-user (`private`) in a more
public cache.

To fix this, we are making a change to the
`GraphQLRequestContext.response` object as seen by plugins. This
object's `http` field is now shared across all operations in a batched
request, instead of being specific to the individual operation. This
means that any changes to headers (or HTTP status code) in plugins
processing one operation are immediately visible to plugins processing
another operation, and so they can properly merge header values.

**This change is technically backwards-incompatible.** However, as this
is a relatively subtle change and as Apollo Server 4 is very new and its
adoption is relatively low (we haven't even formally announced AS4 on
our blog yet), we feel comfortable making this change in a minor version
instead of in a new major version.

The cache control plugin is changed to merge `cache-control` response
headers across multiple operations in a batched request. Note that if
the `cache-control` header is ever set to any value that could not be
written by the cache control plugin, the plugin will refuse to update it
further so as not to lose information. (It is best to only set the
header from one place, and to disable the cache control plugin's
header-writing feature with `calculateHttpHeaders: false` if you want to
write the header from elsewhere.)

Additionally, a new `requestIsBatched: boolean` field is added to
`GraphQLRequestContext`. This isn't read by anything in this PR.
However, we will backport this field to Apollo Server 3, and use it to
disable cache-control header writing for batched requests. (Backporting
the full solution to AS3 would be challenging because the relevant data
structures are more complex, and making a backwards-incompatible change
to an older version like AS3 is more problematic.)

For more information, see
GHSA-8r69-3cvp-wxc3

Author: glasser

.changeset/curvy-cows-vanish.md

@@ -0,0 +1,6 @@
+---
+'@apollo/server-integration-testsuite': minor
+'@apollo/server': minor
+---
+
+The `cache-control` HTTP response header set by the cache control plugin now properly reflects the cache policy of all operations in a batched HTTP request. (If you write the `cache-control` response header via a different mechanism to a format that the plugin would not produce, the plugin no longer writes the header.) For more information, see [advisory GHSA-8r69-3cvp-wxc3](https://github.com/apollographql/apollo-server/security/advisories/GHSA-8r69-3cvp-wxc3).

.changeset/curvy-kiwis-work.md

@@ -0,0 +1,6 @@
+---
+'@apollo/server-integration-testsuite': minor
+'@apollo/server': minor
+---
+
+Plugins processing multiple operations in a batched HTTP request now have a shared `requestContext.request.http` object. Changes to HTTP response headers and HTTP status code made by plugins operating on one operation can be immediately seen by plugins operating on other operations in the same HTTP request.

.changeset/honest-kiwis-poke.md

@@ -0,0 +1,6 @@
+---
+'@apollo/server-integration-testsuite': minor
+'@apollo/server': minor
+---
+
+New field `GraphQLRequestContext.requestIsBatched` available to plugins.

packages/integration-testsuite/src/httpServerTests.ts

@@ -794,7 +794,18 @@ export function defineIntegrationTestSuiteHttpServerTests(
       });
 
       it('can handle a basic request', async () => {
-        const app = await createApp();
+        let requestIsBatched: boolean | undefined;
+        const app = await createApp({
+          schema,
+          allowBatchedHttpRequests: true,
+          plugins: [
+            {
+              async requestDidStart(requestContext) {
+                requestIsBatched = requestContext.requestIsBatched;
+              },
+            },
+          ],
+        });
         const expected = {
           testString: 'it works',
         };
@@ -807,6 +818,7 @@ export function defineIntegrationTestSuiteHttpServerTests(
           'application/json; charset=utf-8',
         );
         expect(res.body.data).toEqual(expected);
+        expect(requestIsBatched).toEqual(false);
       });
 
       it.each([
@@ -897,6 +909,9 @@ export function defineIntegrationTestSuiteHttpServerTests(
             books: [Book]
             cooks: [Cook]
             pooks: [Pook]
+            uncached: ID
+            ten: ID @cacheControl(maxAge: 10)
+            twenty: ID @cacheControl(maxAge: 20, scope: PRIVATE)
           }
 
           enum CacheControlScope {
@@ -928,6 +943,98 @@ export function defineIntegrationTestSuiteHttpServerTests(
           expect(res.headers['cache-control']).toEqual('max-age=200, public');
         });
 
+        it('applies cacheControl Headers for batched operation', async () => {
+          const app = await createApp({
+            typeDefs,
+            resolvers,
+            allowBatchedHttpRequests: true,
+          });
+          {
+            const res = await request(app)
+              .post('/')
+              .send([{ query: '{ten}' }, { query: '{twenty}' }]);
+            expect(res.status).toEqual(200);
+            expect(res.body).toMatchInlineSnapshot(`
+            [
+              {
+                "data": {
+                  "ten": null,
+                },
+              },
+              {
+                "data": {
+                  "twenty": null,
+                },
+              },
+            ]
+          `);
+            expect(res.headers['cache-control']).toEqual('max-age=10, private');
+          }
+          {
+            const res = await request(app)
+              .post('/')
+              .send([{ query: '{twenty}' }, { query: '{ten}' }]);
+            expect(res.status).toEqual(200);
+            expect(res.body).toMatchInlineSnapshot(`
+            [
+              {
+                "data": {
+                  "twenty": null,
+                },
+              },
+              {
+                "data": {
+                  "ten": null,
+                },
+              },
+            ]
+          `);
+            expect(res.headers['cache-control']).toEqual('max-age=10, private');
+          }
+          {
+            const res = await request(app)
+              .post('/')
+              .send([{ query: '{uncached}' }, { query: '{ten}' }]);
+            expect(res.status).toEqual(200);
+            expect(res.body).toMatchInlineSnapshot(`
+            [
+              {
+                "data": {
+                  "uncached": null,
+                },
+              },
+              {
+                "data": {
+                  "ten": null,
+                },
+              },
+            ]
+          `);
+            expect(res.headers['cache-control']).toEqual('no-store');
+          }
+          {
+            const res = await request(app)
+              .post('/')
+              .send([{ query: '{ten}' }, { query: '{uncached}' }]);
+            expect(res.status).toEqual(200);
+            expect(res.body).toMatchInlineSnapshot(`
+            [
+              {
+                "data": {
+                  "ten": null,
+                },
+              },
+              {
+                "data": {
+                  "uncached": null,
+                },
+              },
+            ]
+          `);
+            expect(res.headers['cache-control']).toEqual('no-store');
+          }
+        });
+
         it('applies cacheControl Headers with if-cacheable', async () => {
           const app = await createApp({
             typeDefs,
@@ -1276,7 +1383,18 @@ export function defineIntegrationTestSuiteHttpServerTests(
       });
 
       it('can handle batch requests', async () => {
-        const app = await createApp({ schema, allowBatchedHttpRequests: true });
+        let requestIsBatched: boolean | undefined;
+        const app = await createApp({
+          schema,
+          allowBatchedHttpRequests: true,
+          plugins: [
+            {
+              async requestDidStart(requestContext) {
+                requestIsBatched = requestContext.requestIsBatched;
+              },
+            },
+          ],
+        });
         const expected = [
           {
             data: {
@@ -1289,7 +1407,7 @@ export function defineIntegrationTestSuiteHttpServerTests(
             },
           },
         ];
-        const req = request(app)
+        const res = await request(app)
           .post('/')
           .send([
             {
@@ -1306,13 +1424,12 @@ export function defineIntegrationTestSuiteHttpServerTests(
               operationName: 'testX',
             },
           ]);
-        return req.then((res) => {
-          expect(res.status).toEqual(200);
-          expect(res.body).toEqual(expected);
-          expect(res.header['content-length']).toEqual(
-            Buffer.byteLength(res.text, 'utf8').toString(),
-          );
-        });
+        expect(res.status).toEqual(200);
+        expect(res.body).toEqual(expected);
+        expect(res.header['content-length']).toEqual(
+          Buffer.byteLength(res.text, 'utf8').toString(),
+        );
+        expect(requestIsBatched).toBe(true);
       });
 
       it('can handle non-batch requests when allowBatchedHttpRequests is true', async () => {

packages/server/src/ApolloServer.ts

@@ -1197,6 +1197,7 @@ export class ApolloServer<in out TContext extends BaseContext = BaseContext> {
         graphQLRequest,
         internals: this.internals,
         schemaDerivedData,
+        sharedResponseHTTPGraphQLHead: null,
       },
       options,
     );
@@ -1215,11 +1216,13 @@ export async function internalExecuteOperation<TContext extends BaseContext>(
     graphQLRequest,
     internals,
     schemaDerivedData,
+    sharedResponseHTTPGraphQLHead,
   }: {
     server: ApolloServer<TContext>;
     graphQLRequest: GraphQLRequest;
     internals: ApolloServerInternals<TContext>;
     schemaDerivedData: SchemaDerivedData;
+    sharedResponseHTTPGraphQLHead: HTTPGraphQLHead | null;
   },
   options: ExecuteOperationOptions<TContext>,
 ): Promise<GraphQLResponse> {
@@ -1229,7 +1232,7 @@ export async function internalExecuteOperation<TContext extends BaseContext>(
     schema: schemaDerivedData.schema,
     request: graphQLRequest,
     response: {
-      http: newHTTPGraphQLHead(),
+      http: sharedResponseHTTPGraphQLHead ?? newHTTPGraphQLHead(),
     },
     // We clone the context because there are some assumptions that every operation
     // execution has a brand new context object; specifically, in order to implement
@@ -1249,6 +1252,7 @@ export async function internalExecuteOperation<TContext extends BaseContext>(
     contextValue: cloneObject(options?.contextValue ?? ({} as TContext)),
     metrics: {},
     overallCachePolicy: newCachePolicy(),
+    requestIsBatched: sharedResponseHTTPGraphQLHead !== null,
   };
 
   try {

packages/server/src/externalTypes/requestPipeline.ts

@@ -70,6 +70,13 @@ export interface GraphQLRequestContext<TContext extends BaseContext> {
   readonly metrics: GraphQLRequestMetrics;
 
   readonly overallCachePolicy: CachePolicy;
+
+  /**
+   * True if this request is part of a potentially multi-operation batch. Note
+   * that if this is true, `response.http` will be shared with the other
+   * operations in the batch.
+   */
+  readonly requestIsBatched: boolean;
 }
 
 export type GraphQLRequestContextDidResolveSource<

packages/server/src/httpBatching.ts

@@ -11,53 +11,58 @@ import type {
 import { newHTTPGraphQLHead, runHttpQuery } from './runHttpQuery.js';
 import { BadRequestError } from './internalErrorClasses.js';
 
-export async function runBatchHttpQuery<TContext extends BaseContext>(
-  server: ApolloServer<TContext>,
-  batchRequest: HTTPGraphQLRequest,
-  body: unknown[],
-  contextValue: TContext,
-  schemaDerivedData: SchemaDerivedData,
-  internals: ApolloServerInternals<TContext>,
-): Promise<HTTPGraphQLResponse> {
+async function runBatchedHttpQuery<TContext extends BaseContext>({
+  server,
+  batchRequest,
+  body,
+  contextValue,
+  schemaDerivedData,
+  internals,
+}: {
+  server: ApolloServer<TContext>;
+  batchRequest: HTTPGraphQLRequest;
+  body: unknown[];
+  contextValue: TContext;
+  schemaDerivedData: SchemaDerivedData;
+  internals: ApolloServerInternals<TContext>;
+}): Promise<HTTPGraphQLResponse> {
   if (body.length === 0) {
     throw new BadRequestError('No operations found in request.');
   }
 
-  const combinedResponseHead = newHTTPGraphQLHead();
+  // This single HTTPGraphQLHead is shared across all the operations in the
+  // batch. This means that any changes to response headers or status code from
+  // one operation can be immediately seen by other operations. Plugins that set
+  // response headers or status code can then choose to combine the data they
+  // are setting with data that may already be there from another operation as
+  // they choose.
+  const sharedResponseHTTPGraphQLHead = newHTTPGraphQLHead();
   const responseBodies = await Promise.all(
     body.map(async (bodyPiece: unknown) => {
       const singleRequest: HTTPGraphQLRequest = {
         ...batchRequest,
         body: bodyPiece,
       };
 
-      const response = await runHttpQuery(
+      const response = await runHttpQuery({
         server,
-        singleRequest,
+        httpRequest: singleRequest,
         contextValue,
         schemaDerivedData,
         internals,
-      );
+        sharedResponseHTTPGraphQLHead,
+      });
 
       if (response.body.kind === 'chunked') {
         throw Error(
           'Incremental delivery is not implemented for batch requests',
         );
       }
-      for (const [key, value] of response.headers) {
-        // Override any similar header set in other responses.
-        combinedResponseHead.headers.set(key, value);
-      }
-      // If two responses both want to set the status code, one of them will win.
-      // Note that the normal success case leaves status empty.
-      if (response.status) {
-        combinedResponseHead.status = response.status;
-      }
       return response.body.string;
     }),
   );
   return {
-    ...combinedResponseHead,
+    ...sharedResponseHTTPGraphQLHead,
     body: { kind: 'complete', string: `[${responseBodies.join(',')}]` },
   };
 }
@@ -77,23 +82,24 @@ export async function runPotentiallyBatchedHttpQuery<
       Array.isArray(httpGraphQLRequest.body)
     )
   ) {
-    return await runHttpQuery(
+    return await runHttpQuery({
       server,
-      httpGraphQLRequest,
+      httpRequest: httpGraphQLRequest,
       contextValue,
       schemaDerivedData,
       internals,
-    );
+      sharedResponseHTTPGraphQLHead: null,
+    });
   }
   if (internals.allowBatchedHttpRequests) {
-    return await runBatchHttpQuery(
+    return await runBatchedHttpQuery({
       server,
-      httpGraphQLRequest,
-      httpGraphQLRequest.body as unknown[],
+      batchRequest: httpGraphQLRequest,
+      body: httpGraphQLRequest.body as unknown[],
       contextValue,
       schemaDerivedData,
       internals,
-    );
+    });
   }
   throw new BadRequestError('Operation batching disabled.');
 }