[RFC] Remove X-APOLLO-... custom headers #5345

Closed
martinbonnin opened this issue Nov 2, 2023 · 3 comments
@martinbonnin
Contributor

martinbonnin commented Nov 2, 2023

Description

Apollo Kotlin currently sends 2 extra headers by default with each request:

  • X-APOLLO-OPERATION-NAME
  • X-APOLLO-OPERATION-ID

In order to simplify the code as well as align with other clients, we'd like to remove them.

The only usage we are aware of is to collaborate with CSRF prevention in Apollo Server and Apollo Router. This is useful under these conditions:

  • using Apollo Server or Router and
    • sending GraphQL File Uploads (which we discourage)
    • or using GET requests (for APQs or something else)

In those cases, Apollo Kotlin would add the Apollo-Require-Preflight header, which is more explicit about the intent of the headers.

If X-APOLLO-OPERATION-NAME or X-APOLLO-OPERATION-ID are still required, adding them back is as easy as:

  val apolloClient = ApolloClient.Builder()
      .addInterceptor(object : ApolloInterceptor {
        override fun <D : Operation.Data> intercept(request: ApolloRequest<D>, chain: ApolloInterceptorChain): Flow<ApolloResponse<D>> {
          // Re-add the operation name header to every outgoing request
          return chain.proceed(request.newBuilder().addHttpHeader("X-APOLLO-OPERATION-NAME", request.operation.name()).build())
        }
      })
      .build()

Overall, we feel this is a win for the vast majority of users and the mitigation is quite easy for the others. If you feel otherwise, please comment. Feedback welcome!
Timeline is doing it for v4 by the end of the year.

@glasser
Member

glasser commented Nov 2, 2023

This will mean that the default behavior of Apollo Router and Apollo Server will be to block all GET requests from Apollo Kotlin. I'd encourage you to pair this with adding apollo-require-preflight to all GET requests.

@glasser
Member

glasser commented Nov 2, 2023

(Previous comment was a response to the original version of the issue which has been edited. Note that this applies to Apollo Router as well as Apollo Server.)

@martinbonnin
Contributor Author

> (Previous comment was a response to the original version of the issue which has been edited. Note that this applies to Apollo Router as well as Apollo Server.)

@glasser Yup, apologies about the edits and thank you so much for surfacing this. Initial post edited to:

  • mention GET requests
  • mention Apollo-Require-Preflight (any preference about the casing here?) for both GET and uploads
  • mention Apollo Router in addition to Apollo Server.
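
Added example, not part of the original thread and not Apollo Server's or Apollo Router's own code: a simplified JavaScript model of the server-side CSRF check discussed above, showing which requests still pass once X-APOLLO-OPERATION-NAME is no longer sent. The list of "simple" content types, the pass/fail rule and all function names are assumptions of this sketch.

```javascript
// Simplified model of a preflight-based CSRF check (added example, not Apollo Server's source).
// Assumption: a request passes if its Content-Type is not a CORS "simple" type,
// or if it carries a non-empty header that forces a browser preflight.
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
const PREFLIGHT_HEADERS = ["x-apollo-operation-name", "apollo-require-preflight"];

// Lower-case header names so lookups are case-insensitive, as HTTP requires.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

function passesCsrfCheck(headers, requiredHeaders = PREFLIGHT_HEADERS) {
  const h = normalizeHeaders(headers);
  const contentType = h["content-type"];
  if (contentType !== undefined) {
    // Strip parameters such as "; boundary=..." or "; charset=utf-8".
    const mime = contentType.split(";")[0].trim().toLowerCase();
    if (mime !== "" && !SIMPLE_CONTENT_TYPES.has(mime)) return true;
  }
  return requiredHeaders.some((name) => (h[name] ?? "").trim() !== "");
}

// Constructed sample requests: header sets a client might send, with and without the headers.
const samples = {
  postJson: { "Content-Type": "application/json" },
  getNoHeaders: { Accept: "application/json" },
  getWithOperationName: { "X-APOLLO-OPERATION-NAME": "GetUser" },
  getWithPreflight: { "Apollo-Require-Preflight": "true" },
  uploadNoHeaders: { "Content-Type": "multipart/form-data; boundary=xyz" },
  uploadWithPreflight: {
    "Content-Type": "multipart/form-data; boundary=xyz",
    "Apollo-Require-Preflight": "true",
  },
};

function evaluateSamples() {
  return Object.fromEntries(
    Object.entries(samples).map(([name, headers]) => [name, passesCsrfCheck(headers)])
  );
}
console.log(evaluateSamples());
```

In this model, POST requests with a JSON body pass without either header, which is why only GET requests and multipart uploads are affected by the removal.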
