SachaG
commented
6 years ago Why not. If you're just passing this to the server I don't think it can be a security issue?
Closed Apollinaire closed 6 years ago
SachaG
commented
6 years ago Why not. If you're just passing this to the server I don't think it can be a security issue?
I think it could be a good idea to pass the request headers along in the context, to allow logging internally. This can be done by adding a single line here: https://github.com/VulcanJS/Vulcan/blob/485f7bad379ba3021278e3cf8de0f2ad23bf6be4/packages/vulcan-lib/lib/server/apollo_server.js#L184
options.context.headers = req.headers;It could be useful to add it in the mutators too as said here : https://github.com/VulcanJS/Vulcan/blob/485f7bad379ba3021278e3cf8de0f2ad23bf6be4/packages/vulcan-lib/lib/server/mutators.js#L104
My only problem is wether we should pass the Authorization header, that might be a possible security issue?