apollographql / apollo-kotlin

:rocket:  A strongly-typed, caching GraphQL client for the JVM, Android, and Kotlin multiplatform.
https://www.apollographql.com/docs/kotlin
MIT License

[RFC] Remove `X-APOLLO-...` custom headers #5345

Closed martinbonnin closed 8 months ago

martinbonnin commented 12 months ago

Description

Apollo Kotlin currently sends 2 extra headers by default with each request:

In order to simplify the code as well as align with other clients, we'd like to remove them.

The only usage we are aware of is to collaborate with CSRF prevention in Apollo Server and Apollo Router. This is useful under those conditions:

In those cases, Apollo Kotlin would add the Apollo-Require-Preflight header, which is more explicit about the intent of the headers.

If X-APOLLO-OPERATION-NAME or X-APOLLO-OPERATION-ID are still required, adding them back is as easy as:

  import com.apollographql.apollo3.ApolloClient
  import com.apollographql.apollo3.api.ApolloRequest
  import com.apollographql.apollo3.api.ApolloResponse
  import com.apollographql.apollo3.api.Operation
  import com.apollographql.apollo3.interceptor.ApolloInterceptor
  import com.apollographql.apollo3.interceptor.ApolloInterceptorChain
  import kotlinx.coroutines.flow.Flow
  val apolloClient = ApolloClient.Builder()
      .addInterceptor(object : ApolloInterceptor {
        override fun <D : Operation.Data> intercept(request: ApolloRequest<D>, chain: ApolloInterceptorChain): Flow<ApolloResponse<D>> {
          // Copy the operation name into the header on every outgoing request before handing it down the chain.
          return chain.proceed(request.newBuilder().addHttpHeader("X-APOLLO-OPERATION-NAME", request.operation.name()).build())
        }
      })
      .build()

Overall, we feel this is a win for the vast majority of users and the mitigation is quite easy for the others. If you feel otherwise, please comment. Feedback welcome! The timeline is to do this for v4 by the end of the year.

glasser commented 12 months ago

This will mean that the default behavior of Apollo Router and Apollo Server will be to block all GET requests from Apollo Kotlin. I'd encourage you to pair this with adding apollo-require-preflight to all GET requests.
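To make the consequence described above concrete, here is an added example, not code from Apollo Kotlin, Apollo Server or Apollo Router. It is a simplified, self-contained model of the CSRF-prevention rule those servers apply: a request is accepted when its Content-Type is one a browser cannot send cross-origin without a CORS preflight, and otherwise only when it carries one of the trusted headers. The two header names mirror the documented defaults (x-apollo-operation-name and apollo-require-preflight); the sample requests are constructed to approximate what Apollo Kotlin sends, and the exact parsing done by the real servers is assumed to match this model only in outline.

```kotlin
// Added example: a simplified model of server-side CSRF prevention, used to show
// which Apollo Kotlin requests stop passing once the X-APOLLO-* headers are gone.
// Assumption: the rule is "non-simple Content-Type => accept; otherwise require a
// header that a browser only sends after a preflight" (documented Apollo defaults).

data class HttpRequest(val method: String, val headers: Map<String, String>) {
    // Header names are case-insensitive in HTTP, so look them up that way.
    fun header(name: String): String? =
        headers.entries.firstOrNull { it.key.equals(name, ignoreCase = true) }?.value
}

// Content types a browser may send cross-origin without a CORS preflight.
private val simpleContentTypes = setOf(
    "text/plain",
    "application/x-www-form-urlencoded",
    "multipart/form-data",
)

// Custom headers a browser never attaches cross-origin without a preflight; their
// presence proves the request went through CORS (documented Apollo Server defaults).
private val preflightProvingHeaders = listOf(
    "x-apollo-operation-name",
    "apollo-require-preflight",
)

// Returns null when the request is accepted, otherwise the reason it is rejected.
fun csrfRejectionReason(request: HttpRequest): String? {
    val contentType = request.header("Content-Type")
        ?.substringBefore(';')   // drop parameters such as "; charset=utf-8"
        ?.trim()
        ?.lowercase()
    // A non-simple Content-Type (e.g. application/json) already forced a preflight.
    if (contentType != null && contentType !in simpleContentTypes) return null
    // Simple or missing Content-Type: one of the trusted headers must be present.
    if (preflightProvingHeaders.any { request.header(it) != null }) return null
    return "simple or missing Content-Type and none of $preflightProvingHeaders present"
}

fun main() {
    // Constructed sample requests approximating what Apollo Kotlin sends.
    val samples = linkedMapOf(
        "POST with JSON body" to
            HttpRequest("POST", mapOf("Content-Type" to "application/json")),
        "GET with the query in the URL, no custom headers" to
            HttpRequest("GET", emptyMap()),
        "GET with X-APOLLO-OPERATION-NAME (current default)" to
            HttpRequest("GET", mapOf("X-APOLLO-OPERATION-NAME" to "GetUser")),
        "GET with Apollo-Require-Preflight (proposed)" to
            HttpRequest("GET", mapOf("Apollo-Require-Preflight" to "true")),
        "POST text/plain with charset parameter" to
            HttpRequest("POST", mapOf("Content-Type" to "text/plain; charset=utf-8")),
    )
    for ((label, request) in samples) {
        val reason = csrfRejectionReason(request)
        println("$label -> " + (if (reason == null) "accepted" else "rejected: $reason"))
    }
}
```

Running it shows the POST with a JSON body accepted regardless of headers, the bare GET rejected, and the same GET accepted again as soon as either X-APOLLO-OPERATION-NAME or Apollo-Require-Preflight is attached, which is exactly why dropping the former without adding the latter on GET requests changes the default outcome against Apollo Server and Apollo Router.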

glasser commented 12 months ago

(Previous comment was a response to the original version of the issue which has been edited. Note that this applies to Apollo Router as well as Apollo Server.)

martinbonnin commented 12 months ago

(Previous comment was a response to the original version of the issue which has been edited. Note that this applies to Apollo Router as well as Apollo Server.)

@glasser Yup, apologies about the edits and thank you so much for surfacing this. Initial post edited to: