Using the current_user data producer makes response uncacheable

[dulnan]

When using the current_user data producer the response becomes uncacheable. This is because of this line:

https://github.com/drupal-graphql/graphql/blob/bf9dea39bedc0546df43018fddd398abf545b885/src/Plugin/GraphQL/DataProducer/User/CurrentUser.php#L73

As $this->currentUser is not an instance of CacheableDependencyInterface, the addCacheableDependency() method in RefinableCacheableDependencyTrait will fall back to setting the max age to 0:

https://git.drupalcode.org/project/drupal/-/blob/11.x/core/lib/Drupal/Core/Cache/RefinableCacheableDependencyTrait.php#L23

One option to fix this would be to not set any cacheability at all and leave this up to the consumers of the producer. But that would introduce quite a breaking change, as queries would suddenly become cacheable.

An alternative fix would be to implement a default behaviour that adds the user context (or sets the max age to 0), but introduces a new argument on the producer to prevent this from being done. That way existing implementation still work as before, while making it possible to customise the cacheability when needed.

Happy to do a merge request once the best approach has been found!

[pfrenssen]

I also hit this when using the CurrentUser data producer.

The documentation is clear on what is the intention: the data should be cached per user so that previously logged in users do not leak to newly logged in users. The bug causes the result to be always uncacheable which also effectively prevents data from leaking.

I think the fix is to simply add the user cache context. This will achieve the intended result.