wundergraph / cosmo

The open-source solution to building, maintaining, and collaborating on GraphQL Federation at Scale. The alternative to Apollo Studio and GraphOS.
https://cosmo-docs.wundergraph.com/
Apache License 2.0

Incorrect ClientInfo Handling When Loading Persisted Operations from Cache #1179

Open janeli1 opened 6 days ago

janeli1 commented 6 days ago

Component(s)

router

Component version

N.A.

wgc version

N.A.

controlplane version

N.A.

router version

0.110.1

What happened?

If possible, please create a PR with a failing test to illustrate the issue clearly. Otherwise, please attach a minimum reproduction through a GitHub repository that includes essential information such as the relevant subgraph SDLs. Please also make sure that the instructions for the reproduction are clear, tested, and fully accurate.

Description

There is an issue with the caching mechanism for Persisted Operations. When a request with a valid Persisted Operation ID (POID) is made, the corresponding query body is correctly loaded from the cache. However, if a subsequent request is made with the same POID but an incorrect or different clientInfo, the cached query body is still passed through, regardless of the mismatched clientInfo. This behavior leads to inaccurate operations being processed based on stale or incorrect client data, potentially causing unintended results in the application's response.

This reported issue is caused by the code here: https://github.com/wundergraph/cosmo/blob/router%400.110.1/router/core/operation_processor.go#L317

Loading the PO from the cache checks only the POID. This is different from how the router checks the PO client cache here, with ClientInfo and the POID: https://github.com/wundergraph/cosmo/blob/router%400.110.1/router/internal/persistedoperation/client.go#L73

Steps to Reproduce

  1. Send an HTTP request with a valid POID. Got a valid response.
  2. Send an HTTP request with the same POID but with different clientInfo. Got a valid response.

Expected Result

  1. Send an HTTP request with a valid POID. Got a valid response.
  2. Send an HTTP request with the same POID but with different clientInfo. When clientInfo is not supported, expect an error.

Environment information

Environment

OS: (e.g., "Ubuntu 20.04") Package Manager: pnpm, npm, yarn, etc Compiler(if manually compiled): (e.g., "go 14.2")

Router configuration

No response

Router execution config

No response

Log output

No response

Additional context

No response
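The cache-key mismatch described in the report above, reduced to an added example that is not the router's own code: a cache keyed by POID alone serves a body to a client it was never registered for, while a key of client plus POID falls through to the per-client lookup and errors. `Store`, `Resolver`, `opKey` and `ErrNotFound` are hypothetical names, and the sample operation is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// All names here are hypothetical; this is not the router's code.
var ErrNotFound = errors.New("persisted operation not found for this client")

type opKey struct{ client, poid string }

// Store stands in for the backend where operations are registered per client.
type Store map[opKey]string

// Resolver caches operation bodies in front of the Store.
type Resolver struct {
	store  Store
	cache  map[opKey]string
	scoped bool // false: cache keyed by POID only; true: by client and POID
}

func NewResolver(s Store, scoped bool) *Resolver {
	return &Resolver{store: s, cache: map[opKey]string{}, scoped: scoped}
}

// Load returns the body for poid as requested by client.
func (r *Resolver) Load(client, poid string) (string, error) {
	k := opKey{poid: poid}
	if r.scoped {
		k.client = client
	}
	if body, ok := r.cache[k]; ok {
		return body, nil // a hit skips the per-client store lookup entirely
	}
	body, ok := r.store[opKey{client, poid}]
	if !ok {
		return "", ErrNotFound
	}
	r.cache[k] = body
	return body, nil
}

func main() {
	store := Store{{client: "web", poid: "poid-1"}: "query { me { id } }"} // constructed sample
	for _, scoped := range []bool{false, true} {
		r := NewResolver(store, scoped)
		r.Load("web", "poid-1") // first request warms the cache
		_, err := r.Load("other", "poid-1")
		fmt.Printf("scoped=%v second request error: %v\n", scoped, err)
	}
}
```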

github-actions[bot] commented 6 days ago

WunderGraph commits fully to Open Source and we want to make sure that we can help you as fast as possible. The roadmap is driven by our customers and we have to prioritize issues that are important to them. You can influence the priority by becoming a customer. Please contact us here.

StarpTech commented 6 days ago

Hi @janeli1, thank you for reporting. We will take a look and come back to you soon.