fix: extractCookie from GraphiQLHeader (redwoodjs#6894)

zaiyou12 · Nov 17, 2022 · f1d67a5 · f1d67a5
1 parent da8710f
commit f1d67a5
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 5 deletions.
diff --git a/packages/auth-providers-api/src/dbAuth/__tests__/DbAuthHandler.test.js b/packages/auth-providers-api/src/dbAuth/__tests__/DbAuthHandler.test.js
@@ -1512,6 +1512,36 @@ describe('dbAuth', () => {
     })
   })
 
+  describe('graphiqlHeader', () => {
+    it('returns graphiqlHeader immediately when it recognized', async () => {
+      // graphiQL header only called in dev
+      process.env.NODE_ENV = 'development'
+
+      // setup graphiQL header
+      const dbUser = await createDbUser()
+      event.body = JSON.stringify({
+        extensions: {
+          headers: {
+            'auth-provider': 'dbAuth',
+            cookie: encryptToCookie(
+              JSON.stringify({ id: dbUser.id }) + ';' + 'token'
+            ),
+            authorization: 'Bearer ' + dbUser.id,
+          },
+        },
+      })
+      // create header in usual way
+      event.headers.cookie = encryptToCookie(
+        JSON.stringify({ id: 9999999999 }) + ';' + 'token'
+      )
+
+      // should read session from grphiQL header, not from cookie
+      const dbAuth = new DbAuthHandler(event, context, options)
+      const user = await dbAuth._getCurrentUser()
+      expect(user.id).toEqual(dbUser.id)
+    })
+  })
+
   describe('webAuthnAuthenticate', () => {
     it('throws an error if WebAuthn options are not defined', async () => {
       event = {

diff --git a/packages/auth-providers-api/src/dbAuth/shared.ts b/packages/auth-providers-api/src/dbAuth/shared.ts
@@ -7,18 +7,16 @@ import * as DbAuthError from './errors'
 // names.
 // Checks for cookie in headers in dev when user has generated graphiql headers
 export const extractCookie = (event: APIGatewayProxyEvent) => {
-  let cookieFromGraphiqlHeader
   if (process.env.NODE_ENV === 'development') {
     try {
-      cookieFromGraphiqlHeader = JSON.parse(event.body ?? '{}').extensions
+      const cookieFromGraphiqlHeader = JSON.parse(event.body ?? '{}').extensions
         ?.headers?.cookie
+      return cookieFromGraphiqlHeader
     } catch (e) {
       return event.headers.cookie || event.headers.Cookie
     }
   }
-  return (
-    event.headers.cookie || event.headers.Cookie || cookieFromGraphiqlHeader
-  )
+  return event.headers.cookie || event.headers.Cookie
 }
 
 // decrypts the session cookie and returns an array: [data, csrf]