From 1d4ce0034395147445165022f7d23f42ff638d8a Mon Sep 17 00:00:00 2001 From: Jerel Miller Date: Fri, 8 Nov 2024 12:11:42 -0700 Subject: [PATCH] [Data masking] Ensure deferred payloads are properly masked (#12114) --- .changeset/nervous-owls-hear.md | 5 + .size-limits.json | 4 +- src/__tests__/dataMasking.ts | 517 ++++++++++++++++++++++++++--- src/core/masking.ts | 8 +- src/utilities/graphql/transform.ts | 8 + 5 files changed, 484 insertions(+), 58 deletions(-) create mode 100644 .changeset/nervous-owls-hear.md diff --git a/.changeset/nervous-owls-hear.md b/.changeset/nervous-owls-hear.md new file mode 100644 index 00000000000..760fc8c2c0f --- /dev/null +++ b/.changeset/nervous-owls-hear.md @@ -0,0 +1,5 @@ +--- +"@apollo/client": patch +--- + +Fix error when combining `@unmask` and `@defer` directives on a fragment spread when data masking is enabled. diff --git a/.size-limits.json b/.size-limits.json index 3e3a358df08..1a3c2258651 100644 --- a/.size-limits.json +++ b/.size-limits.json @@ -1,4 +1,4 @@ { - "dist/apollo-client.min.cjs": 41459, - "import { ApolloClient, InMemoryCache, HttpLink } from \"dist/index.js\" (production)": 34213 + "dist/apollo-client.min.cjs": 41506, + "import { ApolloClient, InMemoryCache, HttpLink } from \"dist/index.js\" (production)": 34257 } diff --git a/src/__tests__/dataMasking.ts b/src/__tests__/dataMasking.ts index 44470aa14f8..f8bcd12ceb0 100644 --- a/src/__tests__/dataMasking.ts +++ b/src/__tests__/dataMasking.ts @@ -1848,6 +1848,408 @@ describe("client.watchQuery", () => { new Error("Timeout waiting for next event") ); }); + + test("masks deferred fragments", async () => { + type GreetingFragment = { + recipient: { + name: string; + }; + } & { " $fragmentName"?: "GreetingFragment" }; + + interface Query { + greeting: { + __typename: "Greeting"; + message: string; + } & { " $fragmentRefs"?: { GreetingFragment: GreetingFragment } }; + } + + const fragment: MaskedDocumentNode = gql` + fragment GreetingFragment on Greeting { + recipient { + name + } + } + `; + + const query: MaskedDocumentNode = gql` + query { + greeting { + message + ...GreetingFragment @defer + } + } + + ${fragment} + `; + + const link = new MockSubscriptionLink(); + const client = new ApolloClient({ + dataMasking: true, + cache: new InMemoryCache(), + link, + }); + + const observable = client.watchQuery({ query, variables: { id: 1 } }); + const stream = new ObservableStream(observable); + + link.simulateResult({ + result: { + data: { greeting: { message: "Hello world", __typename: "Greeting" } }, + hasNext: true, + }, + }); + + { + const { data } = await stream.takeNext(); + + expect(data).toEqual({ + greeting: { message: "Hello world", __typename: "Greeting" }, + }); + } + + link.simulateResult({ + result: { + incremental: [ + { + data: { + recipient: { name: "Alice", __typename: "Person" }, + __typename: "Greeting", + }, + path: ["greeting"], + }, + ], + hasNext: false, + }, + }); + + // Since the fragment data is masked, we don't expect to get another result + await expect(stream.takeNext()).rejects.toThrow( + new Error("Timeout waiting for next event") + ); + + expect(client.readQuery({ query })).toEqual({ + greeting: { + message: "Hello world", + __typename: "Greeting", + recipient: { __typename: "Person", name: "Alice" }, + }, + }); + }); + + test("masks deferred fragments within inline fragments", async () => { + type GreetingFragment = { + recipient: { + name: string; + }; + } & { " $fragmentName"?: "GreetingFragment" }; + + interface Query { + greeting: { + __typename: "Greeting"; + message: string; + } & { " $fragmentRefs"?: { GreetingFragment: GreetingFragment } }; + } + + const fragment: MaskedDocumentNode = gql` + fragment GreetingFragment on Greeting { + recipient { + name + } + } + `; + + const query: MaskedDocumentNode = gql` + query { + greeting { + message + ... @defer { + sentAt + ...GreetingFragment + } + } + } + + ${fragment} + `; + + const link = new MockSubscriptionLink(); + const client = new ApolloClient({ + dataMasking: true, + cache: new InMemoryCache(), + link, + }); + + const observable = client.watchQuery({ query, variables: { id: 1 } }); + const stream = new ObservableStream(observable); + + link.simulateResult({ + result: { + data: { greeting: { message: "Hello world", __typename: "Greeting" } }, + hasNext: true, + }, + }); + + { + const { data } = await stream.takeNext(); + + expect(data).toEqual({ + greeting: { message: "Hello world", __typename: "Greeting" }, + }); + } + + link.simulateResult({ + result: { + incremental: [ + { + data: { + sentAt: "2024-01-01", + recipient: { name: "Alice", __typename: "Person" }, + __typename: "Greeting", + }, + path: ["greeting"], + }, + ], + hasNext: false, + }, + }); + + { + const { data } = await stream.takeNext(); + + expect(data).toEqual({ + greeting: { + __typename: "Greeting", + message: "Hello world", + sentAt: "2024-01-01", + }, + }); + } + + expect(client.readQuery({ query })).toEqual({ + greeting: { + __typename: "Greeting", + message: "Hello world", + sentAt: "2024-01-01", + recipient: { __typename: "Person", name: "Alice" }, + }, + }); + }); + + test("does not mask deferred fragments marked with @unmask", async () => { + type GreetingFragment = { + recipient: { + name: string; + }; + } & { " $fragmentName"?: "GreetingFragment" }; + + interface Query { + greeting: { + __typename: "Greeting"; + message: string; + recipient: { + __typename: "Person"; + name: string; + }; + } & { " $fragmentRefs"?: { GreetingFragment: GreetingFragment } }; + } + + const fragment: MaskedDocumentNode = gql` + fragment GreetingFragment on Greeting { + recipient { + name + } + } + `; + + const query: MaskedDocumentNode = gql` + query { + greeting { + message + ...GreetingFragment @defer @unmask + } + } + + ${fragment} + `; + + const link = new MockSubscriptionLink(); + const client = new ApolloClient({ + dataMasking: true, + cache: new InMemoryCache(), + link, + }); + + const observable = client.watchQuery({ query, variables: { id: 1 } }); + const stream = new ObservableStream(observable); + + link.simulateResult({ + result: { + data: { greeting: { message: "Hello world", __typename: "Greeting" } }, + hasNext: true, + }, + }); + + { + const { data } = await stream.takeNext(); + + expect(data).toEqual({ + greeting: { message: "Hello world", __typename: "Greeting" }, + }); + } + + link.simulateResult( + { + result: { + incremental: [ + { + data: { + recipient: { name: "Alice", __typename: "Person" }, + __typename: "Greeting", + }, + path: ["greeting"], + }, + ], + hasNext: false, + }, + }, + true + ); + + { + const { data } = await stream.takeNext(); + + expect(data).toEqual({ + greeting: { + __typename: "Greeting", + message: "Hello world", + recipient: { __typename: "Person", name: "Alice" }, + }, + }); + } + + expect(client.readQuery({ query })).toEqual({ + greeting: { + __typename: "Greeting", + message: "Hello world", + recipient: { __typename: "Person", name: "Alice" }, + }, + }); + }); + + test("handles deferred fragments with a mix of masked and unmasked", async () => { + type GreetingFragment = { + recipient: { + name: string; + }; + } & { " $fragmentName"?: "GreetingFragment" }; + + type TimeFieldsFragment = { + sentAt: string; + } & { " $fragmentName"?: "TimeFieldsFragment" }; + + interface Query { + greeting: { + __typename: "Greeting"; + message: string; + recipient: { + __typename: "Person"; + name: string; + }; + } & { + " $fragmentRefs"?: { + GreetingFragment: GreetingFragment; + TimeFieldsFragment: TimeFieldsFragment; + }; + }; + } + + const query: MaskedDocumentNode = gql` + query { + greeting { + message + ... @defer { + ...GreetingFragment @unmask + ...TimeFieldsFragment + } + } + } + + fragment GreetingFragment on Greeting { + recipient { + name + } + } + + fragment TimeFieldsFragment on Greeting { + sentAt + } + `; + + const link = new MockSubscriptionLink(); + const client = new ApolloClient({ + dataMasking: true, + cache: new InMemoryCache(), + link, + }); + + const observable = client.watchQuery({ query, variables: { id: 1 } }); + const stream = new ObservableStream(observable); + + link.simulateResult({ + result: { + data: { greeting: { message: "Hello world", __typename: "Greeting" } }, + hasNext: true, + }, + }); + + { + const { data } = await stream.takeNext(); + + expect(data).toEqual({ + greeting: { message: "Hello world", __typename: "Greeting" }, + }); + } + + link.simulateResult( + { + result: { + incremental: [ + { + data: { + sentAt: "2024-01-01", + recipient: { name: "Alice", __typename: "Person" }, + __typename: "Greeting", + }, + path: ["greeting"], + }, + ], + hasNext: false, + }, + }, + true + ); + + { + const { data } = await stream.takeNext(); + + expect(data).toEqual({ + greeting: { + __typename: "Greeting", + message: "Hello world", + recipient: { __typename: "Person", name: "Alice" }, + }, + }); + } + + expect(client.readQuery({ query })).toEqual({ + greeting: { + __typename: "Greeting", + message: "Hello world", + sentAt: "2024-01-01", + recipient: { __typename: "Person", name: "Alice" }, + }, + }); + }); }); describe("client.watchFragment", () => { @@ -2710,72 +3112,79 @@ describe("client.watchFragment", () => { }); }); - test("warns when accessing an unmasked field on a watched fragment while using @unmask with mode: 'migrate'", async () => { - using consoleSpy = spyOnConsole("warn"); + // FIXME: This broke with the changes in https://github.com/apollographql/apollo-client/pull/12114 + // which ensure masking works with deferred payloads. Instead of fixing with + // #12114, it will be fixed with https://github.com/apollographql/apollo-client/issues/12043 + // which will fix overagressive warnings. + test.failing( + "warns when accessing an unmasked field on a watched fragment while using @unmask with mode: 'migrate'", + async () => { + using consoleSpy = spyOnConsole("warn"); - type ProfileFieldsFragment = { - __typename: "User"; - age: number; - name: string; - } & { " $fragmentName": "UserFieldsFragment" }; + type ProfileFieldsFragment = { + __typename: "User"; + age: number; + name: string; + } & { " $fragmentName": "UserFieldsFragment" }; - type UserFieldsFragment = { - __typename: "User"; - id: number; - name: string; - /** @deprecated */ - age: number; - } & { " $fragmentName": "UserFieldsFragment" } & { - " $fragmentRefs": { ProfileFieldsFragment: ProfileFieldsFragment }; - }; + type UserFieldsFragment = { + __typename: "User"; + id: number; + name: string; + /** @deprecated */ + age: number; + } & { " $fragmentName": "UserFieldsFragment" } & { + " $fragmentRefs": { ProfileFieldsFragment: ProfileFieldsFragment }; + }; - const fragment: MaskedDocumentNode = gql` - fragment UserFields on User { - id - name - ...ProfileFields @unmask(mode: "migrate") - } + const fragment: MaskedDocumentNode = gql` + fragment UserFields on User { + id + name + ...ProfileFields @unmask(mode: "migrate") + } - fragment ProfileFields on User { - age - name - } - `; + fragment ProfileFields on User { + age + name + } + `; - const client = new ApolloClient({ - dataMasking: true, - cache: new InMemoryCache(), - }); + const client = new ApolloClient({ + dataMasking: true, + cache: new InMemoryCache(), + }); - const observable = client.watchFragment({ - fragment, - fragmentName: "UserFields", - from: { __typename: "User", id: 1 }, - }); - const stream = new ObservableStream(observable); + const observable = client.watchFragment({ + fragment, + fragmentName: "UserFields", + from: { __typename: "User", id: 1 }, + }); + const stream = new ObservableStream(observable); - { - const { data } = await stream.takeNext(); - data.__typename; - data.id; - data.name; + { + const { data } = await stream.takeNext(); + data.__typename; + data.id; + data.name; - expect(consoleSpy.warn).not.toHaveBeenCalled(); + expect(consoleSpy.warn).not.toHaveBeenCalled(); - data.age; + data.age; - expect(consoleSpy.warn).toHaveBeenCalledTimes(1); - expect(consoleSpy.warn).toHaveBeenCalledWith( - "Accessing unmasked field on %s at path '%s'. This field will not be available when masking is enabled. Please read the field from the fragment instead.", - "fragment 'UserFields'", - "age" - ); + expect(consoleSpy.warn).toHaveBeenCalledTimes(1); + expect(consoleSpy.warn).toHaveBeenCalledWith( + "Accessing unmasked field on %s at path '%s'. This field will not be available when masking is enabled. Please read the field from the fragment instead.", + "fragment 'UserFields'", + "age" + ); - // Ensure we only warn once - data.age; - expect(consoleSpy.warn).toHaveBeenCalledTimes(1); + // Ensure we only warn once + data.age; + expect(consoleSpy.warn).toHaveBeenCalledTimes(1); + } } - }); + ); test("can lookup unmasked fragments from the fragment registry in watched fragments", async () => { const fragments = createFragmentRegistry(); diff --git a/src/core/masking.ts b/src/core/masking.ts index 8e136eacbc2..3991940a23c 100644 --- a/src/core/masking.ts +++ b/src/core/masking.ts @@ -169,7 +169,11 @@ function maskSelectionSet( memo[keyName] = data[keyName]; - if (childSelectionSet && data[keyName] !== null) { + if (memo[keyName] === void 0) { + delete memo[keyName]; + } + + if (keyName in memo && childSelectionSet && data[keyName] !== null) { const [masked, childChanged] = maskSelectionSet( data[keyName], childSelectionSet, @@ -261,7 +265,7 @@ function maskSelectionSet( [Object.create(null), false] ); - if ("__typename" in data && !("__typename" in result[0])) { + if (data && "__typename" in data && !("__typename" in result[0])) { result[0].__typename = data.__typename; } diff --git a/src/utilities/graphql/transform.ts b/src/utilities/graphql/transform.ts index f6e8b7e1c55..c89ce1118c5 100644 --- a/src/utilities/graphql/transform.ts +++ b/src/utilities/graphql/transform.ts @@ -722,6 +722,14 @@ export function addNonReactiveToNamedFragments(document: DocumentNode) { return visit(document, { FragmentSpread: (node) => { + // Do not add `@nonreactive` if the fragment is marked with `@unmask` + // since we want to react to changes in this fragment. + if ( + node.directives?.some((directive) => directive.name.value === "unmask") + ) { + return; + } + return { ...node, directives: [