Skip to content

fix: prevent authenticated GraphQL responses from being cached by CDNs#4867

Open
sashor wants to merge 1 commit into
coralproject:developfrom
sashor:fix/graphql-authenticated-cache-headers
Open

fix: prevent authenticated GraphQL responses from being cached by CDNs#4867
sashor wants to merge 1 commit into
coralproject:developfrom
sashor:fix/graphql-authenticated-cache-headers

Conversation

@sashor

@sashor sashor commented Apr 23, 2026

Copy link
Copy Markdown

What does this PR do?

Fixes #4856

When Coral is deployed behind a CDN or reverse proxy with shared caching enabled,
authenticated GraphQL responses may be served across users (e.g. viewerReactionPresence
from one user served to another).

This PR adds a new Apollo Server plugin (CacheControlApolloServerPlugin) that:

  • Sets Vary: Authorization on all GraphQL responses so caches key responses
    separately for authenticated vs unauthenticated requests
  • Sets Cache-Control: private, no-store on authenticated responses so shared
    caches never store user-specific data

These changes will impact:

  • commenters
  • moderators
  • admins
  • developers

What changes to the GraphQL/Database Schema does this PR introduce?

None.

Does this PR introduce any new environment variables or feature flags?

No.

If any indexes were added, were they added to INDEXES.md?

No indexes were added.

How do I test this PR?

  1. Run Coral locally and sign in as a user
  2. Open DevTools → Network → filter graphql
  3. Click any GraphQL request → Response Headers
  4. Verify Cache-Control: private, no-store and Vary: Authorization are present
  5. Sign out and repeat — unauthenticated responses should only have Vary: Authorization

Were any tests migrated to React Testing Library?

No.

How do we deploy this PR?

No special deployment steps required.

Adds CacheControlApolloServerPlugin that sets:
- Vary: Authorization on all GraphQL responses
- Cache-Control: private, no-store on authenticated responses

This prevents CDNs and reverse proxies from serving one user's cached
data to another user.

Fixes coralproject#4856
@netlify

netlify Bot commented Apr 23, 2026

Copy link
Copy Markdown

Deploy Preview for gallant-galileo-14878c canceled.

Name Link
🔨 Latest commit 80ca0d0
🔍 Latest deploy log https://app.netlify.com/projects/gallant-galileo-14878c/deploys/69e9ea66aa0add00082b1198

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Authenticated GraphQL responses may be cached across users when behind a CDN

1 participant