fix(auth-cookie): parse grafserv body and set cookies correctly

- Add cookie-parser middleware to support CSRF double-submit pattern
- Parse GraphQL body from grafserv's getBody() buffer in AuthCookiePlugin
- Set cookies directly on Express response to ensure proper HTTP headers
- Fix NaN maxAge by handling unparseable authSettings values

The AuthCookiePlugin now correctly intercepts auth mutations and sets
session cookies via the Express response, ensuring multiple Set-Cookie
headers are sent separately as required by HTTP spec.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: theothersideofgod

graphql/server/package.json

@@ -80,12 +80,14 @@
   },
   "devDependencies": {
     "@aws-sdk/client-s3": "^3.1009.0",
+    "@types/cookie-parser": "^1.4.10",
     "@types/cors": "^2.8.17",
     "@types/express": "^5.0.6",
     "@types/graphql-upload": "^8.0.12",
     "@types/multer": "^2.1.0",
     "@types/pg": "^8.18.0",
     "@types/request-ip": "^0.0.41",
+    "cookie-parser": "^1.4.7",
     "graphile-test": "workspace:*",
     "makage": "^0.3.0",
     "nodemon": "^3.1.14",

graphql/server/src/middleware/cookie.ts

@@ -22,11 +22,15 @@ export const getSessionCookieConfig = (
   authSettings?: AuthSettings,
   rememberMe = false
 ): CookieConfig => {
-  const maxAge = rememberMe && authSettings?.rememberMeDuration
-    ? parseInt(authSettings.rememberMeDuration, 10)
-    : authSettings?.cookieMaxAge
-      ? parseInt(authSettings.cookieMaxAge, 10)
-      : 86400; // 24 hours default
+  const DEFAULT_MAX_AGE = 86400; // 24 hours
+  let maxAge = DEFAULT_MAX_AGE;
+  if (rememberMe && authSettings?.rememberMeDuration) {
+    const parsed = parseInt(authSettings.rememberMeDuration, 10);
+    if (!isNaN(parsed)) maxAge = parsed;
+  } else if (authSettings?.cookieMaxAge) {
+    const parsed = parseInt(authSettings.cookieMaxAge, 10);
+    if (!isNaN(parsed)) maxAge = parsed;
+  }
 
   return {
     secure: authSettings?.cookieSecure ?? process.env.NODE_ENV === 'production',

graphql/server/src/plugins/auth-cookie-plugin.ts

@@ -220,7 +220,20 @@ export const AuthCookiePlugin: GraphileConfig.Plugin = {
           }
 
           // Get request body for mutation detection
-          const body = req.body as GraphQLRequestBody;
+          // grafserv provides getBody() which returns { type: 'buffer', buffer: Buffer }
+          let body: GraphQLRequestBody | undefined;
+          if (typeof event.requestDigest.getBody === 'function') {
+            try {
+              const rawBody = await event.requestDigest.getBody() as { type?: string; buffer?: Buffer };
+              if (rawBody?.type === 'buffer' && rawBody.buffer) {
+                const jsonStr = rawBody.buffer.toString('utf8');
+                body = JSON.parse(jsonStr) as GraphQLRequestBody;
+              }
+            } catch (e) {
+              log.debug('[auth-cookie] Failed to parse body from requestDigest');
+            }
+          }
+          body = body || (req.body as GraphQLRequestBody);
           if (!body?.query) {
             return result;
           }
@@ -283,24 +296,38 @@ export const AuthCookiePlugin: GraphileConfig.Plugin = {
               }
             }
 
-            // Return modified result with Set-Cookie headers
+            // Set cookies directly on Express response and return modified headers
             if (cookiesToSet.length > 0) {
-              const existingSetCookie = bufferResult.headers['set-cookie'];
-              let newSetCookie: string;
-
-              if (existingSetCookie) {
-                // Append to existing Set-Cookie
-                newSetCookie = `${existingSetCookie}, ${cookiesToSet.join(', ')}`;
-              } else {
-                newSetCookie = cookiesToSet.join(', ');
+              const res = (event.requestDigest.requestContext as { expressv4?: { res?: { setHeader: (name: string, value: string[]) => void; getHeader: (name: string) => string | string[] | undefined } } })?.expressv4?.res;
+
+              if (res?.setHeader) {
+                // Get existing Set-Cookie headers from Express response
+                const existingCookies = res.getHeader('Set-Cookie');
+                const allCookies: string[] = [];
+
+                if (existingCookies) {
+                  if (Array.isArray(existingCookies)) {
+                    allCookies.push(...existingCookies);
+                  } else {
+                    allCookies.push(existingCookies);
+                  }
+                }
+                allCookies.push(...cookiesToSet);
+
+                // Set as array to get multiple Set-Cookie headers
+                res.setHeader('Set-Cookie', allCookies);
               }
 
+              // Also update the BufferResult headers for grafserv to pass through
+              const existingBufferCookie = bufferResult.headers['set-cookie'];
+              const updatedHeaders = { ...bufferResult.headers };
+
+              // Remove set-cookie from grafserv headers since we set it on Express
+              delete updatedHeaders['set-cookie'];
+
               return {
                 ...bufferResult,
-                headers: {
-                  ...bufferResult.headers,
-                  'set-cookie': newSetCookie,
-                },
+                headers: updatedHeaders,
               };
             }
           } catch (err) {

graphql/server/src/server.ts

@@ -5,6 +5,7 @@ import { Logger } from '@pgpmjs/logger';
 import { healthz, poweredBy, svcCache, trustProxy } from '@pgpmjs/server-utils';
 import { PgpmOptions } from '@pgpmjs/types';
 import { middleware as parseDomains } from '@constructive-io/url-domains';
+import cookieParser from 'cookie-parser';
 import express, { Express, NextFunction, Request, RequestHandler, Response } from 'express';
 import type { Server as HttpServer } from 'http';
 import graphqlUpload from 'graphql-upload';
@@ -148,6 +149,7 @@ class Server {
     }
 
     app.use(poweredBy('constructive'));
+    app.use(cookieParser());
     app.use(cors(fallbackOrigin));
     app.use('/graphql', graphqlUpload.graphqlUploadExpress({
       maxFileSize: 10 * 1024 * 1024, // 10 MB