Skip to content

feat(graphql-server): Cookie Lifecycle & CSRF Enforcement#1041

Open
theothersideofgod wants to merge 9 commits intomainfrom
feat/server-auth-cookie-csrf
Open

feat(graphql-server): Cookie Lifecycle & CSRF Enforcement#1041
theothersideofgod wants to merge 9 commits intomainfrom
feat/server-auth-cookie-csrf

Conversation

@theothersideofgod
Copy link
Copy Markdown
Contributor

@theothersideofgod theothersideofgod commented Apr 30, 2026
edited
Loading

Summary

Implements server-side cookie management for authentication flows, addressing #749.

  • Session cookies: Automatically set constructive_session cookie on successful auth mutations (signIn, signUp, SSO, MFA, etc.)
  • Sign out: Clear both session and device token cookies on signOut/revokeSession/revokeAllSessions
  • CSRF protection: Integrated with existing CSRF middleware, preserves CSRF token cookies
  • Multi-tenant support: Works correctly with both main database and tenant databases

Why grafserv Plugin Instead of Express Middleware?

Initially attempted to implement this using Express middleware, but encountered architectural limitations:

Express middleware approach (doesn't work):

// Attempted to intercept res.json() to set cookies
const originalJson = res.json.bind(res);
res.json = (body) => {
  if (body?.data?.signIn?.accessToken) {
    res.cookie('constructive_session', body.data.signIn.accessToken);
  }
  return originalJson(body);
};

The problem: PostGraphile v5 (grafserv) uses streaming responses. The response is serialized to a buffer internally by grafserv and written directly to the stream — it never passes through res.json(). Express middleware cannot intercept this.

grafserv plugin approach (correct solution):

grafserv: {
  middleware: {
    async processRequest(next, event) {
      const result = await next();  // Get complete response
      // Parse buffer, extract accessToken, set cookies
      return { ...result, headers: { 'set-cookie': [...] } };
    }
  }
}

This allows us to modify headers before grafserv sends the response, correctly setting cookies at the right layer.

Key Changes

New Files

  • graphql/server/src/plugins/auth-cookie-plugin.ts - grafserv plugin for cookie lifecycle
  • graphql/server/src/plugins/__tests__/auth-cookie-plugin.test.ts - 25 unit tests

Modified Files

  • graphql/server/src/middleware/graphile.ts - Wire AuthCookiePreset into PostGraphile
  • graphql/server/src/middleware/cookie.ts - Fix rememberMe duration logic
  • graphql/server/src/server.ts - Remove old Express middleware

Removed Files

  • graphql/server/src/middleware/auth-cookie.ts - Old Express middleware (didn't work with grafserv streaming)
  • graphql/server/src/middleware/__tests__/auth-cookie.test.ts - Old tests

Cookie Behavior

Mutation Action
signIn, signUp, signInSso, signUpSso, signInMagicLink, signUpMagicLink, signInEmailOtp, signInSmsOtp, signUpSms, signInOneTimeToken, signInCrossOrigin, completeMfaChallenge, refreshToken Set constructive_session cookie (+ constructive_device_token if returned)
signOut, revokeSession, revokeAllSessions Clear both cookies

Cookie Attributes

  • HttpOnly: true (XSS protection)
  • SameSite: Lax (CSRF protection)
  • Path: /
  • MaxAge: 1 hour default, 30 days with rememberMe: true

Test Plan

  • Unit tests: 45 tests passing (25 plugin + 11 CSRF + 9 cookie)
  • Integration test: Main database (api.localhost:3000)
  • Integration test: Tenant database (auth-xxx.localhost:3000)
  • Verify CSRF token preserved alongside session cookie
  • Verify signOut clears both session and device cookies

Related

Closes #749

🤖 Generated with Claude Code

theothersideofgod and others added 9 commits April 30, 2026 17:13
@theothersideofgod @claude
feat(graphql-server): add AuthSettings type and cookie helpers
2c3a4f8 
- Add AuthSettings interface for cookie configuration
- Add cookie.ts with session/device cookie helpers:
  - buildCookieOptions() - builds Express cookie options from settings
  - setSessionCookie() / clearSessionCookie()
  - setDeviceTokenCookie() / clearDeviceTokenCookie()
- Support rememberMe for extended session duration
- Parse PostgreSQL interval format for durations

Refs: constructive-io/constructive-planning#749

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@theothersideofgod @claude
feat(graphql-server): add auth-cookie middleware for session management
bee4d51 
- Intercept auth mutation responses (signIn, signUp, signOut, etc.)
- Set constructive_session cookie on successful authentication
- Clear session cookie on signOut/revokeSession
- Set constructive_device_token cookie for device tracking
- Support rememberMe from mutation input variables

Refs: constructive-io/constructive-planning#749

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@theothersideofgod @claude
feat(graphql-server): load AuthSettings from tenant database
5370ec2 
- Add sessions_module query to get auth_settings table location
- Add queryAuthSettings() to fetch settings from tenant DB
- Update toApiStructure() to include authSettings
- Load auth settings in parallel with RLS module

Refs: constructive-io/constructive-planning#749

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@theothersideofgod @claude
feat(graphql-server): wire CSRF and auth-cookie middleware
acadf84 
- Add cookie-parser and @constructive-io/csrf dependencies
- Add CSRF middleware with double-submit cookie pattern
- Skip CSRF check for Bearer token authentication
- Add auth-cookie middleware to intercept responses
- Add CSRF error codes to SAFE_ERROR_CODES allowlist

Refs: constructive-io/constructive-planning#749

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@theothersideofgod @claude
test(graphql-server): add cookie and auth-cookie unit tests
b1249fc 
- Add cookie.test.ts with 9 tests for cookie helpers
- Add auth-cookie.test.ts with 13 tests for middleware
- Test session cookie set/clear on auth mutations
- Test device token cookie handling
- Test rememberMe duration extension

Refs: constructive-io/constructive-planning#749

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@theothersideofgod @claude
test(graphql-server): add CSRF middleware unit tests
cf1560b 
- Test Bearer token authentication skips CSRF
- Test GET/HEAD/OPTIONS requests skip CSRF
- Test anonymous requests (no session cookie) skip CSRF
- Test cookie-authenticated requests require valid CSRF token
- Test CSRF token validation (missing, invalid, valid)
- Test CSRF token from header and body

Refs: constructive-io/constructive-planning#749

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@theothersideofgod @claude
fix(types): add enableCaptcha to AuthSettings interface
1e563b1 
The captcha middleware references this property, so it needs to be
included in the AuthSettings type definition.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@theothersideofgod @claude
refactor(graphql-server): replace auth-cookie middleware with grafser…
2123e58 
…v plugin

- Replace Express middleware with grafserv processRequest plugin
- Fix cookie handling for grafserv streaming responses (buffer parsing)
- Handle multiple Set-Cookie headers correctly (array format)
- Preserve CSRF cookies when setting session cookies
- Fix rememberMe cookie duration logic
- Remove old middleware and tests (will add plugin tests separately)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@theothersideofgod @claude
test(graphql-server): add AuthCookiePlugin unit tests
8b29938 
- Test preset structure and plugin metadata
- Test session cookie on auth mutations (signIn, signUp, etc.)
- Test cookie clearing on sign out mutations
- Test device token cookie handling
- Test CSRF cookie preservation
- Test buffer and JSON response handling
- Test mutation detection regex patterns

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@theothersideofgod theothersideofgod force-pushed the feat/server-auth-cookie-csrf branch from 7263419 to 8b29938 Compare April 30, 2026 09:14
@socket-security
Copy link
Copy Markdown

socket-security Bot commented Apr 30, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Added@​pgpm/​metaschema-schema@​0.18.0511009394100
Added@​pgpm/​metaschema-modules@​0.21.1511009396100
Added@​pgpm/​database-jobs@​0.18.0511009396100
Added@​pgpm/​inflection@​0.18.0511009396100
Added@​pgpm/​types@​0.18.0511009396100
Added@​pgpm/​verify@​0.18.0511009396100
Added@​launchql/​styled-email@​0.1.0691006375100
Added@​pgpm/​services@​0.18.0721006594100
Added@​jest/​test-sequencer@​30.3.01001006792100
Added@​launchql/​mjml@​0.1.1731006875100
Added@​types/​babel__generator@​7.27.01001007280100
Added@​inquirerer/​utils@​3.3.57310010092100
Added@​agentic-kit/​ollama@​1.0.37310010088100
Added@​inquirerer/​test@​1.3.57610010094100
Added@​dataplan/​json@​1.0.0931007788100
Added@​0no-co/​graphql.web@​1.2.01001009583100
Added@​dataplan/​pg@​1.0.0901008494100
Added@​aws-sdk/​lib-storage@​3.1009.01001008598100
Added@​testing-library/​react@​11.2.510010010087100
Added@​tanstack/​react-query@​5.90.219910088100100
Added@​testing-library/​jest-dom@​5.11.1010010010089100
Added@​pgsql/​traverse@​17.2.59210010089100
Added@​graphile/​simplify-inflection@​8.0.08910010093100
Added@​graphile-contrib/​pg-many-to-many@​2.0.0-rc.29210010092100
Added@​pgsql/​utils@​17.8.159310010095100
Added@​aws-sdk/​client-s3@​3.1009.09810010098100
Added@​aws-sdk/​s3-request-presigner@​3.1017.010010010098100
Added@​playwright/​test@​1.58.210010010099100

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@theothersideofgod