Merge branch 'main' into main

playground/CHANGELOG.md

@@ -4,6 +4,12 @@ Binaries are attached to the github release otherwise all images can be found [h
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [0.2.1](https://github.com/wundergraph/cosmo/compare/@wundergraph/[email protected]...@wundergraph/[email protected]) (2024-08-15)
+
+### Bug Fixes
+
+* polyfill crypto.randomUUID for localhost ([#1086](https://github.com/wundergraph/cosmo/issues/1086)) ([1a7776b](https://github.com/wundergraph/cosmo/commit/1a7776b1c1b2cfdf4095cf8046fe5f97bb641fe1)) (@StarpTech)
+
 # [0.2.0](https://github.com/wundergraph/cosmo/compare/@wundergraph/[email protected]...@wundergraph/[email protected]) (2024-08-09)
 
 ### Features

playground/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wundergraph/playground",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "description": "Cosmo Playground built on top of graphiql",
   "author": {
     "name": "WunderGraph Maintainers",

playground/src/App.tsx

@@ -1,3 +1,4 @@
+import '@/lib/random-uuid'; // Polyfill
 import { Playground } from './components/playground';
 
 export default function App() {

playground/src/lib/random-uuid.ts

@@ -0,0 +1,15 @@
+// Polyfill for crypto.randomUUID
+// crypto.randomUUID() is now standard on all modern browsers and JS runtimes.
+// However, because new browser APIs are restricted to secure contexts,
+// this method is only available to pages served locally (localhost or 127.0.0.1) or over HTTPS.
+// This polyfill is a fallback for when crypto.randomUUID is not available.
+// https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues
+if (!('randomUUID' in crypto)) {
+  // https://stackoverflow.com/a/2117523/2800218
+  // @ts-ignore-next-line
+  crypto.randomUUID = (): string => {
+    return '10000000-1000-4000-8000-100000000000'.replace(/[018]/g, (c) =>
+      (+c ^ (crypto.getRandomValues(new Uint8Array(1))[0] & (15 >> (+c / 4)))).toString(16),
+    );
+  };
+}

router/CHANGELOG.md

@@ -4,6 +4,19 @@ Binaries are attached to the github release otherwise all images can be found [h
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [0.105.2](https://github.com/wundergraph/cosmo/compare/[email protected]@0.105.2) (2024-08-16)
+
+### Bug Fixes
+
+* don't propagate client content negotiation headers with wildcard ([#1089](https://github.com/wundergraph/cosmo/issues/1089)) ([2e7d8d2](https://github.com/wundergraph/cosmo/commit/2e7d8d27d7fdaf0cc66cfb65ff3a8012fe083679)) (@StarpTech)
+* dont initialize persisted operation client when disabled ([#1083](https://github.com/wundergraph/cosmo/issues/1083)) ([b483053](https://github.com/wundergraph/cosmo/commit/b483053d9be976895863aea1af90e01670731ba6)) (@flymedllva)
+
+## [0.105.1](https://github.com/wundergraph/cosmo/compare/[email protected]@0.105.1) (2024-08-15)
+
+### Bug Fixes
+
+* polyfill crypto.randomUUID for localhost ([#1086](https://github.com/wundergraph/cosmo/issues/1086)) ([1a7776b](https://github.com/wundergraph/cosmo/commit/1a7776b1c1b2cfdf4095cf8046fe5f97bb641fe1)) (@StarpTech)
+
 # [0.105.0](https://github.com/wundergraph/cosmo/compare/[email protected]@0.105.0) (2024-08-15)
 
 ### Features

router/core/header_rule_engine.go

@@ -4,24 +4,36 @@ import (
 	"fmt"
 	"net/http"
 	"regexp"
+	"slices"
 
 	"github.com/wundergraph/cosmo/router/pkg/config"
 
 	nodev1 "github.com/wundergraph/cosmo/router/gen/proto/wg/cosmo/node/v1"
 )
 
 var (
-	_          EnginePreOriginHandler = (*HeaderRuleEngine)(nil)
-	hopHeaders                        = []string{
+	_              EnginePreOriginHandler = (*HeaderRuleEngine)(nil)
+	ignoredHeaders                        = []string{
+		"Alt-Svc",
 		"Connection",
 		"Proxy-Connection", // non-standard but still sent by libcurl and rejected by e.g. google
+
+		// Hop-by-hop headers
+		// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Connection
 		"Keep-Alive",
 		"Proxy-Authenticate",
 		"Proxy-Authorization",
 		"Te",      // canonicalized version of "TE"
 		"Trailer", // not Trailers per URL above; https://www.rfc-editor.org/errata_search.php?eid=4522
 		"Transfer-Encoding",
 		"Upgrade",
+
+		// Content Negotiation. We must never propagate the client headers to the upstream
+		// The router has to decide on its own what to send to the upstream
+		"Content-Type",
+		"Accept-Encoding",
+		"Accept-Charset",
+		"Accept",
 	}
 )
 
@@ -75,10 +87,18 @@ func (h HeaderRuleEngine) OnOriginRequest(request *http.Request, ctx RequestCont
 	}
 
 	for _, rule := range requestRules {
-		// Forwards the matching client request header to the upstream
 		if rule.Operation == config.HeaderRuleOperationPropagate {
-			// Rename the header when name is provided
+
+			/**
+			 *	Rename the header before propagating and delete the original
+			 */
+
 			if rule.Rename != "" && rule.Named != "" {
+				// Ignore the rule when the target header is in the ignored list
+				if slices.Contains(ignoredHeaders, rule.Rename) {
+					continue
+				}
+
 				value := ctx.Request().Header.Get(rule.Named)
 				if value != "" {
 					request.Header.Set(rule.Rename, ctx.Request().Header.Get(rule.Named))
@@ -89,31 +109,48 @@ func (h HeaderRuleEngine) OnOriginRequest(request *http.Request, ctx RequestCont
 					request.Header.Del(rule.Named)
 					continue
 				}
+
+				continue
 			}
 
-			// Exact match
+			/**
+			 *	Propagate the header as is
+			 */
+
 			if rule.Named != "" {
+				if slices.Contains(ignoredHeaders, rule.Named) {
+					continue
+				}
+
 				value := ctx.Request().Header.Get(rule.Named)
 				if value != "" {
 					request.Header.Set(rule.Named, ctx.Request().Header.Get(rule.Named))
 				} else if rule.Default != "" {
 					request.Header.Set(rule.Named, rule.Default)
 				}
+
 				continue
 			}
 
-			// Regex match
+			/**
+			 * Matching based on regex
+			 */
+
 			if regex, ok := h.regex[rule.Matching]; ok {
 				for name := range ctx.Request().Header {
-					// Skip hop-by-hop headers and connection headers
-					if contains(hopHeaders, name) {
-						continue
-					}
 					// Headers are case-insensitive, but Go canonicalize them
 					// Issue: https://github.com/golang/go/issues/37834
 					if regex.MatchString(name) {
-						// Rename the header when matiching is provided
+
+						/**
+						 *	Rename the header before propagating and delete the original
+						 */
 						if rule.Rename != "" && rule.Named == "" {
+
+							if slices.Contains(ignoredHeaders, rule.Rename) {
+								continue
+							}
+
 							value := ctx.Request().Header.Get(name)
 							if value != "" {
 								request.Header.Set(rule.Rename, ctx.Request().Header.Get(name))
@@ -122,28 +159,26 @@ func (h HeaderRuleEngine) OnOriginRequest(request *http.Request, ctx RequestCont
 								request.Header.Set(rule.Rename, rule.Default)
 								request.Header.Del(name)
 							}
-						} else {
-							request.Header.Set(name, ctx.Request().Header.Get(name))
+
+							continue
 						}
+
+						/**
+						 *	Propagate the header as is
+						 */
+						if slices.Contains(ignoredHeaders, name) {
+							continue
+						}
+						request.Header.Set(name, ctx.Request().Header.Get(name))
 					}
 				}
-				continue
 			}
 		}
 	}
 
 	return request, nil
 }
 
-func contains(list []string, item string) bool {
-	for _, l := range list {
-		if l == item {
-			return true
-		}
-	}
-	return false
-}
-
 // SubgraphRules returns the list of header rules for the subgraph with the given name
 func SubgraphRules(rules *config.HeaderRules, subgraphName string) []config.RequestHeaderRule {
 	var subgraphRules []config.RequestHeaderRule