Warning: Apollo Server >= 2.4 caches validation result

[ravangen]

A feature added to Apollo Server 2.4 (apollographql/apollo-server#2111) introduces a document store that caches successfully parsed and validated documents for future requests (LRU).

This can lead to a case where a query with good variables passes the dynamic validation cost check (see #12) and subsequent requests with the same query but different, larger variables would not trigger the validation rule due to the usage of the cache.

I don't have a sample reproduction repository, but here is an example with maximumCost: 10:

Schema:

type Query {
  "List businesses."
  businesses(page: Int! = 1, pageSize: Int! = 10): BusinessConnection
    @cost(complexity: 1, multipliers: ["pageSize"])
}

Query:

query ($pageSize: Int! = 10) {
  businesses(pageSize: $pageSize) {
    edges {
      node {
        id
        name
      }
    }
  }
}

First request query variables (validation is run) - passes validation:

{
  "pageSize": 10
}

Second request query variables (validation is skipped) - should fail validation but passes

{
  "pageSize": 100
}

[ellispritchard]

Verified.

Since you can't disable this cache in ApolloServer (perhaps a PR?), you have to subclass ApolloServer and set the documentStore property to undefined, via createGraphQLServerOptions.

NB you have to subclass ApolloServer to get graphql-cost-analysis working with variables in Apollo Server 2 anyway, see #12.