wrong behavie when there are same keys in responseInit.headers

I bumped into this, too. Just to clarify the use case, when using cookie-based auth it’s common to set two cookies to mitigate against CSRF attacks (known as the double-submit cookie pattern). I do think this would be a good thing for Apollo Server to eventually support, but I fear that doing so would be a breaking change.

As @yurist38 pointed out, Apollo Server is leaning on node-fetch’s Headers class which doesn’t allow for setting the same header key more than once (which would appear to be against the official fetch standard which specifically mentions:

A header list is essentially a specialized multimap. An ordered list of key-value pairs with potentially duplicate keys.

Furthermore the Header class appears to stringify any value passed to set, such that ["foo", "bar"] will turn into "foo, bar". So, not only can we not call set twice with the same key, we can’t pass something more complicated to set.

I’m running apollo-server-lambda, and Lambda has an API for setting multi-value headers via the mutliValueHeaders key in the response object. So, my current work-around is to:

1. Stringify an array of cookie values (using JSON.stringify so that I can parse it back out again)
2. Proxy the Apollo handler to check the value for set-cookie and parse it back into an array, and then set mutltiValueHeaders instead of plain headers.

Here’s what that looks like for anyone curious:

const handleManyCookies = (headers = {}) => {
  if (headers["set-cookie"]) {
    try {
      const value = JSON.parse(headers["set-cookie"]);
      if (Array.isArray(value)) {
        return {
          multiValueHeaders: {
            ...headers,
            "set-cookie": value,
          },
        };
      }
    } catch (err) {
      return { headers };
    }
  }

  return { headers };
};

const proxiedHandler = (event, context, cb) => {
  const apolloHandler = server.createHandler({
    cors: {
      origin: "*",
      credentials: true,
    },
  });

  return apolloHandler(event, context, (err, response = {}) => {
    if (err) {
      cb(err);
    } else {
      const { headers, ...responseData } = response;
      const newHeaders = handleManyCookies(headers);

      cb(null, {
        ...responseData,
        ...newHeaders,
      });
    }
  });
};

I’d be wary of suggesting a way to address all of this in apollo-server because it feels like a pretty substantial change would be needed to the underlying way it handles headers. Even if node-fetch released support for multi-value headers tomorrow, there’d still need to be changes made in this library for correctly parsing that API change and applying it correctly to the various server plugins. To me, this feels like something the core team needs to decide if it wants to support (IMHO, it really ought to) and then come up with an approach that isn’t dependent on node-fetch (an Apollo-specific headers implementation).

Hope all this is helpful both to anyone else who lands here looking for a way around this, and to the core team in deciding how to move forward with this issue.

Any updates on this one? I clearly see that it’s not possible to send multiple cookies now, faced this issue in my project too. Please take a look at the problem! Thanks!