CookieOverflow for Own Schema Mount #112

Closed
grdmnt opened this issue Jun 22, 2020 · 4 comments · Fixed by #113
Labels
bug Something isn't working

Comments


grdmnt commented Jun 22, 2020

Describe the bug

When using the own-schema mount option, our session cookie overflows. This happened immediately after I removed the routes.rb mount option. It is due to the value saved in the session for 'warden.user.user.key' being the entire object rather than a string or integer.

[Screenshot: Screen Shot 2020-06-22 at 7 32 28 PM]

Environment

source 'https://rubygems.org'
git_source(:github) { |repo| "https://github.com/#{repo}.git" }

ruby '2.6.6'

gem 'rails', '~> 6.0.3', '>= 6.0.3.1'

gem 'activeadmin', '~> 2.7.0'
gem 'activeadmin_quill_editor', '~> 0.2.0'
gem 'arctic_admin', '~> 3.2.0'
gem 'bootsnap', '>= 1.4.2', require: false
gem 'graphiql-rails', '~> 1.7.0'
gem 'graphql', '~> 1.10.13'
gem 'graphql_devise', '~> 0.12.3'
gem 'html2text', '~> 0.3.1'
gem 'money-rails', '~>1.13.3'
gem 'pg', '>= 0.18', '< 2.0'
gem 'puma', '~> 4.1'
gem 'pundit', '~> 2.1.0'
gem 'rack-cors', '~> 1.1.1'
gem 'state_machines-activerecord', '~> 0.6.0'

group :development, :test do
  gem 'byebug', platforms: %i[mri mingw x64_mingw]
  gem 'factory_bot_rails', '~> 5.2.0'
  gem 'faker', '~> 2.12'
  gem 'pry', '~> 0.13.1'
  gem 'rspec-rails', '~> 4.0.1'
end

group :development do
  gem 'listen', '~> 3.2'
  gem 'rubocop', '~> 0.83.0', require: false
  gem 'rubocop-rails', '~> 2.5.2', require: false
  gem 'rubocop-rspec', '~> 1.39.0', require: false
  gem 'spring'
  gem 'spring-watcher-listen', '~> 2.0.0'
end

Steps to reproduce

  1. Use the schema mount option for this gem. Don't mix both. Putting the routes mount option back fixes the issue.
  2. Make sure to do the graphql_context(:user) to authenticate the user.
  3. Try any authenticated query/mutation and it should raise a CookieOverflow error.

Expected behavior

It should just return something like this when accessing the session object, instead of putting the entire ActiveRecord object in it.

{"session_id"=>"a7e8a69beb3f5b1bf4aa2edec48cd46a", "warden.user.user.key"=>[[104], "$2a$04$mH7drnwTc.3gqJt4YMmXb."]}

Actual behavior

It returned the entire object instead of just an id and a key.

Reproducible demo

Tried using the dummy app found in the gem. Here are the steps I did to reproduce the problem:

  1. Comment these lines from the routes file:
mount_graphql_devise_for 'User', at: '/api/v1/graphql_auth', operations: {
    login:   Mutations::Login,
    sign_up: Mutations::SignUp
  }, additional_mutations: {
    register_confirmed_user: Mutations::RegisterConfirmedUser
  }, additional_queries: {
    public_user: Resolvers::PublicUser
  }

This makes the User resource mounted solely in the GraphQL schema.
  2. Add :logout to the User resource loader in the dummy schema file. This will be used for the demo.
  3. Change the POST request in the logout spec to use the 'graphql' schema instead of the default 'graphql_auth' one.
  4. Put a binding.pry on the first line of the resolve function for the logout mutation and check controller.session.to_h.
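The mechanism behind the report, as an added example that is not code from graphql_devise, Devise or the reporter's app: a plain-Ruby model of what Devise stores under "warden.user.user.key" when the mapping works (`[record.to_key, record.authenticatable_salt]`, which is exactly the `[[104], "$2a$04$…"]` shape shown above, the salt being the first 29 bytes of the bcrypt string), how that key is checked on the way back in, and how much of the 4096-byte cookie limit (ActionDispatch::Cookies::MAX_COOKIE_SIZE) the expected key uses compared with a whole record serialized as JSON. FakeUser, every attribute value, the devise_token_auth-style tokens hash and the fixed overhead constants in estimated_cookie_bytes are constructed assumptions, not Rails or Devise internals.

```ruby
require "json"

# ActionDispatch::Cookies::MAX_COOKIE_SIZE: the cookie session store raises
# ActionDispatch::Cookies::CookieOverflow when the final cookie value exceeds it.
MAX_COOKIE_SIZE = 4096

# Hypothetical stand-in for a Devise + devise_token_auth backed User record.
class FakeUser
  attr_reader :attributes

  def initialize(attributes)
    @attributes = attributes
  end

  def to_key
    [attributes["id"]]
  end

  # Devise's DatabaseAuthenticatable#authenticatable_salt: the first 29 bytes of
  # the bcrypt string ("$2a$" + cost + "$" + 22-character salt).
  def authenticatable_salt
    pw = attributes["encrypted_password"]
    pw[0, 29] if pw
  end
end

# What Devise's serialize_into_session puts in the Warden session: id + salt only.
def serialize_into_session(record)
  [record.to_key, record.authenticatable_salt]
end

# The inverse (serialize_from_session): find the record by id and accept it only
# if the stored salt still matches, so a password change invalidates old sessions.
def serialize_from_session(key, users_by_id)
  ids, salt = key
  record = users_by_id[ids.first]
  record if record && record.authenticatable_salt == salt
end

# Bytes the :json cookies_serializer writes before signing/encryption.
def session_payload_bytes(session)
  JSON.generate(session).bytesize
end

# Rough size of the encrypted Rails 6 session cookie value: the payload is
# base64-encoded inside a JSON metadata envelope, encrypted (same length) and
# base64-encoded again with "--iv--tag" appended. 64 and 48 approximate the
# fixed overhead of those two layers (assumed constants, not Rails code).
def estimated_cookie_bytes(session)
  payload  = session_payload_bytes(session)
  envelope = (payload * 4.0 / 3).ceil + 64
  (envelope * 4.0 / 3).ceil + 48
end

def cookie_overflow?(session)
  estimated_cookie_bytes(session) > MAX_COOKIE_SIZE
end

# Constructed sample data: a fake bcrypt hash and a devise_token_auth-style
# tokens hash for ten signed-in clients.
FAKE_BCRYPT = "$2a$04$" + "a" * 22 + "b" * 31
FAKE_TOKENS = (1..10).each_with_object({}) { |i, h|
  h["client-#{i.to_s.rjust(15, '0')}"] = {
    "token" => "$2a$10$" + "c" * 53,
    "expiry" => 1_594_000_000 + i,
    "updated_at" => "2020-06-22T19:32:28.000Z"
  }
}
USER = FakeUser.new(
  "id" => 104, "provider" => "email", "uid" => "user@example.com",
  "email" => "user@example.com", "encrypted_password" => FAKE_BCRYPT,
  "reset_password_token" => nil, "reset_password_sent_at" => nil,
  "allow_password_change" => false, "remember_created_at" => nil,
  "confirmation_token" => "d" * 20, "confirmed_at" => "2020-06-22T19:32:28.000Z",
  "confirmation_sent_at" => "2020-06-22T19:30:00.000Z", "unconfirmed_email" => nil,
  "name" => "Example User", "nickname" => nil, "image" => nil,
  "tokens" => FAKE_TOKENS,
  "created_at" => "2020-06-22T19:30:00.000Z", "updated_at" => "2020-06-22T19:32:28.000Z"
)

SESSION_ID = "a7e8a69beb3f5b1bf4aa2edec48cd46a" # value shown in the issue

# Expected: the two-element key Devise is supposed to store.
EXPECTED_SESSION = { "session_id" => SESSION_ID,
                     "warden.user.user.key" => serialize_into_session(USER) }
# Reported: the whole record ends up in the session.
BROKEN_SESSION = { "session_id" => SESSION_ID,
                   "warden.user.user.key" => USER.attributes }

if __FILE__ == $PROGRAM_NAME
  [["expected key", EXPECTED_SESSION], ["whole record", BROKEN_SESSION]].each do |label, s|
    puts "#{label}: #{session_payload_bytes(s)} B payload, " \
         "~#{estimated_cookie_bytes(s)} B cookie, overflow=#{cookie_overflow?(s)}"
  end
end
```

Run with `ruby session_size.rb`. The expected key is a little over a hundred bytes of JSON, while the whole-record variant is an order of magnitude larger and, with only ten token entries, already lands around the 4 KB ceiling in this estimate; every extra column or signed-in client pushes it further. The salt comparison in serialize_from_session is the other reason Devise keeps only [[id], salt] in the session: the bcrypt prefix changes with the password, so a reset invalidates existing sessions without storing anything else client-side.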

grdmnt added the "needs triage" label (Needs to be classified by the maintainers) on Jun 22, 2020

mcelicalderon (Member) commented

It's a long shot, but could you please try enabling eager_load? I'm thinking it might be related to the devise mapping being added when the request is made, instead of it loading when the routes are loaded and no user has been identified.

grdmnt (Author) commented Jun 22, 2020

Tried setting eager.load = true, and it still sets the warden user key to the ActiveRecord object.

mcelicalderon (Member) commented

OK, thanks. I'll look into this ASAP. A fix for now might be keeping the mount method in the routes and skipping all operations with only: [].

grdmnt (Author) commented Jun 22, 2020

For now, I actually just changed to activerecord_storage instead of cookie_store to handle the bigger payload 😂 Now that you mention it, I think your workaround is a lot better 😂 Thanks man!

mcelicalderon added the "bug" label (Something isn't working) and removed the "needs triage" label (Needs to be classified by the maintainers) on Jun 23, 2020