Allow landing page to be configured with a precomputed nonce (fix for…

… CF workers) (#7601) #7539 introduced a `v4()` call from the `uuid` package which broke CF workers (apollo-server-integrations/apollo-server-integration-cloudflare-workers#37). This change allows users to configure / precompute the `nonce` in advance to avoid making crypto-y calls on startup (which CF workers throws errors about).
apollographql · Jun 7, 2023 · 75b668d · 75b668d
1 parent 51b79ac
commit 75b668d
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 3 deletions.
diff --git a/.changeset/pink-mugs-pump.md b/.changeset/pink-mugs-pump.md
@@ -0,0 +1,19 @@
+---
+'@apollo/server': patch
+---
+
+Provide a new configuration option for landing page plugins `precomputedNonce` which allows users to provide a nonce and avoid calling into `uuid` functions on startup. This is useful for Cloudflare Workers where random number generation is not available on startup (only during requests). Unless you are using Cloudflare Workers, you can ignore this change.
+
+The example below assumes you've provided a `PRECOMPUTED_NONCE` variable in your `wrangler.toml` file.
+
+Example usage:
+```ts
+const server = new ApolloServer({
+  // ...
+  plugins: [
+    ApolloServerPluginLandingPageLocalDefault({
+      precomputedNonce: PRECOMPUTED_NONCE
+    })
+  ],
+});
+```
diff --git a/docs/source/api/plugin/landing-pages.mdx b/docs/source/api/plugin/landing-pages.mdx
@@ -448,8 +448,7 @@ An object containing initial HTTP header values to populate in the Explorer on l
 
 ###### `embed`
 
-`boolean | ApolloServerPluginEmbedded`
-`LandingPageProductionConfigOptions`
+`boolean | EmbeddableSandboxOptions`
 </td>
 <td>
 
@@ -461,6 +460,19 @@ The default value is `false`, in which case the landing page displays a basic `c
 
 You can configure the Explorer embedded on your Apollo Server endpoint with display and functional options. For supported options, see [`embed` options](#embed-options).
 
+</td>
+</tr>
+<tr>
+<td>
+
+###### `precomputedNonce`
+
+`string`
+</td>
+<td>
+
+The landing page renders with a randomly generated nonce for security purposes. If you'd like to provide your own nonce, you can do so here. This is useful for Cloudflare Workers which can't perform random number generation on startup.
+
 </td>
 </tr>
 

diff --git a/packages/server/src/plugin/landingPage/default/index.ts b/packages/server/src/plugin/landingPage/default/index.ts
@@ -89,7 +89,9 @@ function ApolloServerPluginLandingPageDefault<TContext extends BaseContext>(
   const version = maybeVersion ?? '_latest';
   const apolloServerVersion = `@apollo/server@${packageVersion}`;
 
-  const nonce = createHash('sha256').update(uuidv4()).digest('hex');
+  const nonce =
+    config.precomputedNonce ??
+    createHash('sha256').update(uuidv4()).digest('hex');
 
   return {
     __internal_installed_implicitly__: false,

diff --git a/packages/server/src/plugin/landingPage/default/types.ts b/packages/server/src/plugin/landingPage/default/types.ts
@@ -53,6 +53,13 @@ export type ApolloServerPluginLandingPageDefaultBaseOptions = {
 
   includeCookies?: boolean;
 
+  /**
+   * If specified, the landing page will use the provided nonce rather than
+   * compute its own. This is useful for Cloudflare Workers, which do not allow
+   * number generation on startup.
+   */
+  precomputedNonce?: string;
+
   // For Apollo use only.
   __internal_apolloStudioEnv__?: 'staging' | 'prod';
 };