fix(api-gateway): cache GraphQL schemas per security context using visibilityMaskHash

Author: igorlukanin

packages/cubejs-api-gateway/src/gateway.ts

@@ -290,14 +290,25 @@ class ApiGateway {
         );
 
         const compilerApi = await this.getCompilerApi(req.context);
-        let schema = compilerApi.getGraphQLSchema();
+
+        // In devMode/playground, all fields are shown regardless of RBAC
+        const showAll = getEnv('devMode') || req.context.signedWithPlaygroundAuthSecret;
+
+        // Get metaConfig with visibilityMaskHash for RBAC-based schema caching
+        const metaConfigResult = await compilerApi.metaConfig(req.context, {
+          requestId: req.context.requestId,
+          includeVisibilityMaskHash: true,
+        });
+        const { visibilityMaskHash, cubes: metaConfigCubes } = metaConfigResult;
+
+        // Cache key: 'all' for devMode (RBAC doesn't matter), or visibilityMaskHash for RBAC-filtered schemas
+        const cacheKey = showAll ? 'all' : (visibilityMaskHash || 'default');
+
+        let schema = compilerApi.getGraphQLSchema(cacheKey);
         if (!schema) {
-          let metaConfig = await compilerApi.metaConfig(req.context, {
-            requestId: req.context.requestId,
-          });
-          metaConfig = this.filterVisibleItemsInMeta(req.context, metaConfig);
-          schema = makeSchema(metaConfig);
-          compilerApi.setGraphQLSchema(schema);
+          const filteredMeta = this.filterVisibleItemsInMeta(req.context, metaConfigCubes);
+          schema = makeSchema(filteredMeta);
+          compilerApi.setGraphQLSchema(schema, cacheKey);
         }
         return graphqlHTTP({
           schema,

packages/cubejs-server-core/src/core/CompilerApi.ts

@@ -125,7 +125,7 @@ export class CompilerApi {
 
   protected compiledScriptCacheInterval?: NodeJS.Timeout;
 
-  protected graphqlSchema?: GraphQLSchema;
+  protected graphqlSchemas: Map<string, GraphQLSchema> = new Map();
 
   protected compilers?: Promise<Compiler>;
 
@@ -193,15 +193,15 @@ export class CompilerApi {
     // using safeguard for potential dangling references.
     this.compilers = disposedProxy('compilers', 'disposed CompilerApi instance');
     this.queryFactory = disposedProxy('queryFactory', 'disposed CompilerApi instance');
-    this.graphqlSchema = undefined;
+    this.graphqlSchemas.clear();
   }
 
-  public setGraphQLSchema(schema: GraphQLSchema): void {
-    this.graphqlSchema = schema;
+  public setGraphQLSchema(schema: GraphQLSchema, cacheKey: string = 'default'): void {
+    this.graphqlSchemas.set(cacheKey, schema);
   }
 
-  public getGraphQLSchema(): GraphQLSchema {
-    return this.graphqlSchema;
+  public getGraphQLSchema(cacheKey: string = 'default'): GraphQLSchema | undefined {
+    return this.graphqlSchemas.get(cacheKey);
   }
 
   public createNativeInstance(): NativeInstance {
@@ -959,25 +959,29 @@ export class CompilerApi {
 
   public async metaConfig(
     requestContext: Context,
-    options: { includeCompilerId?: boolean; requestId?: string } = {}
+    options: { includeCompilerId?: boolean; includeVisibilityMaskHash?: boolean; requestId?: string } = {}
   ): Promise<any> {
-    const { includeCompilerId, ...restOptions } = options;
+    const { includeCompilerId, includeVisibilityMaskHash, ...restOptions } = options;
     const compilers = await this.getCompilers(restOptions);
     const { cubes } = compilers.metaTransformer;
     const { visibilityMaskHash, cubes: patchedCubes } = await this.patchVisibilityByAccessPolicy(
       compilers,
       requestContext,
       cubes
     );
-    if (includeCompilerId) {
-      return {
-        cubes: patchedCubes,
+    if (includeCompilerId || includeVisibilityMaskHash) {
+      const result: any = { cubes: patchedCubes };
+      if (includeCompilerId) {
         // This compilerId is primarily used by the cubejs-backend-native or caching purposes.
         // By default, it doesn't account for member visibility changes introduced above by DAP.
         // Here we're modifying the original compilerId in a way that it's distinct for
         // distinct schema versions while still being a valid UUID.
-        compilerId: visibilityMaskHash ? this.mixInVisibilityMaskHash(compilers.compilerId, visibilityMaskHash) : compilers.compilerId,
-      };
+        result.compilerId = visibilityMaskHash ? this.mixInVisibilityMaskHash(compilers.compilerId, visibilityMaskHash) : compilers.compilerId;
+      }
+      if (includeVisibilityMaskHash) {
+        result.visibilityMaskHash = visibilityMaskHash;
+      }
+      return result;
     }
     return patchedCubes;
   }

packages/cubejs-testing/birdbox-fixtures/graphql-rbac/cube.js

@@ -0,0 +1,9 @@
+// Cube.js configuration for testing GraphQL schema caching with different security contexts
+module.exports = {
+  // Map security context to RBAC roles
+  contextToRoles: ({ securityContext }) => securityContext?.auth?.roles || ['*'],
+
+  // SAME app ID for all tenants - this forces them to share a CompilerApi instance
+  // which is where the GraphQL schema caching bug manifests
+  contextToAppId: () => 'CUBEJS_APP_shared',
+};

packages/cubejs-testing/birdbox-fixtures/graphql-rbac/model/Orders.js

@@ -0,0 +1,65 @@
+// Orders cube with RBAC-based field visibility using access policies
+// This tests the GraphQL schema caching bug where different tenants should see different fields
+
+cube('Orders', {
+  sql: `SELECT 1 as id, 100 as amount, 'secret123' as internal_code, 'premium' as tier`,
+
+  measures: {
+    count: {
+      type: 'count',
+    },
+    totalAmount: {
+      sql: 'amount',
+      type: 'sum',
+    },
+  },
+
+  dimensions: {
+    id: {
+      sql: 'id',
+      type: 'number',
+      primaryKey: true,
+    },
+    amount: {
+      sql: 'amount',
+      type: 'number',
+    },
+    // This field should only be visible to tenant-a
+    internalCode: {
+      sql: 'internal_code',
+      type: 'string',
+    },
+    // This field should only be visible to tenant-b
+    tier: {
+      sql: 'tier',
+      type: 'string',
+    },
+  },
+
+  // RBAC access policies - these apply visibility masks at runtime
+  accessPolicy: [
+    {
+      // Default policy for all roles - hide special fields
+      role: '*',
+      memberLevel: {
+        excludes: ['internalCode', 'tier'],
+      },
+    },
+    {
+      // tenant-a can see internalCode (include all, exclude only tier)
+      role: 'tenant-a',
+      memberLevel: {
+        includes: '*',
+        excludes: ['tier'],
+      },
+    },
+    {
+      // tenant-b can see tier (include all, exclude only internalCode)
+      role: 'tenant-b',
+      memberLevel: {
+        includes: '*',
+        excludes: ['internalCode'],
+      },
+    },
+  ],
+});

packages/cubejs-testing/test/smoke-graphql-rbac.test.ts

@@ -0,0 +1,116 @@
+/**
+ * Integration test for GraphQL schema caching per security context.
+ *
+ * This test verifies that when different users (with different RBAC roles)
+ * make GraphQL requests, they each get a schema appropriate to their
+ * access level - not a cached schema from another user.
+ *
+ * The fix uses `visibilityMaskHash` as the cache key for GraphQL schemas.
+ */
+
+// eslint-disable-next-line import/no-extraneous-dependencies
+import { afterAll, beforeAll, jest, expect } from '@jest/globals';
+import { sign } from 'jsonwebtoken';
+import fetch from 'node-fetch';
+
+import { BirdBox, getBirdbox } from '../src';
+import {
+  DEFAULT_CONFIG,
+  JEST_AFTER_ALL_DEFAULT_TIMEOUT,
+  JEST_BEFORE_ALL_DEFAULT_TIMEOUT,
+} from './smoke-tests';
+
+describe('GraphQL Schema Caching per Security Context', () => {
+  jest.setTimeout(60 * 5 * 1000);
+  let birdbox: BirdBox;
+
+  beforeAll(async () => {
+    birdbox = await getBirdbox(
+      'duckdb',
+      {
+        ...DEFAULT_CONFIG,
+        CUBEJS_DEV_MODE: 'false',
+        NODE_ENV: 'production',
+        CUBEJS_DB_TYPE: 'duckdb',
+      },
+      {
+        schemaDir: 'graphql-rbac/model',
+        cubejsConfig: 'graphql-rbac/cube.js',
+      }
+    );
+  }, JEST_BEFORE_ALL_DEFAULT_TIMEOUT);
+
+  afterAll(async () => {
+    await birdbox.stop();
+  }, JEST_AFTER_ALL_DEFAULT_TIMEOUT);
+
+  async function graphqlIntrospection(role: string): Promise<any> {
+    const token = sign({
+      auth: { roles: [role] },
+    }, DEFAULT_CONFIG.CUBEJS_API_SECRET, { expiresIn: '1h' });
+
+    // apiUrl includes /cubejs-api/v1, but GraphQL is at /cubejs-api/graphql
+    const baseUrl = birdbox.configuration.apiUrl.replace('/cubejs-api/v1', '');
+    const res = await fetch(`${baseUrl}/cubejs-api/graphql`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${token}`,
+      },
+      body: JSON.stringify({
+        query: '{ __type(name: "OrdersMembers") { fields { name } } }',
+      }),
+    });
+    return res.json();
+  }
+
+  test('tenant-a sees internalCode but not tier', async () => {
+    const result = await graphqlIntrospection('tenant-a');
+    const fields = result.data?.__type?.fields?.map((f: any) => f.name) || [];
+
+    expect(fields).toContain('internalCode');
+    expect(fields).not.toContain('tier');
+  });
+
+  test('tenant-b sees tier but not internalCode', async () => {
+    const result = await graphqlIntrospection('tenant-b');
+    const fields = result.data?.__type?.fields?.map((f: any) => f.name) || [];
+
+    expect(fields).toContain('tier');
+    expect(fields).not.toContain('internalCode');
+  });
+
+  test('alternating requests maintain correct schemas', async () => {
+    // Request A -> B -> A -> B to verify caching works correctly
+    const resultA1 = await graphqlIntrospection('tenant-a');
+    const resultB1 = await graphqlIntrospection('tenant-b');
+    const resultA2 = await graphqlIntrospection('tenant-a');
+    const resultB2 = await graphqlIntrospection('tenant-b');
+
+    const fieldsA1 = resultA1.data?.__type?.fields?.map((f: any) => f.name) || [];
+    const fieldsB1 = resultB1.data?.__type?.fields?.map((f: any) => f.name) || [];
+    const fieldsA2 = resultA2.data?.__type?.fields?.map((f: any) => f.name) || [];
+    const fieldsB2 = resultB2.data?.__type?.fields?.map((f: any) => f.name) || [];
+
+    // A should always see internalCode, never tier
+    expect(fieldsA1).toContain('internalCode');
+    expect(fieldsA1).not.toContain('tier');
+    expect(fieldsA2).toEqual(fieldsA1);
+
+    // B should always see tier, never internalCode
+    expect(fieldsB1).toContain('tier');
+    expect(fieldsB1).not.toContain('internalCode');
+    expect(fieldsB2).toEqual(fieldsB1);
+  });
+
+  test('default role sees neither internalCode nor tier', async () => {
+    const result = await graphqlIntrospection('default');
+    const fields = result.data?.__type?.fields?.map((f: any) => f.name) || [];
+
+    expect(fields).not.toContain('internalCode');
+    expect(fields).not.toContain('tier');
+    // Should still see basic fields
+    expect(fields).toContain('count');
+    expect(fields).toContain('amount');
+  });
+});