Fix DIFC proxy GraphQL endpoint rewriting for github.com API base (#4030)

lpcox · web-flow · commit 515f316cea94 · 2026-04-17T09:31:48.000-07:00
The DIFC proxy was forwarding GraphQL traffic to `/api/graphql` even when upstream was github.com-style, causing 404s and repeated retries in cli-proxy workflows. This updates GraphQL path normalization to target the correct endpoint based on configured API base. - **Endpoint rewrite logic** - Updated proxy forwarding to rewrite GraphQL paths conditionally: - upstream ending in `/api/v3` (GHES) → `/api/graphql` - upstream without `/api/v3` (github.com) → `/graphql` - Applies consistently for incoming GraphQL variants: `/graphql`, `/api/graphql`, `/api/v3/graphql`. - Preserves query strings during rewrite. - **Coverage for dotcom behavior** - Added focused tests for github.com-style API base to assert canonical forwarding to `/graphql` across all supported input path forms. - Kept existing GHES coverage intact. - **Handler expectation alignment** - Updated GraphQL query-string preservation expectation in handler tests to reflect normalized dotcom forwarding path. ```go pathOnly, query, hasQuery := strings.Cut(path, "?") if IsGraphQLPath(pathOnly) { graphqlURL := s.githubAPIURL + "/graphql" if strings.HasSuffix(s.githubAPIURL, "/api/v3") { graphqlURL = strings.TrimSuffix(s.githubAPIURL, "/api/v3") + "/api/graphql" } url = graphqlURL if hasQuery { url += "?" + query } } ``` > [!WARNING] > > <details> > <summary>Firewall rules blocked me from connecting to one or more addresses (expand for details)</summary> > > #### I tried to connect to the following addresses, but was blocked by firewall rules: > > - `example.com` > - Triggering command: `/tmp/go-build203165019/b514/launcher.test /tmp/go-build203165019/b514/launcher.test -test.testlogfile=/tmp/go-build203165019/b514/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build203165019/b405/vet.cfg 1.80.0/internal/resolver/delegatingresolver/delegatingresolver.go 0845442/b151/ x_amd64/vet e.go esource/v1` (dns block) > - `invalid-host-that-does-not-exist-12345.com` > - Triggering command: `/tmp/go-build203165019/b496/config.test /tmp/go-build203165019/b496/config.test -test.testlogfile=/tmp/go-build203165019/b496/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build203165019/b317/vet.cfg /sdk@v1.43.0/trago1.25.8 /sdk@v1.43.0/tra-c=4 x_amd64/vet ctor idle E=3 x_amd64/vet 0845�� g_.a otection x_amd64/vet --gdwarf-5 rs/otlp/otlptrac-atomic -o x_amd64/vet` (dns block) > - `nonexistent.local` > - Triggering command: `/tmp/go-build203165019/b514/launcher.test /tmp/go-build203165019/b514/launcher.test -test.testlogfile=/tmp/go-build203165019/b514/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build203165019/b405/vet.cfg 1.80.0/internal/resolver/delegatingresolver/delegatingresolver.go 0845442/b151/ x_amd64/vet e.go esource/v1` (dns block) > - `slow.example.com` > - Triggering command: `/tmp/go-build203165019/b514/launcher.test /tmp/go-build203165019/b514/launcher.test -test.testlogfile=/tmp/go-build203165019/b514/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build203165019/b405/vet.cfg 1.80.0/internal/resolver/delegatingresolver/delegatingresolver.go 0845442/b151/ x_amd64/vet e.go esource/v1` (dns block) > - `this-host-does-not-exist-12345.com` > - Triggering command: `/tmp/go-build203165019/b523/mcp.test /tmp/go-build203165019/b523/mcp.test -test.testlogfile=/tmp/go-build203165019/b523/testlog.txt -test.paniconexit0 -test.timeout=10m0s 0845�� g_.a GBv9xrrGM x_amd64/vet -p go-sdk/internal/-atomic -lang=go1.24 x_amd64/vet ortc�� cfg 64/src/net/textp-ifaceassert x_amd64/vet . --gdwarf2 --64 x_amd64/vet` (dns block) > > If you need me to access, download, or install something from one of these locations, you can either: > > - Configure [Actions setup steps](https://gh.io/copilot/actions-setup-steps) to set up my environment, which run before the firewall is enabled > - Add the appropriate URLs or hosts to the custom allowlist in this repository's [Copilot coding agent settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent) (admins only) > > </details>
diff --git a/internal/proxy/handler_test.go b/internal/proxy/handler_test.go
@@ -195,7 +195,7 @@ func TestServeHTTP_GraphQLPreservesQueryString(t *testing.T) {
 		wantPath string
 	}{
 		{name: "graphql path", path: "/graphql?foo=bar", wantPath: "/graphql?foo=bar"},
-		{name: "ghes api graphql path", path: "/api/graphql?foo=bar", wantPath: "/api/graphql?foo=bar"},
+		{name: "ghes api graphql path", path: "/api/graphql?foo=bar", wantPath: "/graphql?foo=bar"},
 		{name: "gh host prefixed graphql path", path: "/api/v3/graphql?foo=bar", wantPath: "/graphql?foo=bar"},
 	}
 
diff --git a/internal/proxy/proxy.go b/internal/proxy/proxy.go
@@ -344,8 +344,12 @@ func (r *restBackendCaller) CallTool(ctx context.Context, toolName string, args
 func (s *Server) forwardToGitHub(ctx context.Context, method, path string, body io.Reader, contentType string, clientAuth string) (*http.Response, error) {
 	url := s.githubAPIURL + path
 	pathOnly, query, hasQuery := strings.Cut(path, "?")
-	if strings.HasSuffix(s.githubAPIURL, "/api/v3") && IsGraphQLPath(pathOnly) {
-		url = strings.TrimSuffix(s.githubAPIURL, "/api/v3") + "/api/graphql"
+	if IsGraphQLPath(pathOnly) {
+		graphqlURL := s.githubAPIURL + "/graphql"
+		if strings.HasSuffix(s.githubAPIURL, "/api/v3") {
+			graphqlURL = strings.TrimSuffix(s.githubAPIURL, "/api/v3") + "/api/graphql"
+		}
+		url = graphqlURL
 		if hasQuery {
 			url += "?" + query
 		}
diff --git a/internal/proxy/proxy_test.go b/internal/proxy/proxy_test.go
@@ -887,3 +887,46 @@ func TestForwardToGitHub_RewritesGraphQLPathForGHESAPIBase(t *testing.T) {
 		})
 	}
 }
+
+func TestForwardToGitHub_RewritesGraphQLPathForDotComAPIBase(t *testing.T) {
+	var receivedPath string
+	var receivedQuery string
+	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		receivedPath = r.URL.Path
+		receivedQuery = r.URL.RawQuery
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer upstream.Close()
+
+	s := &Server{
+		githubAPIURL: upstream.URL,
+		httpClient:   upstream.Client(),
+	}
+
+	tests := []struct {
+		name      string
+		path      string
+		wantPath  string
+		wantQuery string
+	}{
+		{name: "plain graphql endpoint", path: "/graphql", wantPath: "/graphql"},
+		{name: "ghes api graphql endpoint", path: "/api/graphql", wantPath: "/graphql"},
+		{name: "gh host prefixed graphql endpoint", path: "/api/v3/graphql", wantPath: "/graphql"},
+		{name: "graphql endpoint with query string", path: "/api/graphql?foo=bar", wantPath: "/graphql", wantQuery: "foo=bar"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			receivedPath = ""
+			receivedQuery = ""
+
+			resp, err := s.forwardToGitHub(context.Background(), http.MethodPost, tt.path, nil, "application/json", "")
+			require.NoError(t, err)
+			require.NotNil(t, resp)
+			defer resp.Body.Close()
+
+			assert.Equal(t, tt.wantPath, receivedPath)
+			assert.Equal(t, tt.wantQuery, receivedQuery)
+		})
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -195,7 +195,7 @@ func TestServeHTTP_GraphQLPreservesQueryString(t *testing.T) {`
`195`	`195`	`wantPath string`
`196`	`196`	`}{`
`197`	`197`	`{name: "graphql path", path: "/graphql?foo=bar", wantPath: "/graphql?foo=bar"},`
`198`		`- {name: "ghes api graphql path", path: "/api/graphql?foo=bar", wantPath: "/api/graphql?foo=bar"},`
	`198`	`+ {name: "ghes api graphql path", path: "/api/graphql?foo=bar", wantPath: "/graphql?foo=bar"},`
`199`	`199`	`{name: "gh host prefixed graphql path", path: "/api/v3/graphql?foo=bar", wantPath: "/graphql?foo=bar"},`
`200`	`200`	`}`
`201`	`201`