fix(fga): pre-consume cache response body to prevent node-fetch clone hang when using fgaCacheUrl (#700)

yosiharan · claude · web-flow · commit 3b3d649159cc · 2026-03-23T12:28:39.000+02:00
* fix(fga): pre-consume cache response body to prevent node-fetch clone hang When fgaCacheUrl is set, postWithOptionalCache calls fetch() directly, bypassing fetchWrapper. The raw node-fetch Response was returned to transformResponse(), which calls clone().json() — the exact pattern fetchWrapper avoids with an explicit workaround for a known node-fetch issue where cloning a consumed body stream can hang indefinitely. Apply the same body pre-consumption fix (read text once, override clone/text/json with memoized versions) to postWithOptionalCache in both fga.ts and authz.ts. Fixes #699 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(fga): address PR review comments - Make json() override async so JSON.parse errors become rejected Promises rather than synchronous throws, matching Response.json() contract - Use mockImplementation for 1000-call concurrent test to return a fresh response object per call and avoid shared-mutation issues - Update regression test comment to remove stale "Skipped" wording and clarify the 100ms timeout intent Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/lib/management/authz.test.ts b/lib/management/authz.test.ts
@@ -613,6 +613,7 @@ describe('Management Authz', () => {
       const targets = { targets: ['u1'] };
       fetchMock.mockResolvedValue({
         ok: true,
+        text: async () => JSON.stringify(targets),
         json: async () => targets,
         clone: () => ({ json: async () => targets }),
         status: 200,
@@ -640,6 +641,7 @@ describe('Management Authz', () => {
       const relationsResponse = { relations: [mockRelation] };
       fetchMock.mockResolvedValue({
         ok: true,
+        text: async () => JSON.stringify(relationsResponse),
         json: async () => relationsResponse,
         clone: () => ({ json: async () => relationsResponse }),
         status: 200,
diff --git a/lib/management/authz.ts b/lib/management/authz.ts
@@ -39,6 +39,12 @@ const WithAuthz = (httpClient: HttpClient, config?: FGAConfig) => {
         });
 
         if (response.ok) {
+          // Pre-consume body to avoid node-fetch clone issues
+          // (same workaround as fetchWrapper in core-js-sdk)
+          const respText = await response.text();
+          (response as any).text = () => Promise.resolve(respText);
+          (response as any).json = async () => JSON.parse(respText);
+          (response as any).clone = () => response;
           return response;
         }
       } catch {
diff --git a/lib/management/fga.test.ts b/lib/management/fga.test.ts
@@ -198,6 +198,7 @@ describe('Management FGA', () => {
       const schema = { dsl: 'model AuthZ 1.0' };
       fetchMock.mockResolvedValue({
         ok: true,
+        text: async () => JSON.stringify({}),
         json: async () => ({}),
         clone: () => ({ json: async () => ({}) }),
         status: 200,
@@ -223,6 +224,7 @@ describe('Management FGA', () => {
       const relations = [relation1];
       fetchMock.mockResolvedValue({
         ok: true,
+        text: async () => JSON.stringify({}),
         json: async () => ({}),
         clone: () => ({ json: async () => ({}) }),
         status: 200,
@@ -248,6 +250,7 @@ describe('Management FGA', () => {
       const relations = [relation1];
       fetchMock.mockResolvedValue({
         ok: true,
+        text: async () => JSON.stringify({}),
         json: async () => ({}),
         clone: () => ({ json: async () => ({}) }),
         status: 200,
@@ -271,10 +274,12 @@ describe('Management FGA', () => {
 
     it('should use cache URL for check when configured', async () => {
       const relations = [relation1, relation2];
+      const checkBody = { tuples: mockCheckResponseRelations };
       fetchMock.mockResolvedValue({
         ok: true,
-        json: async () => ({ tuples: mockCheckResponseRelations }),
-        clone: () => ({ json: async () => ({ tuples: mockCheckResponseRelations }) }),
+        text: async () => JSON.stringify(checkBody),
+        json: async () => checkBody,
+        clone: () => ({ json: async () => checkBody }),
         status: 200,
         headers: new Map(),
       });
@@ -318,6 +323,7 @@ describe('Management FGA', () => {
       const customConfig = { ...fgaConfig, fgaCacheTimeoutMs: 60000 };
       fetchMock.mockResolvedValue({
         ok: true,
+        text: async () => JSON.stringify({}),
         json: async () => ({}),
         clone: () => ({ json: async () => ({}) }),
         status: 200,
@@ -335,6 +341,7 @@ describe('Management FGA', () => {
       async (invalidValue) => {
         fetchMock.mockResolvedValue({
           ok: true,
+          text: async () => JSON.stringify({}),
           json: async () => ({}),
           clone: () => ({ json: async () => ({}) }),
           status: 200,
@@ -347,5 +354,128 @@ describe('Management FGA', () => {
         expect(fetchMock).toHaveBeenCalled();
       },
     );
+
+    it('should return correct data for a large check response (1206 tuples) via cache path', async () => {
+      const largeTuples = Array.from({ length: 1206 }, (_, i) => ({
+        resource: `u${i}`,
+        resourceType: 'user',
+        relation: 'member',
+        target: `g${i}`,
+        targetType: 'group',
+        allowed: i % 2 === 0,
+      }));
+      const responseBody = { tuples: largeTuples };
+      const bodyText = JSON.stringify(responseBody);
+      fetchMock.mockResolvedValue({
+        ok: true,
+        text: async () => bodyText,
+        json: async () => responseBody,
+        clone: () => ({ json: async () => responseBody }),
+        status: 200,
+      });
+
+      const result = await WithFGA(mockHttpClient, fgaConfig).check(
+        largeTuples.map(({ resource, resourceType, relation, target, targetType }) => ({
+          resource,
+          resourceType,
+          relation,
+          target,
+          targetType,
+        })),
+      );
+
+      expect(fetchMock).toHaveBeenCalled();
+      expect(mockHttpClient.post).not.toHaveBeenCalled();
+      expect(result.data).toHaveLength(1206);
+      expect(result.data![0]).toEqual(largeTuples[0]);
+      expect(result.data![1205]).toEqual(largeTuples[1205]);
+    });
+
+    it('should handle 1000+ concurrent check calls via cache path', async () => {
+      const singleTuple = [relation1];
+      const responseBody = { tuples: [{ ...relation1, allowed: true }] };
+      const bodyText = JSON.stringify(responseBody);
+      fetchMock.mockImplementation(() =>
+        Promise.resolve({
+          ok: true,
+          text: async () => bodyText,
+          json: async () => responseBody,
+          clone: () => ({ json: async () => responseBody }),
+          status: 200,
+        }),
+      );
+
+      const calls = Array.from({ length: 1000 }, () =>
+        WithFGA(mockHttpClient, fgaConfig).check(singleTuple),
+      );
+      const results = await Promise.all(calls);
+
+      expect(fetchMock).toHaveBeenCalledTimes(1000);
+      expect(mockHttpClient.post).not.toHaveBeenCalled();
+      results.forEach((result) => {
+        expect(result.ok).toBe(true);
+        expect(result.data).toHaveLength(1);
+        expect(result.data![0].allowed).toBe(true);
+      });
+    });
+
+    // Regression test for the node-fetch clone hang this fix addresses.
+    // Without the body pre-consumption fix, transformResponse calls clone().json() on the
+    // raw node-fetch Response. When the body stream is already consumed, node-fetch's
+    // clone().json() returns a Promise that never resolves — causing check() to hang
+    // indefinitely with no timeout protection (the AbortController is already cleared).
+    // With the fix, .clone() is overridden in postWithOptionalCache before transformResponse
+    // sees it, so it always resolves immediately. The 100ms timeout is intentionally tight:
+    // with the fix the call completes in <5ms; without it, it hangs indefinitely.
+    it('should not hang when cache response .clone().json() never resolves (simulates node-fetch hang on consumed stream)', async () => {
+      const responseBody = { tuples: [{ ...relation1, allowed: true }] };
+      const bodyText = JSON.stringify(responseBody);
+      fetchMock.mockResolvedValue({
+        ok: true,
+        text: async () => bodyText,
+        json: async () => responseBody,
+        // Simulate node-fetch: clone().json() on a consumed body stream hangs forever
+        clone: () => ({ json: () => new Promise(() => {}) }),
+        status: 200,
+      });
+
+      // Without fix: hangs indefinitely (clone().json() never settles)
+      // With fix: .clone() is overridden → resolves immediately from memoized body
+      const result = await WithFGA(mockHttpClient, fgaConfig).check([relation1]);
+      expect(result.ok).toBe(true);
+      expect(result.data).toHaveLength(1);
+    }, 100);
+
+    it('should not crash when cache response .clone() would throw (body pre-consumed)', async () => {
+      const responseBody = { tuples: [{ ...relation1, allowed: true }] };
+      const bodyText = JSON.stringify(responseBody);
+      // Simulate a raw node-fetch response where .clone() would throw
+      fetchMock.mockResolvedValue({
+        ok: true,
+        text: async () => bodyText,
+        json: async () => responseBody,
+        clone: () => {
+          throw new Error('clone failed — body already consumed');
+        },
+        status: 200,
+      });
+
+      // After the fix, .clone() is overridden before transformResponse sees it
+      const result = await WithFGA(mockHttpClient, fgaConfig).check([relation1]);
+
+      expect(fetchMock).toHaveBeenCalled();
+      expect(result.ok).toBe(true);
+      expect(result.data).toHaveLength(1);
+    });
+
+    it('should fall back to httpClient when cache returns non-OK status', async () => {
+      fetchMock.mockResolvedValue({ ok: false, status: 503 });
+
+      const schema = { dsl: 'test' };
+      await WithFGA(mockHttpClient, fgaConfig).saveSchema(schema);
+
+      expect(fetchMock).toHaveBeenCalled();
+      expect(mockHttpClient.post).toHaveBeenCalledWith(apiPaths.fga.schema, schema);
+    });
   });
 });
diff --git a/lib/management/fga.ts b/lib/management/fga.ts
@@ -37,6 +37,12 @@ const WithFGA = (httpClient: HttpClient, config?: FGAConfig) => {
         });
 
         if (response.ok) {
+          // Pre-consume body to avoid node-fetch clone issues
+          // (same workaround as fetchWrapper in core-js-sdk)
+          const respText = await response.text();
+          (response as any).text = () => Promise.resolve(respText);
+          (response as any).json = async () => JSON.parse(respText);
+          (response as any).clone = () => response;
           return response;
         }
       } catch {
