From 6f458062d4b94281b04e7802f721f94c2ad3c0a9 Mon Sep 17 00:00:00 2001
From: slayerjain <shubham@keploy.io>
Date: Mon, 8 Jun 2026 11:15:47 +0530
Subject: [PATCH] fix(restheart-mongo): deterministic GraphQL app cache +
 expires_in noise
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The keploy restheart-mongo lane flaked on two recorded fields; both are
app/JWT non-determinism, fixed the same way the lane already handles the
ACL cache and the access_token JWT:

1. post-graphql-halpeople (mongo mock-miss -> 500 MongoSocketReadException):
   RESTHeart's GraphQL service caches gql-apps app definitions with a 60s
   time-to-revalidate (app-cache-ttr, Caffeine nanoTime ticker) — the exact
   same time-freeze x cache-ttl interaction already documented for
   /mongoAclAuthorizer. Under `keploy test --freezeTime` the ticker is
   frozen, so the app cache never revalidates and RESTHeart issues a
   different number/order of `find gql-apps` mongo queries than were
   recorded; the unmatched find has no mock so keploy's mongo proxy closes
   the socket and RESTHeart returns 500 instead of the recorded response.
   Fix: add /graphql/app-cache-enabled->false to RHO so gql-apps is
   read-through every request (identical mongo stream at record & replay),
   mirroring the existing /mongoAclAuthorizer/cache-enabled->false.

2. post-token (expires_in 872 vs 871): /tokens returns expires_in =
   seconds-until-exp computed at request time; it can differ by 1s across
   record/replay when the request straddles a second boundary, even under
   --freezeTime. The JWT itself (access_token) is already noised; add
   expires_in to globalNoise.body for the same reason.

Signed-off-by: Shubham Jain <shubham@keploy.io>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: slayerjain <shubham@keploy.io>
---
 restheart-mongo/docker-compose.yml  | 18 +++++++++++++++++-
 restheart-mongo/keploy.yml.template |  7 +++++++
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/restheart-mongo/docker-compose.yml b/restheart-mongo/docker-compose.yml
index 44797e9c..e5e0a8e6 100644
--- a/restheart-mongo/docker-compose.yml
+++ b/restheart-mongo/docker-compose.yml
@@ -27,7 +27,7 @@ services:
       # --freezeTime keeps `exp` valid. Pinning the secret keeps
       # the bearer signature verifiable across record→replay
       # container restarts (deterministic key, deterministic JWT).
-      RHO: '/mclient/connection-string->"mongodb://${RESTHEART_MONGO_IP:-172.36.0.10}:27017";/http-listener/host->"0.0.0.0";/core/log-level->"INFO";/jwtConfigProvider/key->"keploy-fixed-jwt-secret-for-deterministic-recordings";/mongoAclAuthorizer/cache-enabled->false'
+      RHO: '/mclient/connection-string->"mongodb://${RESTHEART_MONGO_IP:-172.36.0.10}:27017";/http-listener/host->"0.0.0.0";/core/log-level->"INFO";/jwtConfigProvider/key->"keploy-fixed-jwt-secret-for-deterministic-recordings";/mongoAclAuthorizer/cache-enabled->false;/graphql/app-cache-enabled->false'
       # Bound RESTHeart's JVM heap. RESTHeart 9.x's default uses
       # `MaxRAMPercentage=25` of cgroup memory, which on a typical
       # Woodpecker runner cgroup (~8GB) lands ~2GB heap. With three
@@ -59,6 +59,22 @@ services:
       # despite recorded 200. Disabling the cache makes ACL rules
       # read-through from mongo on every request — small perf cost,
       # but eliminates the time-freeze x cache-ttl interaction.
+      #
+      # Note on /graphql/app-cache-enabled->false in RHO:
+      # RESTHeart's GraphQL service caches gql-apps app definitions with a
+      # 60s time-to-revalidate (app-cache-ttr, Caffeine, nanoTime ticker) —
+      # the SAME time-freeze x cache-ttl interaction as the ACL cache above.
+      # flow.sh POSTs a "halpeople" GraphQL app to gql-apps and then fires
+      # POST /graphql/halpeople queries. At record the wall clock advances,
+      # so the app cache revalidates (re-reading gql-apps) at TTR
+      # boundaries; under `keploy test --freezeTime` the ticker is frozen so
+      # the cache never revalidates, producing a DIFFERENT number/order of
+      # `find gql-apps` mongo queries than were recorded. The unmatched
+      # find has no recorded mock -> keploy's mongo proxy closes the socket
+      # -> RESTHeart returns 500 (MongoSocketReadException) instead of the
+      # recorded response (the post-graphql-halpeople flakiness). Disabling
+      # the app cache makes gql-apps read-through on every request, so the
+      # mongo query stream is identical at record and replay.
     depends_on:
       mongo:
         condition: service_healthy
diff --git a/restheart-mongo/keploy.yml.template b/restheart-mongo/keploy.yml.template
index a16bc5e2..8b5a3736 100644
--- a/restheart-mongo/keploy.yml.template
+++ b/restheart-mongo/keploy.yml.template
@@ -61,3 +61,10 @@ test:
         client_ip: []
         latencyMs: []
         access_token: []
+        # RESTHeart's /tokens endpoint returns expires_in = seconds until
+        # the JWT `exp`, computed as (exp - now) at request time. Even under
+        # --freezeTime the recorded vs replayed value can differ by 1s when
+        # the request straddles a second boundary (observed 872 vs 871 on
+        # post-token), so the countdown must be treated as noise just like
+        # the access_token JWT itself.
+        expires_in: []