Bug: SSR Apollo client overwrites Cookie header and drops auth/session cookies #3940

@xDipzz

Description

Summary

SSR GraphQL requests can lose authenticated context because the server Apollo client overwrites the Cookie header with only csrftoken.

Affected code

  • frontend/src/server/apolloClient.ts

Problem

In the server Apollo setContext, headers are set as:

  • X-CSRFToken: <token>
  • Cookie: csrftoken=<token>

This replaces the full incoming cookie header instead of preserving/merging it, so session/auth cookies are dropped.

Why this is an issue

Any SSR GraphQL operation that depends on authenticated session cookies may behave as unauthenticated (or inconsistently), because the outgoing request no longer carries full cookie state.

Reproduction

  1. Sign in to Nest in browser (session/auth cookies present).
  2. Open a route that performs server-side GraphQL via server/apolloClient.
  3. Add temporary debug logging in frontend/src/server/apolloClient.ts to inspect outbound request headers.
  4. Observe Cookie header contains only csrftoken=... and omits other cookies.

Expected

Server-side GraphQL requests should preserve incoming cookies (including session/auth cookies) and include CSRF safely.

Actual

Cookie is overwritten to only csrftoken=....

Proposed fix

  • Preserve full incoming cookie header from request context.
  • Merge or append CSRF cookie/token without discarding existing cookies.
  • Keep X-CSRFToken behavior intact.

Acceptance criteria

  • SSR Apollo requests include original session/auth cookies.
  • CSRF token handling remains functional.
  • Add regression test for header propagation/merge behavior in server Apollo client.
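Added example, not code from the Nest repository: it models the header construction the issue describes in `frontend/src/server/apolloClient.ts`, with the overwriting form beside a merging form, plus the check a regression test would make. Function names (`buildSsrHeadersBefore`, `buildSsrHeadersAfter`, `mergeCookieHeader`) and the `sessionid` cookie name are assumptions.

```typescript
// Added example (not the project's code). Names and sample cookie values are
// constructed; "sessionid" stands in for whatever session cookie Nest uses.

type HeaderMap = Record<string, string>;

// Parse a Cookie header ("a=1; b=2") into an ordered map. Empty segments are
// skipped and values may themselves contain "=".
function parseCookieHeader(cookie: string | undefined): Map<string, string> {
  const out = new Map<string, string>();
  for (const part of (cookie ?? "").split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    if (eq < 0) continue;
    out.set(trimmed.slice(0, eq).trim(), trimmed.slice(eq + 1));
  }
  return out;
}

// Serialise the map back to a Cookie header value, preserving order.
function serializeCookies(cookies: Map<string, string>): string {
  return Array.from(cookies, ([k, v]) => `${k}=${v}`).join("; ");
}

// Behaviour reported in the issue: the incoming Cookie header is ignored and
// replaced by csrftoken alone, so session/auth cookies never reach the API.
function buildSsrHeadersBefore(_incomingCookie: string | undefined, csrfToken: string): HeaderMap {
  return { "X-CSRFToken": csrfToken, Cookie: `csrftoken=${csrfToken}` };
}

// Proposed fix: keep every incoming cookie and set/replace only csrftoken.
function mergeCookieHeader(incomingCookie: string | undefined, csrfToken: string): string {
  const cookies = parseCookieHeader(incomingCookie);
  cookies.set("csrftoken", csrfToken); // replaces a stale csrftoken, keeps the rest
  return serializeCookies(cookies);
}

function buildSsrHeadersAfter(incomingCookie: string | undefined, csrfToken: string): HeaderMap {
  return { "X-CSRFToken": csrfToken, Cookie: mergeCookieHeader(incomingCookie, csrfToken) };
}

// The regression check from the acceptance criteria: the session cookie must
// still be present on the outbound request.
function sessionCookieSurvives(headers: HeaderMap): boolean {
  return parseCookieHeader(headers.Cookie).has("sessionid");
}
```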
