Help understanding ApolloLink/concat order


So I have a basic Apollo Client 3.x file that looks like below. The console.log line reports that the authorization header is correct, but the request in the network tab of the browser’s Developer Tools doesn’t reflect anything I try to do to the headers: the console.log looks the way I’d like it to, but the request the browser sees has no authorization header, and still has a cookies header

Below are the contents of an apolloClient.ts file, and I import { client } from './apolloClient'; in other places to use this client

import { ApolloLink, HttpLink } from '@apollo/client';
import { ApolloClient, InMemoryCache } from '@apollo/client';
import { getCookieString, getInfoFromCookie } from '.';

const httpLink = new HttpLink( {
	uri: `${ process.env.NEXT_PUBLIC_API_URL }/query`,
	credentials: 'include'
} );

const authMiddleware = new ApolloLink( ( operation, forward ) => {
	operation.setContext( ( { headers } ) => {
		const response = {
			headers: {
		const token = 'abc123';
		response.headers.authorization = `Bearer ${ token }`;
		delete response.cookie;
		return response;
		console.log( response );
	} );
	// return the headers to the context so httpLink can read them
	return forward( operation );
} );

export const client = new ApolloClient( {
	connectToDevTools: process.env.NODE_ENV === 'development',
	cache: new InMemoryCache(),
	link: authMiddleware.concat( httpLink )
} );

I also make an SSR client.query in case that helps you help me: headers I set in there via context: { headers: { autorization: Bearer ${ token } } } seems to get passed to apollo client and then to the API layer.

But my core problem is that ApolloLink seems to be running AFTER the request gets sent maybe…?

Thank you for your help!

Although I was unable to figure out how to remove headers from the Apollo Client requests, I was able to add them. My problem with the authentication header turned out to be serverless offline not liking the cookie header. Since I couldn’t remove that header I ended up disabling cookie checking…I really wish I could just remove the cookie header when I wanted to…oh well

I believe the cookie header is controlled by credentials