Add CSRF header if provided fix #253

oliemansm · oliemansm · commit 5500517b5592 · 2019-06-20T08:22:05.000+02:00
diff --git a/graphiql-spring-boot-autoconfigure/build.gradle b/graphiql-spring-boot-autoconfigure/build.gradle
@@ -18,10 +18,11 @@
  */
 dependencies{
     annotationProcessor "org.springframework.boot:spring-boot-configuration-processor:$LIB_SPRING_BOOT_VER"
-    
+
     compile "org.springframework.boot:spring-boot-autoconfigure:$LIB_SPRING_BOOT_VER"
     compile "org.apache.commons:commons-text:1.1"
     compileOnly "org.springframework.boot:spring-boot-starter-web:$LIB_SPRING_BOOT_VER"
+    compileOnly "org.springframework.boot:spring-boot-starter-security:$LIB_SPRING_BOOT_VER"
 
     testCompile "org.springframework.boot:spring-boot-starter-web:$LIB_SPRING_BOOT_VER"
     testCompile "org.springframework.boot:spring-boot-starter-test:$LIB_SPRING_BOOT_VER"
diff --git a/graphiql-spring-boot-autoconfigure/src/main/java/com/oembedler/moon/graphiql/boot/GraphiQLController.java b/graphiql-spring-boot-autoconfigure/src/main/java/com/oembedler/moon/graphiql/boot/GraphiQLController.java
@@ -2,17 +2,18 @@
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.text.StrSubstitutor;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.core.env.Environment;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.http.MediaType;
+import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.stereotype.Controller;
 import org.springframework.util.StreamUtils;
+import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 
 import javax.annotation.PostConstruct;
@@ -28,6 +29,7 @@
 /**
  * @author Andrew Potter
  */
+@Slf4j
 @Controller
 public class GraphiQLController {
 
@@ -36,30 +38,6 @@ public class GraphiQLController {
     private static final String GRAPHIQL = "graphiql";
     private static final String FAVICON_GRAPHQL_ORG = "//graphql.org/img/favicon.png";
 
-    @Value("${graphiql.endpoint.graphql:/graphql}")
-    private String graphqlEndpoint;
-
-    @Value("${graphiql.endpoint.subscriptions:/subscriptions}")
-    private String subscriptionsEndpoint;
-
-    @Value("${graphiql.static.basePath:/}")
-    private String staticBasePath;
-
-    @Value("${graphiql.pageTitle:GraphiQL}")
-    private String pageTitle;
-
-    @Value("${graphiql.cdn.enabled:false}")
-    private Boolean graphiqlCdnEnabled;
-
-    @Value("${graphiql.cdn.version:0.13.0}")
-    private String graphiqlCdnVersion;
-
-    @Value("${graphiql.subscriptions.timeout:30}")
-    private Integer subscriptionsTimeout;
-
-    @Value("${graphiql.subscriptions.reconnect:false}")
-    private Boolean subscriptionsReconnect;
-
     @Autowired
     private Environment environment;
 
@@ -68,7 +46,7 @@ public class GraphiQLController {
 
     private String template;
     private String props;
-    private String headers;
+    private Properties headerProperties;
 
     @PostConstruct
     public void onceConstructed() throws IOException {
@@ -87,12 +65,11 @@ private void loadProps() throws IOException {
         props = new PropsLoader(environment).load();
     }
 
-    private void loadHeaders() throws JsonProcessingException {
+    private void loadHeaders() {
         PropertyGroupReader propertyReader = new PropertyGroupReader(environment, "graphiql.headers.");
-        Properties headerProperties = propertyReader.load();
+        headerProperties = propertyReader.load();
         addIfAbsent(headerProperties, "Accept");
         addIfAbsent(headerProperties, "Content-Type");
-        this.headers = new ObjectMapper().writeValueAsString(headerProperties);
     }
 
     private void addIfAbsent(Properties headerProperties, String header) {
@@ -101,26 +78,35 @@ private void addIfAbsent(Properties headerProperties, String header) {
         }
     }
 
-    @RequestMapping(value = "${graphiql.mapping:/graphiql}")
+    @GetMapping(value = "${graphiql.mapping:/graphiql}")
     public void graphiql(HttpServletRequest request, HttpServletResponse response, @PathVariable Map<String, String> params) throws IOException {
         response.setContentType("text/html; charset=UTF-8");
+        Object csrf = request.getAttribute("_csrf");
+        if (csrf != null) {
+            CsrfToken csrfToken = (CsrfToken) csrf;
+            headerProperties.setProperty(csrfToken.getHeaderName(), csrfToken.getToken());
+        }
 
         Map<String, String> replacements = getReplacements(
                 constructGraphQlEndpoint(request, params),
-                request.getContextPath() + subscriptionsEndpoint,
-                request.getContextPath() + staticBasePath
+                request.getContextPath() + graphiQLProperties.getEndpoint().getSubscriptions(),
+                request.getContextPath() + graphiQLProperties.getSTATIC().getBasePath()
         );
 
         String populatedTemplate = StrSubstitutor.replace(template, replacements);
         response.getOutputStream().write(populatedTemplate.getBytes(Charset.defaultCharset()));
     }
 
-    private Map<String, String> getReplacements(String graphqlEndpoint, String subscriptionsEndpoint, String staticBasePath) {
+    private Map<String, String> getReplacements(
+            String graphqlEndpoint,
+            String subscriptionsEndpoint,
+            String staticBasePath
+    ) {
         Map<String, String> replacements = new HashMap<>();
         replacements.put("graphqlEndpoint", graphqlEndpoint);
         replacements.put("subscriptionsEndpoint", subscriptionsEndpoint);
         replacements.put("staticBasePath", staticBasePath);
-        replacements.put("pageTitle", pageTitle);
+        replacements.put("pageTitle", graphiQLProperties.getPageTitle());
         replacements.put("pageFavicon", getResourceUrl(staticBasePath, "favicon.ico", FAVICON_GRAPHQL_ORG));
         replacements.put("es6PromiseJsUrl", getResourceUrl(staticBasePath, "es6-promise.auto.min.js",
                 joinCdnjsPath("es6-promise", "4.1.1", "es6-promise.auto.min.js")));
@@ -131,19 +117,23 @@ private Map<String, String> getReplacements(String graphqlEndpoint, String subsc
         replacements.put("reactDomJsUrl", getResourceUrl(staticBasePath, "react-dom.min.js",
                 joinCdnjsPath("react-dom", "16.8.3", "umd/react-dom.production.min.js")));
         replacements.put("graphiqlCssUrl", getResourceUrl(staticBasePath, "graphiql.min.css",
-                joinJsDelivrPath(GRAPHIQL, graphiqlCdnVersion, "graphiql.css")));
+                joinJsDelivrPath(GRAPHIQL, graphiQLProperties.getCdn().getVersion(), "graphiql.css")));
         replacements.put("graphiqlJsUrl", getResourceUrl(staticBasePath, "graphiql.min.js",
-                joinJsDelivrPath(GRAPHIQL, graphiqlCdnVersion, "graphiql.min.js")));
+                joinJsDelivrPath(GRAPHIQL, graphiQLProperties.getCdn().getVersion(), "graphiql.min.js")));
         replacements.put("subscriptionsTransportWsBrowserClientUrl", getResourceUrl(staticBasePath,
                 "subscriptions-transport-ws-browser-client.js",
                 joinJsDelivrPath("subscriptions-transport-ws", "0.9.15", "browser/client.js")));
         replacements.put("graphiqlSubscriptionsFetcherBrowserClientUrl", getResourceUrl(staticBasePath,
                 "graphiql-subscriptions-fetcher-browser-client.js",
                 joinJsDelivrPath("graphiql-subscriptions-fetcher", "0.0.2", "browser/client.js")));
         replacements.put("props", props);
-        replacements.put("headers", headers);
-        replacements.put("subscriptionClientTimeout", String.valueOf(subscriptionsTimeout * 1000));
-        replacements.put("subscriptionClientReconnect", String.valueOf(subscriptionsReconnect));
+        try {
+            replacements.put("headers", new ObjectMapper().writeValueAsString(headerProperties));
+        } catch (JsonProcessingException e) {
+            log.error("Cannot serialize headers", e);
+        }
+        replacements.put("subscriptionClientTimeout", String.valueOf(graphiQLProperties.getSubscriptions().getTimeout() * 1000));
+        replacements.put("subscriptionClientReconnect", String.valueOf(graphiQLProperties.getSubscriptions().isReconnect()));
         replacements.put("editorThemeCss", getEditorThemeCssURL());
         return replacements;
     }
@@ -161,7 +151,7 @@ private String getEditorThemeCssURL() {
     }
 
     private String getResourceUrl(String staticBasePath, String staticFileName, String cdnUrl) {
-        if (graphiqlCdnEnabled && StringUtils.isNotBlank(cdnUrl)) {
+        if (graphiQLProperties.getCdn().isEnabled() && StringUtils.isNotBlank(cdnUrl)) {
             return cdnUrl;
         }
         return joinStaticPath(staticBasePath, staticFileName);
@@ -180,7 +170,7 @@ private String joinJsDelivrPath(String library, String cdnVersion, String cdnFil
     }
 
     private String constructGraphQlEndpoint(HttpServletRequest request, @RequestParam Map<String, String> params) {
-        String endpoint = graphqlEndpoint;
+        String endpoint = graphiQLProperties.getEndpoint().getGraphql();
         for (Map.Entry<String, String> param : params.entrySet()) {
             endpoint = endpoint.replaceAll("\\{" + param.getKey() + "}", param.getValue());
         }
diff --git a/graphiql-spring-boot-autoconfigure/src/main/java/com/oembedler/moon/graphiql/boot/GraphiQLProperties.java b/graphiql-spring-boot-autoconfigure/src/main/java/com/oembedler/moon/graphiql/boot/GraphiQLProperties.java
@@ -2,13 +2,32 @@
 
 import lombok.Data;
 import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.boot.context.properties.ConfigurationPropertiesBinding;
+import org.springframework.boot.context.properties.NestedConfigurationProperty;
 
 @Data
 @ConfigurationProperties("graphiql")
 class GraphiQLProperties {
 
+    private Endpoint endpoint = new Endpoint();
+    private Static STATIC = new Static();
     private CodeMirror codeMirror = new CodeMirror();
     private Props props = new Props();
+    private String pageTitle = "GraphiQL";
+    private String mapping = "/graphiql";
+    private Subscriptions subscriptions = new Subscriptions();
+    private Cdn cdn = new Cdn();
+
+    @Data
+    static class Endpoint {
+        private String graphql = "/graphql";
+        private String subscriptions = "/subscriptions";
+    }
+
+    @Data
+    static class Static {
+        private String basePath = "/";
+    }
 
     @Data
     static class CodeMirror {
@@ -25,4 +44,16 @@ static class Variables {
             private String editorTheme;
         }
     }
+
+    @Data
+    static class Cdn {
+        private boolean enabled = false;
+        private String version = "0.13.0";
+    }
+
+    @Data
+    static class Subscriptions {
+        private int timeout = 30;
+        private boolean reconnect = false;
+    }
 }
diff --git a/graphiql-spring-boot-autoconfigure/src/main/resources/graphiql.html b/graphiql-spring-boot-autoconfigure/src/main/resources/graphiql.html
@@ -157,7 +157,7 @@
     // Render <GraphiQL /> into the body.
     ReactDOM.render(
         React.createElement(GraphiQL, props),
-        document.getElementById("splash")
+        document.body
     );
 
 </script>
