GraphiQL starter is not compatible with Spring security #253

jonrimmer · 2019-06-01T17:32:04Z

Spring Security enables CSRF protection by default and thus requires the CSRF token header on POST requests to the /graphql endpoint. If Spring Security is loaded and CSRF protection is not disabled, the /graphiql endpoint will get a 403 error when it tries to access the /graphql endpoint.

GraphiQLController should check the _csrf attribute in the request and, if it exists, use the header name and the token it contains to add a header to the headers collection used by the fetcher function supplied to GraphiQL.

The text was updated successfully, but these errors were encountered:

…added (cf. graphql-java-kickstart#253)

oliemansm · 2019-06-20T06:20:26Z

Thanks for reporting it, fixed this in 5.9.1

BlasiusSecundus added a commit to BlasiusSecundus/graphql-spring-boot that referenced this issue Jun 2, 2019

feat(graphql-java-kickstart#212): CSRF headers are now automatically …

f103b4e

…added (cf. graphql-java-kickstart#253)

oliemansm added the bug label Jun 19, 2019

oliemansm added this to the 5.9.1 milestone Jun 20, 2019

oliemansm closed this as completed in 5500517 Jun 20, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

GraphiQL starter is not compatible with Spring security #253

GraphiQL starter is not compatible with Spring security #253

jonrimmer commented Jun 1, 2019

oliemansm commented Jun 20, 2019

Uh oh!

GraphiQL starter is not compatible with Spring security #253

GraphiQL starter is not compatible with Spring security #253

Comments

jonrimmer commented Jun 1, 2019

oliemansm commented Jun 20, 2019

Uh oh!