author | Bob Van Landuyt <bob@vanlanduyt.co> | 2019-03-03 15:53:03 +0300 |
---|---|---|
committer | Bob Van Landuyt <bob@vanlanduyt.co> | 2019-03-06 17:38:00 +0300 |
commit | b623932eb303921a721244c707f145e1baf29da0 (patch) | |
tree | 462c0cb2fc69c1ba8f81662cdb942a1e55464871 /app/controllers/graphql_controller.rb | |
parent | ee4ba6ce38cb3edc426a6323e1ef25b5611a4d04 (diff) |
Allow GraphQL requests without CSRF token
With this we allow authentication using a session or using a personal
access token.
Authentication using a session and CSRF token makes it easy to play
with GraphQL from the GraphiQL endpoint we expose.
But we cannot enforce CSRF validity, otherwise authentication for
regular API clients would fail when they use personal access tokens to
authenticate.
Diffstat (limited to 'app/controllers/graphql_controller.rb')
-rw-r--r-- | app/controllers/graphql_controller.rb | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/app/controllers/graphql_controller.rb b/app/controllers/graphql_controller.rb index 3ef03bc9622..e147d32be2e 100644 --- a/app/controllers/graphql_controller.rb +++ b/app/controllers/graphql_controller.rb @@ -3,9 +3,16 @@ class GraphqlController < ApplicationController # Unauthenticated users have access to the API for public data skip_before_action :authenticate_user! - prepend_before_action(only: [:execute]) { authenticate_sessionless_user!(:api) } + + # Allow missing CSRF tokens, this would mean that if a CSRF is invalid or missing, + # the user won't be authenticated but can proceed as an anonymous user. + # + # If a CSRF is valid, the user is authenticated. This makes it easier to play + # around in GraphiQL. + protect_from_forgery with: :null_session, only: :execute before_action :check_graphql_feature_flag! + before_action(only: [:execute]) { authenticate_sessionless_user!(:api) } def execute variables = Gitlab::Graphql::Variables.new(params[:variables]).to_h |
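Review bot: the ordering dependency in this hunk is load-bearing but undocumented: `protect_from_forgery with: :null_session, only: :execute` is declared before `before_action(only: [:execute]) { authenticate_sessionless_user!(:api) }`, and the old `prepend_before_action` was deliberately changed to a plain `before_action` so that the forgery check (and the session nulling it performs on a missing or invalid token) runs before the personal-access-token authentication is attempted. A future change that moves the sessionless authentication back to `prepend_before_action`, or moves the `protect_from_forgery` line below it, would silently reverse that order without any test catching it. Suggest extending the comment with one line such as `# Must run after protect_from_forgery above: a request with a bad CSRF token is downgraded to anonymous before token authentication is tried.` and adding a controller spec that sends a session cookie with an invalid CSRF token and asserts the query executes as an anonymous user rather than as the signed-in user. Two smaller points on the same lines: the comment "Allow missing CSRF tokens, this would mean that ..." is a comma splice ("Allow missing CSRF tokens. This means that ..."), and `:null_session` makes an invalid token fail silently as an anonymous request, so a browser user with a stale token will see permission or not-found errors with no hint that CSRF was the cause; consider logging the downgrade (for example from a `handle_unverified_request` override) so the failure mode is diagnosable in production.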