Details
- Bug
- Resolution: Fixed
- Critical
- None
Description
POST requests to the GraphQL endpoint are rejected with a 403.
The 403 response body says:
Message: CSRF token mismatch possibly caused by expired session. Please re-open the page and submit the form again.
Input from Bartosz:
I spun up a fresh 6.2.10 with magnolia-dx-core-demo-webapp.
In the security app I opened /.graphql* for GET & POST.
When using Postman with GET and calling http://localhost:8080/magnoliaAuthor/.graphql?query=%7Btours%7Bname%7D%7D
I get the correct response.
When trying with POST with both Content-Types followed from here: https://docs.magnolia-cms.com/product-docs/6.2/Developing/API/GraphQL-API.html#_post_method
I get 403 both times.
Notes
It appears that this is related to the additional CSRF security measures introduced in 6.2.10:
https://jira.magnolia-cms.com/browse/MAGNOLIA-8115
Workaround - Developer note from Rico:
I guess you need to add another bypass for the CSRF Token filter:

    # a new child of the CSRF token filter's bypasses node (Magnolia filter-chain layout assumed)
    BypassGraphQL:
      class: info.magnolia.voting.voters.URIStartsWithVoter
      pattern: /.graphql

(The above was confirmed to work by Bartosz)
.....
I fixed the demo until 6.2.11, then either core adds this additional bypass (as it does for /.rest and /.magnolia/activation ) or GraphQL module itself does it.
Also, I guess we need to mention this issue in 6.2.10 RNs/Known issues section.
Implications
One implication is that this breaks the Tour Finder on the demo project and on the hosted demo:
https://jira.magnolia-cms.com/browse/MGNLDEMO-376
Fix
The implemented fix adds a bypass for the CSRF token check, so requests to /.graphql pass through the filter without their CSRF token being checked.
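The bypass mechanism the fix relies on, as an added example that is not Magnolia's own code: a Python model of a CSRF token filter guarded by prefix-matching bypass voters. The voter class name follows the workaround above, but the filter logic, the handling of safe methods, the token values and the sample URIs are constructed assumptions, not taken from Magnolia.

```python
# Added example, not Magnolia's own code: a small model of how a filter-chain
# bypass built from URIStartsWithVoter-style entries decides whether the CSRF
# token check is skipped, and what the check does when it is not skipped.
# Assumptions (not taken from the issue): the check only guards state-changing
# methods, which matches the report that GET works while POST gets 403; the URI
# handed to the voter is the path under the webapp context; Magnolia's real
# voter and filter classes are not reproduced.
import hmac
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class URIStartsWithVoter:
    """Prefix match, like info.magnolia.voting.voters.URIStartsWithVoter."""
    pattern: str

    def vote(self, uri: str) -> bool:
        return uri.startswith(self.pattern)


@dataclass
class CsrfTokenFilter:
    """CSRF token check guarded by a list of bypass voters (model only)."""
    bypasses: List[URIStartsWithVoter] = field(default_factory=list)

    def is_bypassed(self, uri: str) -> bool:
        # Any single voter saying "yes" lets the request skip the check entirely.
        return any(v.vote(uri) for v in self.bypasses)

    def handle(self, method: str, uri: str,
               session_token: Optional[str], submitted_token: Optional[str]) -> int:
        """Return the HTTP status the filter would produce (200 = passed through)."""
        if method in ("GET", "HEAD", "OPTIONS"):
            return 200                      # assumed: safe methods are not checked
        if self.is_bypassed(uri):
            return 200                      # bypass: no token is required at all
        if session_token is None or submitted_token is None:
            return 403                      # no session token, or none submitted
        if not hmac.compare_digest(session_token, submitted_token):
            return 403                      # "CSRF token mismatch"
        return 200


def default_filter() -> CsrfTokenFilter:
    """Bypasses the issue says core already ships (/.rest, /.magnolia/activation)."""
    return CsrfTokenFilter(bypasses=[URIStartsWithVoter("/.rest"),
                                     URIStartsWithVoter("/.magnolia/activation")])


def with_graphql_bypass() -> CsrfTokenFilter:
    """default_filter() plus the BypassGraphQL entry from the workaround."""
    f = default_filter()
    f.bypasses.append(URIStartsWithVoter("/.graphql"))
    return f


def graphql_post_status(filt: CsrfTokenFilter) -> int:
    """A Postman-style POST to /.graphql carrying no CSRF token, as in the report."""
    return filt.handle("POST", "/.graphql", session_token="constructed-token",
                       submitted_token=None)


def covered_by_bypass(filt: CsrfTokenFilter) -> List[str]:
    """Which of these constructed URIs the bypass list lets through unchecked.
    A prefix voter covers /.graphql/... and /.graphql?... but also any other
    path that merely starts with /.graphql."""
    candidates = ["/.graphql", "/.graphql/", "/.graphql?query=%7Btours%7Bname%7D%7D",
                  "/.graphql-admin", "/.rest/nodes", "/.magnolia/activation",
                  "/.graphqlx", "/tours"]
    return [u for u in candidates if filt.is_bypassed(u)]


if __name__ == "__main__":
    print("POST /.graphql without bypass:", graphql_post_status(default_filter()))
    print("POST /.graphql with bypass   :", graphql_post_status(with_graphql_bypass()))
    print("URIs skipped by bypass list  :", covered_by_bypass(with_graphql_bypass()))
```

Run stand-alone, the POST without the bypass yields 403 and with it 200. The last list is the practical caveat: URIStartsWithVoter is a prefix match, so the bypass removes the CSRF check for every URI beginning with /.graphql, not only the endpoint itself, and anything served under that prefix has to rely on its own protections.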
Issue Links
- is depended upon by: MGNLDEMO-376 Tour Finder on hosted public demo is broken (Closed)