Project: Magnolia GraphQL
Issue: MGNLGQL-101

GraphQL POST requests fail due to CSRF security


    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • Version: 1.0.1

      POST requests to the GraphQL endpoint are refused with a 403 response.
      The 403 message says:
      Message: CSRF token mismatch possibly caused by expired session. Please re-open the page and submit the form again.
       
      Input from Bartosz:
      I spun up a fresh 6.2.10 with magnolia-dx-core-demo-webapp.
      In the security app I opened /.graphql* for GET & POST.
      When using Postman with GET and calling http://localhost:8080/magnoliaAuthor/.graphql?query=%7Btours%7Bname%7D%7D
      I get the correct response.
      When trying with POST with both Content-Types followed from here: https://docs.magnolia-cms.com/product-docs/6.2/Developing/API/GraphQL-API.html#_post_method
      I get 403 both times.

      Notes
      This appears to be caused by the additional CSRF security measures introduced in 6.2.10:
      https://jira.magnolia-cms.com/browse/MAGNOLIA-8115

      Workaround - Developer note from Rico:
      I guess you need to add another bypass for the CSRF token filter:

        BypassGraphQL:
          class: info.magnolia.voting.voters.URIStartsWithVoter
          pattern: /.graphql

      (The above was confirmed to work by Bartosz)
      ...
      Fixed the demo until 6.2.11; then either core adds this additional bypass (as it does for /.rest and /.magnolia/activation) or the GraphQL module itself does it.
      Also, I guess we need to mention this issue in the 6.2.10 RNs/Known issues section.

      Implications

      One implication is that this breaks the Tour Finder on the demo project and on the hosted demo:

      https://jira.magnolia-cms.com/browse/MGNLDEMO-376

      Fix

      The implemented fix adds a bypass to the CSRF token check so that requests to /.graphql are let through without the token being verified.
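      To make the cause of the 403 and the effect of the workaround and fix concrete, the following is an added Python model of a CSRF filter with bypass voters, written for this note and not taken from Magnolia or the GraphQL module. The Request, CsrfFilter and voter classes, the dictionary key names, the context-relative URIs and the rule that only non-GET methods are token-checked are assumptions; the three bypass paths and the voter class name are those quoted in the developer note. It shows why the POST in the report is refused while the GET succeeds, why adding BypassGraphQL lets the POST through, and that the voter is a prefix match, so it covers every path that starts with /.graphql, not only the endpoint itself.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumption: only state-changing methods are subject to the token check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    """Constructed request. The URI is context-relative (no /magnoliaAuthor
    prefix), which is an assumption about what the voter compares against."""
    method: str
    uri: str
    form_token: Optional[str] = None     # token submitted with the request
    session_token: Optional[str] = None  # token held in the server-side session


class URIStartsWithVoter:
    """Model of a prefix-matching bypass voter (class name from the issue,
    behaviour assumed from the name)."""

    def __init__(self, pattern: str):
        self.pattern = pattern

    def vote(self, req: Request) -> bool:
        return req.uri.startswith(self.pattern)


@dataclass
class CsrfFilter:
    bypasses: Dict[str, URIStartsWithVoter] = field(default_factory=dict)

    def is_bypassed(self, req: Request) -> bool:
        return any(voter.vote(req) for voter in self.bypasses.values())

    def check(self, req: Request) -> int:
        """Return 200 if the request may pass the filter, 403 if the token check fails."""
        if req.method in SAFE_METHODS or self.is_bypassed(req):
            return 200
        if req.form_token is None or req.form_token != req.session_token:
            # Corresponds to "CSRF token mismatch possibly caused by expired session".
            return 403
        return 200


def core_bypasses() -> Dict[str, URIStartsWithVoter]:
    """Bypasses the developer note says core already ships for /.rest and
    /.magnolia/activation; the dictionary keys are constructed names."""
    return {
        "BypassRest": URIStartsWithVoter("/.rest"),
        "BypassActivation": URIStartsWithVoter("/.magnolia/activation"),
    }


def with_graphql_bypass() -> Dict[str, URIStartsWithVoter]:
    """The configuration from the workaround: the core voters plus BypassGraphQL."""
    bypasses = core_bypasses()
    bypasses["BypassGraphQL"] = URIStartsWithVoter("/.graphql")
    return bypasses


def outcomes() -> Dict[str, int]:
    """Run constructed requests through the filter before and after the workaround."""
    before = CsrfFilter(core_bypasses())
    after = CsrfFilter(with_graphql_bypass())
    graphql_get = Request("GET", "/.graphql")
    graphql_post = Request("POST", "/.graphql")  # Postman POST, no token sent
    return {
        "get_before": before.check(graphql_get),    # 200: GET is never token-checked
        "post_before": before.check(graphql_post),  # 403: the behaviour in the report
        "post_after": after.check(graphql_post),    # 200: BypassGraphQL matches
        "rest_post_before": before.check(Request("POST", "/.rest/nodes/v1/website")),  # 200
        # Prefix semantics: any path starting with /.graphql is bypassed too.
        "prefix_sibling_after": after.check(Request("POST", "/.graphql-other")),  # 200
        # Form posts elsewhere still need a token that matches the session.
        "form_ok": after.check(Request("POST", "/form", form_token="t1", session_token="t1")),  # 200
        "form_expired": after.check(Request("POST", "/form", form_token="t1", session_token=None)),  # 403
    }


if __name__ == "__main__":
    for name, status in outcomes().items():
        print(f"{name}: {status}")
```

      Once the bypass is in place, the token check no longer guards anything under the /.graphql prefix, so access to that prefix rests on the URI permissions (the GET & POST rule for /.graphql* that Bartosz opened in the security app) and on whatever authentication the endpoint itself enforces; the prefix_sibling_after case above is a reminder to check which paths a URIStartsWithVoter pattern actually covers.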

        Acceptance criteria

              People: mduerig (Michael Duerig), czimmermann (Christopher Zimmermann)