
GraphQL POST requests fail due to CSRF security


Details

    • Bug
    • Resolution: Fixed
    • Critical
    • 1.0.1
    • None

    Description

      POST requests to GraphQL endpoint get 403 security issues.
      The message in 403 says:
      <p><b>Message</b> CSRF token mismatch possibly caused by expired session. Please re-open the page and submit the
      form again.</p>
       
      Input from Bartosz:
      I spun up fresh 6.2.10 with magnolia-dx-core-demo-webapp
      In security app I opened for GET & POST {{/.graphql*}}.
      When using postman with GET and calling: http://localhost:8080/magnoliaAuthor/.graphql?query=%7Btours%7Bname%7D%7D
      I get correct response.
      When trying with POST with both Content-Types followed from here: https://docs.magnolia-cms.com/product-docs/6.2/Developing/API/GraphQL-API.html#_post_method
      I get 403 both times.

      Notes
      It appears that this is related to 6.2.10 introduced additional CSRF security measures.
      https://jira.magnolia-cms.com/browse/MAGNOLIA-8115

      Workaround - Developer note from Rico:
      I guess you need to add another bypass for CSRF Token filter:

      BypassGraphQL:
        class: info.magnolia.voting.voters.URIStartsWithVoter
        pattern: /.graphql
      (The above was confirmed to work by Bartosz)
       .....
      fixed the demo until 6.2.11, then either core adds this additional bypass (as it does for /.rest and /.magnolia/activation) or GraphQL module itself does it.
      Also, I guess we need to mention this issue in 6.2.10 RNs/Known issues section.

      Implications

      One implication is that this breaks the Tour Finder on the demo project and on the hosted demo:

      https://jira.magnolia-cms.com/browse/MGNLDEMO-376

      Fix

      The implemented fix adds a bypass for the CSRF token check by allowing requests to /.graphql without checking the CSRF token.
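      To make the effect of the bypass concrete, the following is an added model of the filter behaviour described in this issue, not Magnolia's own code: a CSRF token filter that skips the token check for URIs matching a configured prefix. It assumes URIStartsWithVoter does plain prefix matching on the path without the context path, and that GET is never checked.

```python
"""Model of a CSRF token filter with URI-prefix bypass voters (constructed example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Message quoted in the issue's 403 response.
CSRF_403_MESSAGE = ("CSRF token mismatch possibly caused by expired session. "
                    "Please re-open the page and submit the form again.")

# Bypasses the issue says core already ships for 6.2.10 (assumption: modelled
# as plain startsWith prefixes, which is what a URIStartsWithVoter is taken to do).
CORE_BYPASSES: Tuple[str, ...] = ("/.rest", "/.magnolia/activation")

# The additional bypass from the workaround / fix.
GRAPHQL_BYPASS = "/.graphql"


@dataclass(frozen=True)
class CsrfTokenFilter:
    bypass_prefixes: Tuple[str, ...] = CORE_BYPASSES

    def bypassed(self, uri: str) -> bool:
        """True when some configured voter exempts this URI from the token check."""
        return any(uri.startswith(prefix) for prefix in self.bypass_prefixes)

    def handle(self, method: str, uri: str,
               session_token: Optional[str], request_token: Optional[str]) -> int:
        """Return the HTTP status the filter produces; 200 means the request passes."""
        if method.upper() == "GET":
            return 200          # safe method: token is never required
        if self.bypassed(uri):
            return 200          # voter bypass: token not checked (this is the fix)
        if session_token is None or request_token != session_token:
            return 403          # token missing/mismatched: CSRF_403_MESSAGE is returned
        return 200


def with_graphql_bypass(base: CsrfTokenFilter = CsrfTokenFilter()) -> CsrfTokenFilter:
    """Filter configured as after the fix: core bypasses plus /.graphql."""
    return CsrfTokenFilter(base.bypass_prefixes + (GRAPHQL_BYPASS,))


def graphql_post_status(filt: CsrfTokenFilter) -> int:
    """Status of a Postman-style POST to /.graphql with no CSRF token, as in the report."""
    return filt.handle("POST", "/.graphql", session_token="s3cr3t", request_token=None)
```

Note that the bypass only disables the token check for the matching prefix: a token-less POST to any other path, such as an AdminCentral URL, still gets the 403.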

              People

                mduerig Michael Duerig
                czimmermann Christopher Zimmermann