[MGNLGQL-101] GraphQL POST requests fail due to CSRF security Created: 06/Jul/21  Updated: 18/Oct/21  Resolved: 13/Jul/21

Status: Closed
Project: Magnolia GraphQL
Component/s: None
Affects Version/s: None
Fix Version/s: 1.0.1

Type: Bug Priority: Critical
Reporter: Christopher Zimmermann Assignee: Michael Duerig
Resolution: Fixed Votes: 0
Labels: csrf
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Problem/Incident
dependency
is depended upon by MGNLDEMO-376 Tour Finder on hosted public demo is ... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[X]* Steps to reproduce, expected, and actual results filled
[X]* Affected version filled
Date of First Response:

Description

POST requests to the GraphQL endpoint are rejected with HTTP 403.
The 403 response says:
Message: CSRF token mismatch possibly caused by expired session. Please re-open the page and submit the form again.
 
Input from Bartosz:
I spun up a fresh 6.2.10 with magnolia-dx-core-demo-webapp.
In the security app I opened {{/.graphql*}} for GET & POST. When using Postman with GET and calling http://localhost:8080/magnoliaAuthor/.graphql?query=%7Btours%7Bname%7D%7D I get the correct response.
When trying POST with both Content-Types as described here: https://docs.magnolia-cms.com/product-docs/6.2/Developing/API/GraphQL-API.html#_post_method
I get 403 both times.

Notes
It appears that this is related to the additional CSRF security measures introduced in 6.2.10:
https://jira.magnolia-cms.com/browse/MAGNOLIA-8115

Workaround - Developer note from Rico:
I guess you need to add another bypass for the CSRF token filter:

'BypassGraphQL':
  'class': 'info.magnolia.voting.voters.URIStartsWithVoter'
  'pattern': '/.graphql'
(The above was confirmed to work by Bartosz)
 .....
fixed the demo until 6.2.11, then either core adds this additional bypass (as it does for /.rest and /.magnolia/activation ) or GraphQL module itself does it.
Also, I guess we need to mention this issue in 6.2.10 RNs/Known issues section.

Implications

One implication is that this breaks the Tour Finder on the demo project and on the hosted demo:

https://jira.magnolia-cms.com/browse/MGNLDEMO-376

Fix

The implemented fix adds a bypass for the CSRF token check so that requests to /.graphql are not checked for a CSRF token.
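To make the scope of the workaround and of the fix concrete, here is a simplified model, added to this ticket and not Magnolia's code, of a CSRF token filter fronted by a URIStartsWithVoter bypass. It assumes the filter checks only non-safe methods and that the voter is a plain prefix match on the URI without the context path; it also shows that a prefix pattern covers every URI starting with /.graphql, not only the endpoint itself.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
# Simplified model written for this ticket, not Magnolia's code. Assumed:
# only non-safe methods are checked, URIStartsWithVoter is a plain prefix
# match, and the URI is compared without the context path (/magnoliaAuthor).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
MISMATCH_MSG = "CSRF token mismatch possibly caused by expired session"

@dataclass
class URIStartsWithVoter:
    """Votes to skip the token check when the URI starts with `pattern`."""
    pattern: str
    def bypasses(self, uri: str) -> bool:
        return uri.startswith(self.pattern)

@dataclass
class Request:
    method: str
    uri: str                        # relative to the context path
    session_token: Optional[str]    # token bound to the user's session
    submitted_token: Optional[str]  # token carried by the request, if any

@dataclass
class CsrfFilter:
    bypasses: List[URIStartsWithVoter] = field(default_factory=list)

    def decide(self, req: Request) -> Tuple[int, str]:
        # Returns (HTTP status, reason) for one request.
        if req.method in SAFE_METHODS:
            return 200, "safe method, token not checked"
        for voter in self.bypasses:
            if voter.bypasses(req.uri):
                return 200, "bypassed by pattern " + voter.pattern
        if req.submitted_token and req.submitted_token == req.session_token:
            return 200, "token matches"
        return 403, MISMATCH_MSG

def graphql_post(uri: str = "/.graphql") -> Request:
    # A GraphQL client posts JSON, not an HTML form, so no token travels along.
    return Request("POST", uri, session_token="s3ss10n", submitted_token=None)

def status_before_fix() -> int:
    return CsrfFilter().decide(graphql_post())[0]

def status_after_fix(uri: str = "/.graphql") -> int:
    return CsrfFilter([URIStartsWithVoter("/.graphql")]).decide(graphql_post(uri))[0]

if __name__ == "__main__":
    # 403 on 6.2.10, 200 with the bypass, and 200 for any URI sharing the prefix
    print(status_before_fix(), status_after_fix(), status_after_fix("/.graphql-other"))
```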



Comments
Comment by Michael Duerig [ 13/Jul/21 ]

For RN: Allow GraphQL to bypass the CSRF token check

Generated at Mon Feb 12 05:52:36 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.