graphql-spqr-spring-boot-starter

CSRF not working?

Open sdwske opened this issue 5 years ago • 1 comments

graphql-spqr-spring-boot-starter:0.0.4 spring-boot-starter-web:2.2.1 spring-boot-starter-security:2.2.1

Doing basically nothing but adding starter-security lands us with 405 at any /graphql request. After investigating the issue, HttpSecurity#csrf().disable() fixes the problem and querying works, but we lose CSRF capability.

I read #4; it was closed, but the issue persists? Will it be fixed by default in this project?

sdwske avatar Dec 04 '19 15:12 sdwske

The following snippet should let you use CSRF with most SPAs. It's not specific to this project but to SPAs and Spring in general. And it's nothing that can be fixed within this project, only in your own WebSecurityConfiguration.

http
  // ...
  .csrf()
    .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
    //.and()
  // ...

tommy4st avatar Apr 11 '20 00:04 tommy4st
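
The client half of the configuration above, as an added example that is not part of the original thread or the project's code: `withHttpOnlyFalse()` leaves the token cookie readable by script so the SPA can copy it into a request header. It assumes the default names used by `CookieCsrfTokenRepository` (`XSRF-TOKEN` cookie, `X-XSRF-TOKEN` header); the helper names are hypothetical.

```javascript
// Added example. Assumes Spring Security's CookieCsrfTokenRepository defaults:
// cookie "XSRF-TOKEN", request header "X-XSRF-TOKEN". The /graphql path is
// the one from the issue above; function names are hypothetical.
const CSRF_COOKIE = "XSRF-TOKEN";
const CSRF_HEADER = "X-XSRF-TOKEN";

// Extract the token from a document.cookie-style string ("a=1; b=2").
// The cookie name is compared exactly, so "MY-XSRF-TOKEN" is not picked up.
function readCsrfToken(cookieString) {
  for (const part of (cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === CSRF_COOKIE) {
      const value = part.slice(eq + 1).trim();
      return value ? decodeURIComponent(value) : null;
    }
  }
  return null;
}

// Build the fetch() arguments for a GraphQL POST. Returns null when no token
// cookie is present yet: the page needs an earlier response from the server
// that set the cookie before it can send a state-changing request.
function buildGraphqlRequest(cookieString, query, variables = {}) {
  const token = readCsrfToken(cookieString);
  if (token === null) return null;
  return {
    url: "/graphql",
    init: {
      method: "POST",
      credentials: "same-origin", // send cookies to the same origin only
      headers: { "Content-Type": "application/json", [CSRF_HEADER]: token },
      body: JSON.stringify({ query, variables }),
    },
  };
}

// Browser usage (not executed here):
//   const req = buildGraphqlRequest(document.cookie, "{ __typename }");
//   if (req) await fetch(req.url, req.init);
```

A POST built this way passes Spring's CSRF filter because the header value matches the cookie the server issued, which a cross-site page cannot read.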