CSRF/XSRF for GraphiQL

[la289]

SpringSecurity is making it difficult to work with GraphiQL due to CSRF validation. Has adding a CSRF attribute been considered?

Is there any other good way to deal with this?

[paulbakker]

What's the problem you're seeing? I don't think we're aware of the issue.

[la289]

Sorry for the delayed response:

While using the DGS framework, I have the GraphIQL playground enabled. However, unless I disable the CSRF validation in SpringSecurity, all requests return 404 since I think the CSRF token is not sent in the GraphQL requests.

This is the response I see in the playground when loading the playground as well as when running any query.

{
  "timestamp": "2021-09-13T20:53:24.659+00:00",
  "status": 404,
  "error": "Not Found",
  "path": "/graphql"
}

The XSRF-Token cookie exists and is viewable from the network tab.

I'm using version 2.5.2 of spring boot in a Kotlin application