Merge pull request #9 from anibalsolon/bug/csrf_validation

Fetch CSRF cookie to validate w/ Graphene API
graphql-python · Oct 26, 2016 · 8257777 · 8257777
2 parents a2a7f66 + f603852
commit 8257777
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 3 deletions.
diff --git a/gql/transport/http.py b/gql/transport/http.py
@@ -1,5 +1,6 @@
 class HTTPTransport(object):
 
-    def __init__(self, url, headers=None):
+    def __init__(self, url, headers=None, cookies=None):
         self.url = url
         self.headers = headers
+        self.cookies = cookies
diff --git a/gql/transport/requests.py b/gql/transport/requests.py
@@ -31,6 +31,7 @@ def execute(self, document, variable_values=None, timeout=None):
         post_args = {
             'headers': self.headers,
             'auth': self.auth,
+            'cookies': self.cookies,
             'timeout': timeout or self.default_timeout,
             data_key: payload
         }

diff --git a/tests/test_transport.py b/tests/test_transport.py
@@ -1,14 +1,25 @@
 import pytest
+import requests
 
 from gql import Client, gql
 from gql.transport.requests import RequestsHTTPTransport
 
 
 @pytest.fixture
 def client():
+    request = requests.get('http://swapi.graphene-python.org/graphql',
+                           headers={
+                               'Host': 'swapi.graphene-python.org',
+                               'Accept': 'text/html',
+                           })
+    request.raise_for_status()
+    csrf = request.cookies['csrftoken']
+
     return Client(
-      transport=RequestsHTTPTransport(url='http://swapi.graphene-python.org/graphql'),
-      fetch_schema_from_transport=True
+        transport=RequestsHTTPTransport(url='http://swapi.graphene-python.org/graphql',
+                                        cookies={"csrftoken": csrf},
+                                        headers={'x-csrftoken':  csrf}),
+        fetch_schema_from_transport=True
     )