Support for Spring Security (needs CSRF Token for graphiql) #4
Comments
We were gonna do proper spring security integration now that SPQR 0.9.8 is out. The idea is to first release 0.0.2 that would just support basic functionality that's present now. And after that move on to more advanced use cases.
@BaldyLocks, I'm using I know there is a way to enable spring security annotations with I'm guessing I will have to ditch the spring boot starter and use plain
Well you shouldn't have problems of that kind, the improvements we were going to do are regarding filtering the schema as well, the query execution should be working with method level security.
I made a minimum working example. I hope it's minimum enough. :) You will only have to do
Also, I've written a controller that binds to the URL The
@BaldyLocks, is there a workaround for this? Could I maybe check for every request and if they match one from a defined list, I ask for authentication?
@hamidsafdari sorry for not answering for so long, life decided to get complicated lately. You could do that, however you shouldn't have to, let me first check your example this evening and see what's the problem.
So, it looks like there was something wrong with my setup. I can't replicate my first problem. Now if I log in, I do get the correct user and authorities using graphql. The second problem still stands though. If I annotate my graphql query with an annotation like I've also whipped up another (not so much) minimal example with a home page, a login and logout link. It also shows the name of the current user. Just saving the time running a cURL request in the console.
@hamidsafdari Yes we see the problem, spqr gets a dynamic proxy generated by Spring and doesn't know how to handle it. The immediate workaround would be to create a custom resolver builder that would use Spring utils to unwrap the proxy. We'll try to implement it over the weekend in the starter so you don't have to do it yourself.
That would be awesome. I'm working on this other project that has around 20 or so entity objects. Adding all the services to the resolver doesn't seem like a good way to go.
I've pushed a fix for #12 which, if I understand the conversation right, should close this issue as well.
#12 fixed the issue, so this can be closed.
When adding spring-boot-starter-security you have to disable CSRF protection, because the graphiql user interface doesn't send csrf token when doing requests to POST /graphql. Don't know if that's possible at all. Else just close this issue.
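
An added example, not part of the original issue or the starter's code: the CSRF choices for `POST /graphql` side by side, from the global switch-off the issue describes to keeping the check on. It assumes Spring Security 5.x with `WebSecurityConfigurerAdapter`; the class and helper method names are hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Added example; class and helper names are hypothetical.
@Configuration
@EnableWebSecurity
public class GraphQlSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().formLogin();
        // Preferred variant; swap for exemptGraphQlOnly(http) only if the
        // GraphiQL page cannot be made to send a header.
        cookieToken(http);
    }

    // Weak: no endpoint checks a CSRF token any more, including the login
    // form and logout.
    static void disableEverywhere(HttpSecurity http) throws Exception {
        http.csrf().disable();
    }

    // Narrower: only /graphql skips the check. With session-cookie
    // authentication, mutations sent to that endpoint are then no longer
    // protected against cross-site requests.
    static void exemptGraphQlOnly(HttpSecurity http) throws Exception {
        http.csrf().ignoringAntMatchers("/graphql");
    }

    // Keeps the check on: the token is issued in a script-readable XSRF-TOKEN
    // cookie and must come back in the X-XSRF-TOKEN request header, which the
    // GraphiQL page's fetch call would need to set.
    static void cookieToken(HttpSecurity http) throws Exception {
        http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```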