fix(graphql): use null_session forgery protection on graphql controller to allow open data requests

Paul Chavard 2024-06-06 16:28:35 +02:00
parent 204953b1ee
commit 2ecaee6fe2


@ -1,5 +1,11 @@
class API::V2::BaseController < ApplicationController
skip_forgery_protection if: -> { request.headers.key?('HTTP_AUTHORIZATION') }
# This controller is used for API v2 through api endpoint (/api/v2/graphql)
# and through the web interface (/graphql). When used through the web interface,
# we use connected administrateur to authenticate the request. We want CSRF protection
# for the web interface, but not for the API endpoint. :null_session means that when the
# request is not CSRF protected, we will not raise an exception,
# but we will provide the controller with an empty session.
protect_from_forgery with: :null_session
skip_before_action :setup_tracking
before_action :authenticate_from_token
before_action :ensure_authorized_network, if: -> { @api_token.present? }
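Review bot: The comment added above `protect_from_forgery with: :null_session` explains the mechanism but not the contract downstream code must now honour: a web-interface request that fails CSRF verification is no longer rejected, it runs with an empty session, so the connected administrateur is absent and the request proceeds exactly as an anonymous caller's would. Rails' null-session handler also swaps in an empty cookie jar for the rest of the request, so anything in this filter chain that reads cookies rather than `session` sees nothing in that case; worth stating if `authenticate_from_token` or later filters depend on it. I would extend the comment with `# A request that fails verification runs as anonymous (empty session and cookies), so every query or mutation reachable this way must already be safe for unauthenticated callers.` The class body continues past the hunk.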