Merge pull request #10496 from tchak/fix-graphql-allow-requests-with-no-token

fix(graphql): use null_session forgery protection on graphql controller to allow open data requests
Colin Darie 2024-06-24 10:11:35 +00:00 committed by GitHub
commit a1edbd08a2


@ -1,5 +1,11 @@
class API::V2::BaseController < ApplicationController
skip_forgery_protection if: -> { request.headers.key?('HTTP_AUTHORIZATION') }
# This controller is used for API v2 through api endpoint (/api/v2/graphql)
# and through the web interface (/graphql). When used through the web interface,
# we use connected administrateur to authenticate the request. We want CSRF protection
# for the web interface, but not for the API endpoint. :null_session means that when the
# request is not CSRF protected, we will not raise an exception,
# but we will provide the controller with an empty session.
protect_from_forgery with: :null_session
skip_before_action :setup_tracking
before_action :authenticate_from_token
before_action :ensure_authorized_network, if: -> { @api_token.present? }
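Review bot: The new `protect_from_forgery with: :null_session` on the line after the comment block turns an unverified browser request into an anonymous one instead of rejecting it, so the security of the web path now rests entirely on `authenticate_from_token` and every downstream resolver reading identity only through the (now nulled) session — any fallback that reads `cookies` or a cached `@current_administrateur` outside the request session would let a cross-site POST to /graphql act as the logged-in administrateur. `authenticate_from_token` and the rest of the class body are outside the hunk, so this is inferred, not verified from the visible lines. I would state the resulting contract in the comment, e.g. append `# Unverified browser requests therefore run with no administrateur: resolvers must gate` / `# non-public data on the token or the verified session, never on request cookies.`, and add a request spec asserting that a POST to /graphql without a CSRF token but with a logged-in session returns only the open-data subset. Also worth noting in the comment that `:null_session` also nulls `cookies` and `flash` for the request, since that is the reason the downgrade is safe rather than an implementation detail.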