From 2ecaee6fe283ad6ca64f24160c603023edfc31f4 Mon Sep 17 00:00:00 2001
From: Paul Chavard
Date: Thu, 6 Jun 2024 16:28:35 +0200
Subject: [PATCH] fix(graphql): use null_session forgery protection on graphql controller to allow open data requests

---
 app/controllers/api/v2/base_controller.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/app/controllers/api/v2/base_controller.rb b/app/controllers/api/v2/base_controller.rb
index 3c7d44e09..f247e2a12 100644
--- a/app/controllers/api/v2/base_controller.rb
+++ b/app/controllers/api/v2/base_controller.rb
@@ -1,5 +1,11 @@
 class API::V2::BaseController < ApplicationController
-  skip_forgery_protection if: -> { request.headers.key?('HTTP_AUTHORIZATION') }
+  # This controller is used for API v2 through api endpoint (/api/v2/graphql)
+  # and through the web interface (/graphql). When used through the web interface,
+  # we use connected administrateur to authenticate the request. We want CSRF protection
+  # for the web interface, but not for the API endpoint. :null_session means that when the
+  # request is not CSRF protected, we will not raise an exception,
+  # but we will provide the controller with an empty session.
+  protect_from_forgery with: :null_session
   skip_before_action :setup_tracking
   before_action :authenticate_from_token
   before_action :ensure_authorized_network, if: -> { @api_token.present? }
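Review bot: With `protect_from_forgery with: :null_session` replacing the conditional skip, every non-GET token-authenticated API call now runs through `verify_authenticity_token`, fails it (no CSRF token, no same-origin), and is only then let through — so each such request emits Rails' "Can't verify CSRF token authenticity." warning, which buries the one occurrence of that line that still matters for the web path. If that noise is unwanted, keep the previous skip for Authorization-header requests next to the new line: `protect_from_forgery with: :null_session` followed by `skip_forgery_protection if: -> { request.headers.key?('HTTP_AUTHORIZATION') }`. The comment block could also spell out what the web-interface protection now rests on, e.g. `# Web-interface safety relies on null_session discarding the session and cookie jar on a failed check; any auth that reads other request state is not covered.` `authenticate_from_token` and `ensure_authorized_network` are defined outside this hunk, so how they behave against an empty session is inferred rather than seen.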