Skip to content
This repository was archived by the owner on Dec 19, 2023. It is now read-only.

Commit 0fe225f

Browse files
oliemansmoliemansm
authored
Merge pull request #627 from graphql-java-kickstart/feat/voyager-csrf-header
Feat/voyager csrf header
2 parents 7a217f1 + c91cf9d commit 0fe225f

16 files changed

Lines changed: 252 additions & 95 deletions

File tree

gradle.properties

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -44,5 +44,3 @@ PLUGIN_JACOCO_VER=0.8.7
4444
PLUGIN_SONARQUBE_VER=3.2.0
4545
PLUGIN_NEXUS_STAGING_VER=0.30.0
4646
PLUGIN_GOOGLE_JAVA_FORMAT_VER=0.9
47-
###
48-
org.gradle.daemon=true

graphql-spring-boot-autoconfigure/build.gradle

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -54,7 +54,7 @@ dependencies {
5454
testImplementation "org.springframework.boot:spring-boot-starter-web"
5555
testImplementation "org.springframework.boot:spring-boot-starter-actuator"
5656
testImplementation "org.springframework.boot:spring-boot-starter-webflux"
57-
// testImplementation "org.springframework.boot:spring-boot-starter-security"
57+
testImplementation "org.springframework.boot:spring-boot-starter-security"
5858
testImplementation "org.springframework.security:spring-security-test"
5959
testImplementation "io.projectreactor:reactor-core"
6060
testImplementation "io.reactivex.rxjava2:rxjava"

graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/EditorConstants.java

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
package graphql.kickstart.autoconfigure.editor;
2+
3+
import lombok.AccessLevel;
4+
import lombok.NoArgsConstructor;
5+
6+
@NoArgsConstructor(access = AccessLevel.PRIVATE)
7+
public class EditorConstants {
8+
9+
public static final String CSRF_ATTRIBUTE_NAME = "_csrf";
10+
}

graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/altair/AltairAutoConfiguration.java

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,10 @@ public class AltairAutoConfiguration {
1717

1818
@Bean
1919
@ConditionalOnProperty(value = "graphql.altair.enabled", havingValue = "true")
20-
AltairController altairController() {
21-
return new AltairController();
20+
AltairController altairController(
21+
AltairProperties altairProperties,
22+
AltairOptions altairOptions,
23+
AltairResources altairResources) {
24+
return new AltairController(altairProperties, altairOptions, altairResources);
2225
}
2326
}

graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/altair/AltairController.java

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -13,12 +13,12 @@
1313
import java.util.Map;
1414
import javax.annotation.PostConstruct;
1515
import javax.servlet.http.HttpServletResponse;
16+
import lombok.RequiredArgsConstructor;
1617
import lombok.SneakyThrows;
1718
import lombok.extern.slf4j.Slf4j;
1819
import lombok.val;
1920
import org.apache.commons.lang3.StringUtils;
2021
import org.apache.commons.text.StringSubstitutor;
21-
import org.springframework.beans.factory.annotation.Autowired;
2222
import org.springframework.core.io.ClassPathResource;
2323
import org.springframework.stereotype.Controller;
2424
import org.springframework.util.StreamUtils;
@@ -27,14 +27,15 @@
2727
/** @author Moncef AOUDIA */
2828
@Slf4j
2929
@Controller
30+
@RequiredArgsConstructor
3031
public class AltairController {
3132

3233
private static final String CDN_JSDELIVR_NET_NPM = "//cdn.jsdelivr.net/npm/";
3334
private static final String ALTAIR = "altair-static";
3435
private final ObjectMapper objectMapper = new ObjectMapper();
35-
@Autowired private AltairProperties altairProperties;
36-
@Autowired private AltairOptions altairOptions;
37-
@Autowired private AltairResources altairResources;
36+
private final AltairProperties altairProperties;
37+
private final AltairOptions altairOptions;
38+
private final AltairResources altairResources;
3839

3940
private String template;
4041

graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/voyager/ReactiveVoyagerController.java

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,7 @@
11
package graphql.kickstart.autoconfigure.editor.voyager;
22

3+
import static graphql.kickstart.autoconfigure.editor.EditorConstants.CSRF_ATTRIBUTE_NAME;
4+
35
import java.io.IOException;
46
import java.util.Map;
57
import lombok.RequiredArgsConstructor;
@@ -9,6 +11,7 @@
911
import org.springframework.stereotype.Controller;
1012
import org.springframework.web.bind.annotation.GetMapping;
1113
import org.springframework.web.bind.annotation.PathVariable;
14+
import org.springframework.web.bind.annotation.RequestAttribute;
1215

1316
/** @author Max David Günther */
1417
@Controller
@@ -18,10 +21,12 @@ public class ReactiveVoyagerController {
1821
@Autowired private VoyagerIndexHtmlTemplate indexTemplate;
1922

2023
@GetMapping(path = "${graphql.voyager.mapping:/voyager}")
21-
public ResponseEntity<String> voyager(@PathVariable Map<String, String> params)
24+
public ResponseEntity<String> voyager(
25+
final @RequestAttribute(value = CSRF_ATTRIBUTE_NAME, required = false) Object csrf,
26+
@PathVariable Map<String, String> params)
2227
throws IOException {
2328
// no context path in spring-webflux
24-
String indexHtmlContent = indexTemplate.fillIndexTemplate("", params);
29+
String indexHtmlContent = indexTemplate.fillIndexTemplate("", csrf, params);
2530
return ResponseEntity.ok()
2631
.contentType(MediaType.valueOf("text/html; charset=UTF-8"))
2732
.body(indexHtmlContent);

graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/voyager/VoyagerAutoConfiguration.java

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -17,8 +17,8 @@
1717
public class VoyagerAutoConfiguration {
1818

1919
@Bean
20-
VoyagerController voyagerController() {
21-
return new VoyagerController();
20+
VoyagerController voyagerController(VoyagerIndexHtmlTemplate voyagerIndexHtmlTemplate) {
21+
return new VoyagerController(voyagerIndexHtmlTemplate);
2222
}
2323

2424
@Bean

graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/voyager/VoyagerController.java

Lines changed: 11 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,26 +1,33 @@
11
package graphql.kickstart.autoconfigure.editor.voyager;
22

3+
import static graphql.kickstart.autoconfigure.editor.EditorConstants.CSRF_ATTRIBUTE_NAME;
4+
35
import java.io.IOException;
46
import java.util.Map;
57
import javax.servlet.http.HttpServletRequest;
6-
import org.springframework.beans.factory.annotation.Autowired;
8+
import lombok.RequiredArgsConstructor;
79
import org.springframework.http.MediaType;
810
import org.springframework.http.ResponseEntity;
911
import org.springframework.stereotype.Controller;
1012
import org.springframework.web.bind.annotation.GetMapping;
1113
import org.springframework.web.bind.annotation.PathVariable;
14+
import org.springframework.web.bind.annotation.RequestAttribute;
1215

1316
/** @author Max David Günther */
1417
@Controller
18+
@RequiredArgsConstructor
1519
public class VoyagerController {
1620

17-
@Autowired private VoyagerIndexHtmlTemplate indexTemplate;
21+
private final VoyagerIndexHtmlTemplate indexTemplate;
1822

1923
@GetMapping(value = "${graphql.voyager.mapping:/voyager}")
2024
public ResponseEntity<String> voyager(
21-
HttpServletRequest request, @PathVariable Map<String, String> params) throws IOException {
25+
HttpServletRequest request,
26+
final @RequestAttribute(value = CSRF_ATTRIBUTE_NAME, required = false) Object csrf,
27+
@PathVariable Map<String, String> params)
28+
throws IOException {
2229
String contextPath = request.getContextPath();
23-
String indexHtmlContent = indexTemplate.fillIndexTemplate(contextPath, params);
30+
String indexHtmlContent = indexTemplate.fillIndexTemplate(contextPath, csrf, params);
2431
return ResponseEntity.ok()
2532
.contentType(MediaType.valueOf("text/html; charset=UTF-8"))
2633
.body(indexHtmlContent);

graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/editor/voyager/VoyagerIndexHtmlTemplate.java

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,8 @@
11
package graphql.kickstart.autoconfigure.editor.voyager;
22

3+
import static graphql.kickstart.autoconfigure.editor.EditorConstants.CSRF_ATTRIBUTE_NAME;
4+
5+
import com.fasterxml.jackson.databind.ObjectMapper;
36
import java.io.IOException;
47
import java.nio.charset.Charset;
58
import java.util.HashMap;
@@ -21,9 +24,10 @@ public class VoyagerIndexHtmlTemplate {
2124
private static final String FAVICON_APIS_GURU =
2225
"//apis.guru/graphql-voyager/icons/favicon-16x16.png";
2326

27+
private final ObjectMapper objectMapper = new ObjectMapper();
2428
private final VoyagerPropertiesConfiguration voyagerConfiguration;
2529

26-
public String fillIndexTemplate(String contextPath, Map<String, String> params)
30+
public String fillIndexTemplate(String contextPath, Object csrf, Map<String, String> params)
2731
throws IOException {
2832
String template =
2933
StreamUtils.copyToString(
@@ -34,6 +38,11 @@ public String fillIndexTemplate(String contextPath, Map<String, String> params)
3438
String voyagerCdnVersion = voyagerConfiguration.getCdn().getVersion();
3539

3640
Map<String, String> replacements = new HashMap<>();
41+
if (csrf != null) {
42+
replacements.put(CSRF_ATTRIBUTE_NAME, objectMapper.writeValueAsString(csrf));
43+
} else {
44+
replacements.put(CSRF_ATTRIBUTE_NAME, "null");
45+
}
3746
replacements.put("graphqlEndpoint", constructGraphQlEndpoint(contextPath, params));
3847
replacements.put("pageTitle", voyagerConfiguration.getPageTitle());
3948
replacements.put("pageFavicon", getResourceUrl(basePath, "favicon.ico", FAVICON_APIS_GURU));

0 commit comments

Comments
 (0)