feat(#212): CSRF headers are now automatically added (cf. #253)

BlasiusSecundus · BlasiusSecundus · commit f103b4e65a43 · 2019-06-02T20:29:33.000+02:00
diff --git a/playground-spring-boot-autoconfigure/src/main/java/com/oembedler/moon/playground/boot/PlaygroundController.java b/playground-spring-boot-autoconfigure/src/main/java/com/oembedler/moon/playground/boot/PlaygroundController.java
@@ -6,6 +6,8 @@
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.GetMapping;
 
+import javax.servlet.http.HttpServletRequest;
+
 @Controller
 @RequiredArgsConstructor
 public class PlaygroundController {
@@ -31,14 +33,15 @@ public class PlaygroundController {
     private final ObjectMapper objectMapper;
 
     @GetMapping("${graphql.playground.mapping:/playground}")
-    public String playground(final Model model) {
+    public String playground(final Model model, final HttpServletRequest request) {
         if (propertiesConfiguration.getPlayground().getCdn().isEnabled()) {
             setCdnUrls(model);
         } else {
             setLocalAssetUrls(model);
         }
         model.addAttribute("pageTitle", propertiesConfiguration.getPlayground().getPageTitle());
         model.addAttribute("properties", objectMapper.valueToTree(propertiesConfiguration.getPlayground()));
+        model.addAttribute("_csrf", request.getAttribute("_csrf"));
         return "playground";
     }
 
diff --git a/playground-spring-boot-autoconfigure/src/main/java/com/oembedler/moon/playground/boot/properties/PlaygroundProperties.java b/playground-spring-boot-autoconfigure/src/main/java/com/oembedler/moon/playground/boot/properties/PlaygroundProperties.java
@@ -9,7 +9,7 @@
 import java.util.List;
 
 @Data
-@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonInclude(JsonInclude.Include.NON_EMPTY)
 public class PlaygroundProperties {
 
     @NotEmpty
diff --git a/playground-spring-boot-autoconfigure/src/main/resources/templates/playground.html b/playground-spring-boot-autoconfigure/src/main/resources/templates/playground.html
@@ -19,7 +19,21 @@
 </div>
 
 <script th:inline="javascript">
+    function addCsrfHeaderTo(properties, csrf) {
+        if (!properties.headers) {
+            properties.headers = {};
+        }
+        properties.headers[csrf.headerName] = csrf.token;
+    }
+
+    let csrf = /*[[${_csrf}]]*/ null;
     let properties = /*[[${properties}]]*/ {};
+    if (csrf) {
+        addCsrfHeaderTo(properties, csrf);
+        if (properties.tabs) {
+            properties.tabs.forEach(tab => addCsrfHeaderTo(tab, csrf));
+        }
+    }
     properties.setTitle = false;
     window.addEventListener('load', function (event) {
       GraphQLPlayground.init(document.getElementById('root'), properties)
