Allow GraphQL requests without CSRF token

Review changes
Download
Patches
Plain diff

Bob Van Landuyt requested to merge reprazent/gitlab-ce:bvl-graphql-csrf into master Mar 03, 2019

Overview 16
Commits 2
Pipelines 6
Changes 5

What does this MR do?

With this we allow authentication using a session or using personal access token.

Authentication using a session, and CSRF token makes it easy to play with GraphQL from the Graphiql endpoint we expose.

But we cannot enforce CSRF validity, otherwise authentication for regular API clients would fail when they use personal access tokens to authenticate.

What are the relevant issue numbers?

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/57237

Does this MR meet the acceptance criteria?

Changelog entry added, if necessary
Documentation created/updated via this MR
Documentation reviewed by technical writer or follow-up review issue created
Tests added for this feature/bug
Tested in all supported browsers
Conforms to the code review guidelines
Conforms to the merge request performance guidelines
Conforms to the style guides
Conforms to the database guides
Link to e2e tests MR added if this MR has Requires e2e tests label. See the Test Planning Process.
Security reports checked/validated by reviewer

Edited Mar 03, 2019 by Bob Van Landuyt

Merge request reports

Assignee

Reviewers

Request review from

Time tracking