Skip CSRF check for query-only GraphQL requests
What does this MR do and why?
When a GraphQL request only contains queries, it can be requested using GET which skips CSRF checks.
We can skip the same checks even if they are requested with a POST since these should not mutate any data.
This is a follow-up to !175955 (merged). That MR prevents CSRF mismatches from logging out the user, but the mismatches still happen and the user will see alerts about failures loading data within the page.
This MR prevents most of them, since most if not all of these GraphQL requests that are triggered on page load are read-only queries.
References
Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.
- Related to #379326
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Merge request reports
Activity
changed milestone to %17.8
assigned to @engwan
added pipelinetier-1 label
- A deleted user
added backend label
1 Message 
CHANGELOG missing: If this merge request needs a changelog entry, add the
Changelogtrailer to the commit message you want to add to the changelog.If this merge request doesn't need a CHANGELOG entry, feel free to ignore this message.
Reviewer roulette
Category Reviewer Maintainer backend @charlieeekroon(UTC+1, same timezone as author)
@sgarg_gitlab(UTC+5.5, 4.5 hours ahead of author)
Please refer to documentation page for guidance on how you can benefit from the Reviewer Roulette, or use the GitLab Review Workload Dashboard to find other available reviewers.
If needed, you can retry the
danger-reviewjob that generated this comment.Generated by
removed workflowin dev label
-
@atevans @grzesiek what do you think of this change?
I think to fully solve the CSRF problem, we'd have to store the token outside the session as described in https://github.com/demarches-simplifiees/demarches-simplifiees.fr/blob/5b4f7f9ae9eaf0ac94008b62f7047e4714626cf9/doc/adr-csrf-forgery.md#using-a-long-lived-cookie-for-csrf-tokens. This is a much bigger change that also requires Rails 7.1 which we're still in the process of upgrading to.
So to mitigate most of the problems, I think we can do this change where we skip CSRF check for query-only requests. This should allow pages restored from cache to load properly. Though the user would still encounter an error when they try to submit a comment or any other mutation. They would still need to refresh for that.
added pipeline:mr-approved label
added pipelinetier-3 pipeline:run-e2e-omnibus-once labels and removed pipelinetier-1 label
Before you set this MR to auto-merge
This merge request will progress on pipeline tiers until it reaches the last tier: pipelinetier-3. We will trigger a new pipeline for each transition to a higher tier.
Before you set this MR to auto-merge, please check the following:
- You are the last maintainer of this merge request
- The latest pipeline for this merge request is pipelinetier-3 (You can find which tier it is in the pipeline name)
- This pipeline is recent enough (created in the last 8 hours)
If all the criteria above apply, please set auto-merge for this merge request.
See pipeline tiers and merging a merge request for more details.
Resolved by Heinrich Lee YuI was able to reproduce the functionality locally. Approved!
Agree that moving to cookie-based storage for CSRF tokens would be a big change. There may be alternate solutions we can try - maybe frontend can check for the newest CSRF token on page restoration before launching any further requests? Could be hard to implement. It's probably worth discussing further.
- Last reply by Heinrich Lee Yu
E2E Test Result Summary
allure-report-publishergenerated test report!e2e-test-on-cng:
expand test summary
+------------------------------------------------------------------+ | suites summary | +-------------+--------+--------+---------+-------+-------+--------+ | | passed | failed | skipped | flaky | total | result | +-------------+--------+--------+---------+-------+-------+--------+ | Verify | 51 | 0 | 15 | 0 | 66 | ✅ | | Create | 140 | 0 | 19 | 1 | 159 | ✅ | | Govern | 84 | 0 | 10 | 0 | 94 | ✅ | | Monitor | 8 | 0 | 12 | 0 | 20 | ✅ | | Package | 30 | 0 | 14 | 0 | 44 | ✅ | | Plan | 86 | 0 | 8 | 0 | 94 | ✅ | | Secure | 2 | 0 | 5 | 0 | 7 | ✅ | | Data Stores | 33 | 0 | 10 | 0 | 43 | ✅ | | Analytics | 2 | 0 | 0 | 0 | 2 | ✅ | | Fulfillment | 2 | 0 | 7 | 0 | 9 | ✅ | | Growth | 0 | 0 | 2 | 0 | 2 | ➖ | | Manage | 1 | 0 | 9 | 0 | 10 | ✅ | | Release | 5 | 0 | 1 | 0 | 6 | ✅ | | Ai-powered | 0 | 0 | 2 | 0 | 2 | ➖ | | ModelOps | 0 | 0 | 1 | 0 | 1 | ➖ | | Configure | 0 | 0 | 3 | 0 | 3 | ➖ | +-------------+--------+--------+---------+-------+-------+--------+ | Total | 444 | 0 | 118 | 1 | 562 | ✅ | +-------------+--------+--------+---------+-------+-------+--------+e2e-test-on-gdk:
expand test summary
+------------------------------------------------------------------+ | suites summary | +-------------+--------+--------+---------+-------+-------+--------+ | | passed | failed | skipped | flaky | total | result | +-------------+--------+--------+---------+-------+-------+--------+ | Create | 135 | 0 | 20 | 0 | 155 | ✅ | | Govern | 80 | 0 | 12 | 0 | 92 | ✅ | | Data Stores | 33 | 0 | 10 | 0 | 43 | ✅ | | Verify | 50 | 0 | 16 | 0 | 66 | ✅ | | Package | 25 | 0 | 13 | 0 | 38 | ✅ | | Growth | 0 | 0 | 2 | 0 | 2 | ➖ | | Manage | 1 | 0 | 9 | 0 | 10 | ✅ | | Ai-powered | 0 | 0 | 2 | 0 | 2 | ➖ | | Secure | 4 | 0 | 3 | 0 | 7 | ✅ | | Monitor | 8 | 0 | 12 | 0 | 20 | ✅ | | Plan | 82 | 0 | 8 | 0 | 90 | ✅ | | Configure | 0 | 0 | 3 | 0 | 3 | ➖ | | Fulfillment | 2 | 0 | 7 | 0 | 9 | ✅ | | Release | 5 | 0 | 1 | 0 | 6 | ✅ | | ModelOps | 0 | 0 | 1 | 0 | 1 | ➖ | | Analytics | 2 | 0 | 0 | 0 | 2 | ✅ | +-------------+--------+--------+---------+-------+-------+--------+ | Total | 427 | 0 | 119 | 0 | 546 | ✅ | +-------------+--------+--------+---------+-------+-------+--------+
requested review from @grzesiek
added 1 commit
- f6b56b32 - Skip CSRF check for query-only GraphQL requests
reset approvals from @atevans by pushing to the branch
requested review from @grzesiek
mentioned in issue #414501
started a merge train
mentioned in commit be0b27ca
added workflowstaging-canary label
added workflowcanary label and removed workflowstaging-canary label
added workflowproduction label and removed workflowcanary label
added workflowstaging label and removed workflowproduction label
added workflowpost-deploy-db-staging label and removed workflowstaging label
added workflowpost-deploy-db-production label and removed workflowpost-deploy-db-staging label
added releasedcandidate label
added releasedpublished label and removed releasedcandidate label
