I've got a Spring Boot App that gains GraphQL by way of org.springframework.experimental/graphql-spring-boot-starter. That starter, somehow, gives me the GraphiQL UI to run ad-hoc queries through. As I tried to integrate Spring Security into my Application all of my POST /graphql calls began to see 403 at the browser.
Looking at the Chrome console, I can see the root cause. Our auth rides on a cookie bound to the domain. The GraphiQL client is failing to send the cookie, so Spring Security can't find anything to authenticate. When I copy the request as curl, I can see it is missing the Cookie header...
$ curl 'http://localhost.example.com:8080/graphql' \
> -H 'Connection: keep-alive' \
> -H 'Accept: application/json' \
> -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36' \
> -H 'Content-Type: application/json' \
> -H 'Origin: http://localhost.blueorigin.com:8080' \
> -H 'Referer: http://localhost.blueorigin.com:8080/?path=/graphql' \
> -H 'Accept-Language: en-US,en;q=0.9' \
> --data-raw '{"query":"query now {\n now\n}","variables":null,"operationName":"now"}' \
> --compressed \
> --insecure
{"timestamp":"2021-10-13T19:18:37.223+00:00","status":403,"error":"Forbidden","message":"Access Denied","path":"/graphql"}
If I give curl the Cookie the server needs...all is well.
How do I get GraphiQL to send cookies for a Spring Boot Application?
