First, thank you for the hard work to make such a great library :kudos
So I see from the example that a mutation can be requested using the GET method:
https://github.com/graphql-go/graphql/blob/f02a1c961028d3ba7ac6bb22eaa09b31a2cb53dd/examples/crud/main.go#L136-L139
and it looks like that is by design. Line 68 below tries to get the query from the query string, and I can't find a way to disable the GET method.
handler/handler.go, lines 67 to 78 in f96ffdd:

```go
func NewRequestOptions(r *http.Request) *RequestOptions {
	if reqOpt := getFromForm(r.URL.Query()); reqOpt != nil {
		return reqOpt
	}

	if r.Method != http.MethodPost {
		return &RequestOptions{}
	}

	if r.Body == nil {
		return &RequestOptions{}
	}
```
I am concerned that this is open to CSRF attacks when you use cookie authentication. Or am I missing something?
FYI: Apollo itself doesn't allow mutation requests via the GET method.