gitlab-org--gitlab-foss/changelogs/unreleased/bvl-graphql-csrf.yml
Bob Van Landuyt b623932eb3 Allow GraphQL requests without CSRF token
With this we allow authentication using a session or using a personal
access token.

Authentication using a session and CSRF token makes it easy to play
with GraphQL from the GraphiQL endpoint we expose.

But we cannot enforce CSRF validity, otherwise authentication for
regular API clients would fail when they use personal access tokens to
authenticate.
2019-03-06 15:38:00 +01:00

---
title: Allow GraphQL requests without CSRF token
merge_request: 25719
author:
type: fixed
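
The trade-off described in the commit message, as an added Ruby example that is not GitLab's code: it assumes a request without a valid CSRF token is handled as sessionless, so the session cookie only counts when the CSRF token matches, while personal access tokens work without one. `Request`, `TOKENS`, `authenticate` and all sample values are hypothetical and constructed for illustration.

```ruby
# Added illustration, not GitLab code. Models an endpoint that accepts both
# session and personal-access-token authentication without rejecting requests
# that lack a CSRF token. All names and values are hypothetical/constructed.
Request = Struct.new(:session_user, :session_csrf, :csrf_header, :token_header,
                     keyword_init: true)

# Constructed token store: personal access token => user
TOKENS = { 'pat-constructed-123' => 'api-bot' }.freeze

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns [user, method]. The session is honoured only together with a
# matching CSRF token; otherwise the request is treated as sessionless and
# only a personal access token can authenticate it.
def authenticate(req)
  if req.session_user && secure_equal?(req.session_csrf, req.csrf_header)
    return [req.session_user, :session]
  end

  # No valid CSRF token: a cookie the browser attached to a cross-site
  # request carries no authority here.
  user = TOKENS[req.token_header]
  user ? [user, :token] : [nil, :anonymous]
end

# Constructed sample requests covering the cases in the commit message.
def demo
  {
    graphiql_in_browser: Request.new(session_user: 'alice', session_csrf: 'c5rf',
                                     csrf_header: 'c5rf'),
    api_client_with_pat: Request.new(token_header: 'pat-constructed-123'),
    cookie_without_csrf: Request.new(session_user: 'alice', session_csrf: 'c5rf'),
    cookie_with_bad_csrf: Request.new(session_user: 'alice', session_csrf: 'c5rf',
                                      csrf_header: 'guess')
  }.transform_values { |req| authenticate(req) }
end

demo.each { |name, result| puts "#{name}: #{result.inspect}" } if __FILE__ == $PROGRAM_NAME
```
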