@graphql-yoga/plugin-csrf-prevention
CSRF prevention plugin for GraphQL Yoga that requires clients to send a specific custom request header (which, in a browser, forces a CORS preflight).
// CommonJS interop emitted by the TypeScript compiler: flag this module as a
// transpiled ES module and pre-declare the export slot that is assigned at the
// bottom of the file.
Object.defineProperty(exports, "__esModule", { value: true });
exports.useCSRFPrevention = undefined;
const graphql_yoga_1 = require("graphql-yoga");
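/**
 * CSRF prevention for GraphQL Yoga: reject any request that does not carry at
 * least one of the configured custom request headers.
 *
 * Background. When a browser issues a cross-origin request it normally sends a
 * CORS preflight first. Requests that the Fetch/CORS rules classify as
 * "simple" (e.g. a GET with no custom headers, or a form-encoded POST) skip
 * the preflight, so a page on another origin can fire them at this endpoint
 * with the victim's cookies attached.
 *
 * A custom request header makes a request "not simple": the browser must
 * preflight it, and a page on another origin cannot attach the header unless
 * the server's CORS policy explicitly allows that header for that origin.
 * Requiring such a header on every request therefore turns the browser's CORS
 * enforcement into a CSRF defence.
 *
 * Caveats a deployer should know:
 * - The protection is only as strong as the CORS configuration. If the CORS
 *   policy lets arbitrary origins send the CSRF header (e.g. a reflected
 *   `Access-Control-Allow-Origin` combined with a permissive
 *   `Access-Control-Allow-Headers`), the preflight succeeds and this check adds
 *   nothing. Review the CORS settings together with this plugin.
 * - Only the header's *presence* is checked, never its value; an empty value
 *   passes. That is enough for the preflight argument above, but the header is
 *   not a secret token and must not be treated as one.
 * - Non-browser clients are not constrained by this mechanism (by design:
 *   CSRF is a browser problem; authenticate API clients separately).
 * - The check runs for every request that reaches `onRequestParse`, regardless
 *   of HTTP method — not only GET. Requests the server answers before parsing
 *   (if any) are outside this hook's reach; verify against the host's pipeline.
 *
 * @param {{ requestHeaders?: string[] }} [options] - `requestHeaders`: header
 *   names, any one of which satisfies the check. Defaults to
 *   `['x-graphql-yoga-csrf']`. Assuming `request.headers` is a Fetch `Headers`
 *   object, names are matched case-insensitively. An explicitly empty list
 *   rejects every request (fails closed) — almost certainly a misconfiguration.
 * @returns Yoga plugin whose `onRequestParse` hook throws a GraphQL error
 *   carrying HTTP status 403 when none of the required headers is present.
 */
function useCSRFPrevention(options = {}) {
    const { requestHeaders = ['x-graphql-yoga-csrf'] } = options;
    return {
        async onRequestParse({ request }) {
            const hasCsrfHeader = requestHeaders.some((headerName) => request.headers.has(headerName));
            if (!hasCsrfHeader) {
                // 403 rather than 400: the request is syntactically fine, it is
                // simply not permitted to proceed without the marker header.
                throw (0, graphql_yoga_1.createGraphQLError)('Required CSRF header(s) not present', {
                    extensions: {
                        http: {
                            status: 403,
                        },
                    },
                });
            }
        },
    };
}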
// Public CommonJS export; fills the slot pre-declared at the top of the file.
exports.useCSRFPrevention = useCSRFPrevention;