fix(#487): csrf is now supported with Playground on Webflux

BlasiusSecundus · BlasiusSecundus · commit 6be4a0786321 · 2021-01-25T20:39:59.000+01:00
diff --git a/playground-spring-boot-autoconfigure/build.gradle b/playground-spring-boot-autoconfigure/build.gradle
@@ -22,13 +22,15 @@ dependencies{
     implementation "org.springframework.boot:spring-boot-autoconfigure"
     compileOnly "org.springframework.boot:spring-boot-starter-web"
     compileOnly "org.springframework.boot:spring-boot-starter-webflux"
+    compileOnly "org.springframework.boot:spring-boot-starter-security"
     implementation "org.springframework.boot:spring-boot-starter-thymeleaf"
     implementation "org.springframework.boot:spring-boot-starter-validation"
 
     testImplementation "org.springframework.boot:spring-boot-starter-web"
     testImplementation "org.springframework.boot:spring-boot-starter-webflux"
     testImplementation "org.springframework.boot:spring-boot-starter-test"
     testImplementation "org.springframework.boot:spring-boot-starter-security"
+    testImplementation "org.springframework.security:spring-security-test"
     testImplementation "org.jsoup:jsoup:$LIB_JSOUP_VER"
 }
 
diff --git a/playground-spring-boot-autoconfigure/src/main/java/graphql/kickstart/playground/boot/PlaygroundController.java b/playground-spring-boot-autoconfigure/src/main/java/graphql/kickstart/playground/boot/PlaygroundController.java
@@ -9,6 +9,8 @@
 
 import java.nio.file.Paths;
 
+import static java.util.Objects.nonNull;
+
 @Controller
 @RequiredArgsConstructor
 public class PlaygroundController {
@@ -38,7 +40,9 @@ public String playground(final Model model, final @RequestAttribute(value = _CSR
         }
         model.addAttribute("pageTitle", propertiesConfiguration.getPlayground().getPageTitle());
         model.addAttribute("properties", objectMapper.valueToTree(propertiesConfiguration.getPlayground()));
-        model.addAttribute(_CSRF, csrf);
+        if (nonNull(csrf)) {
+            model.addAttribute(_CSRF, csrf);
+        }
         return "playground";
     }
 
diff --git a/playground-spring-boot-autoconfigure/src/main/java/graphql/kickstart/playground/boot/PlaygroundWebFluxAutoConfiguration.java b/playground-spring-boot-autoconfigure/src/main/java/graphql/kickstart/playground/boot/PlaygroundWebFluxAutoConfiguration.java
@@ -1,11 +1,15 @@
 package graphql.kickstart.playground.boot;
 
 import lombok.RequiredArgsConstructor;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
+import org.springframework.boot.autoconfigure.web.reactive.WebFluxAutoConfiguration;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.web.reactive.config.ViewResolverRegistry;
 import org.springframework.web.reactive.config.WebFluxConfigurer;
@@ -20,6 +24,7 @@
 import java.nio.charset.StandardCharsets;
 
 @Configuration
+@Import(PlaygroundWebFluxControllerAdvice.class)
 @ConditionalOnClass(WebFluxConfigurer.class)
 @ConditionalOnProperty(value = "graphql.playground.enabled", havingValue = "true", matchIfMissing = true)
 @RequiredArgsConstructor
diff --git a/playground-spring-boot-autoconfigure/src/main/java/graphql/kickstart/playground/boot/PlaygroundWebFluxControllerAdvice.java b/playground-spring-boot-autoconfigure/src/main/java/graphql/kickstart/playground/boot/PlaygroundWebFluxControllerAdvice.java
@@ -0,0 +1,23 @@
+package graphql.kickstart.playground.boot;
+
+import lombok.NoArgsConstructor;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import org.springframework.security.web.reactive.result.view.CsrfRequestDataValueProcessor;
+import org.springframework.security.web.server.csrf.CsrfToken;
+import org.springframework.web.bind.annotation.ControllerAdvice;
+import org.springframework.web.bind.annotation.ModelAttribute;
+import org.springframework.web.server.ServerWebExchange;
+import reactor.core.publisher.Mono;
+
+@NoArgsConstructor
+@ControllerAdvice
+@ConditionalOnClass({ CsrfToken.class, CsrfRequestDataValueProcessor.class })
+@ConditionalOnBean(CsrfRequestDataValueProcessor.class)
+public class PlaygroundWebFluxControllerAdvice {
+
+    @ModelAttribute(CsrfRequestDataValueProcessor.DEFAULT_CSRF_ATTR_NAME)
+    public Mono<CsrfToken> getCsrfToken(final ServerWebExchange exchange) {
+        return exchange.getAttributeOrDefault(CsrfToken.class.getName(), Mono.empty());
+    }
+}
diff --git a/playground-spring-boot-autoconfigure/src/test/java/graphql/kickstart/playground/boot/PlaygroundTestConfig.java b/playground-spring-boot-autoconfigure/src/test/java/graphql/kickstart/playground/boot/PlaygroundTestConfig.java
@@ -3,12 +3,13 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.autoconfigure.thymeleaf.ThymeleafAutoConfiguration;
+import org.springframework.boot.autoconfigure.web.reactive.WebFluxAutoConfiguration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.test.context.ContextConfiguration;
 
-@EnableAutoConfiguration
+@EnableAutoConfiguration(exclude = WebFluxAutoConfiguration.class)
 @EnableWebSecurity
 @ContextConfiguration(classes = {PlaygroundAutoConfiguration.class, ObjectMapper.class,
         ThymeleafAutoConfiguration.class})
diff --git a/playground-spring-boot-autoconfigure/src/test/java/graphql/kickstart/playground/boot/webflux/PlaygroundWebFluxCSRFTest.java b/playground-spring-boot-autoconfigure/src/test/java/graphql/kickstart/playground/boot/webflux/PlaygroundWebFluxCSRFTest.java
@@ -0,0 +1,34 @@
+package graphql.kickstart.playground.boot.webflux;
+
+import graphql.kickstart.playground.boot.PlaygroundTestHelper;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.test.web.reactive.server.WebTestClient;
+
+import java.nio.charset.StandardCharsets;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+@SpringBootTest(classes = PlaygroundWebFluxTestConfig.class)
+@AutoConfigureWebTestClient
+public class PlaygroundWebFluxCSRFTest {
+
+    @Autowired
+    private WebTestClient webTestClient;
+
+    @Test
+    void shouldLoadCSRFData() {
+        // WHEN
+        final byte[] actual = webTestClient.get().uri(PlaygroundTestHelper.DEFAULT_PLAYGROUND_ENDPOINT)
+            .exchange()
+            .expectStatus().isOk()
+            .expectBody().returnResult().getResponseBody();
+        // THEN
+        assertThat(actual).isNotNull();
+        assertThat(new String(actual, StandardCharsets.UTF_8))
+            .contains("let csrf = {\"token\":")
+            .contains("\"parameterName\":\"_csrf\",\"headerName\":\"X-CSRF-TOKEN\"}");
+    }
+}
