Merge pull request rmosolgo#2557 from daemonsy/protect_from_forgery

Robert Mosolgo · web-flow · commit b4e7ff373532 · 2019-10-24T09:12:39.000-04:00
Comment out protect from forgery code, let the consumer opt in
diff --git a/lib/generators/graphql/templates/graphql_controller.erb b/lib/generators/graphql/templates/graphql_controller.erb
@@ -2,7 +2,7 @@ class GraphqlController < ApplicationController
   # If accessing from outside this domain, nullify the session
   # This allows for outside API access while preventing CSRF attacks,
   # but you'll have to authenticate your user separately
-  protect_from_forgery with: :null_session
+  # protect_from_forgery with: :null_session
 
   def execute
     variables = ensure_hash(params[:variables])
diff --git a/spec/integration/rails/generators/graphql/install_generator_spec.rb b/spec/integration/rails/generators/graphql/install_generator_spec.rb
@@ -179,7 +179,7 @@ class GraphqlController < ApplicationController
   # If accessing from outside this domain, nullify the session
   # This allows for outside API access while preventing CSRF attacks,
   # but you'll have to authenticate your user separately
-  protect_from_forgery with: :null_session
+  # protect_from_forgery with: :null_session
 
   def execute
     variables = ensure_hash(params[:variables])
