Allow GraphQL requests without CSRF token

With this we allow authentication using a session or using personal
access token.

Authentication using a session, and CSRF token makes it easy to play
with GraphQL from the Graphiql endpoint we expose.

But we cannot enforce CSRF validity, otherwise authentication for
regular API clients would fail when they use personal access tokens to
authenticate.

1 files changed, 0 insertions, 112 deletions

diff --git a/spec/controllers/graphql_controller_spec.rb b/spec/controllers/graphql_controller_spec.rb
deleted file mode 100644
index a0f40874db1..00000000000
--- a/spec/controllers/graphql_controller_spec.rb
+++ /dev/null
@@ -1,112 +0,0 @@
-require 'spec_helper'
-
-describe GraphqlController do
-  describe 'execute' do
-    let(:user) { nil }
-
-    before do
-      sign_in(user) if user
-
-      run_test_query!
-    end
-
-    subject { query_response }
-
-    context 'graphql is disabled by feature flag' do
-      let(:user) { nil }
-
-      before do
-        stub_feature_flags(graphql: false)
-      end
-
-      it 'returns 404' do
-        run_test_query!
-
-        expect(response).to have_gitlab_http_status(404)
-      end
-    end
-
-    context 'signed out' do
-      let(:user) { nil }
-
-      it 'runs the query with current_user: nil' do
-        is_expected.to eq('echo' => 'nil says: test success')
-      end
-    end
-
-    context 'signed in' do
-      let(:user) { create(:user, username: 'Simon') }
-
-      it 'runs the query with current_user set' do
-        is_expected.to eq('echo' => '"Simon" says: test success')
-      end
-    end
-
-    context 'invalid variables' do
-      it 'returns an error' do
-        run_test_query!(variables: "This is not JSON")
-
-        expect(response).to have_gitlab_http_status(422)
-        expect(json_response['errors'].first['message']).not_to be_nil
-      end
-    end
-  end
-
-  context 'token authentication' do
-    before do
-      stub_authentication_activity_metrics(debug: false)
-    end
-
-    let(:user) { create(:user, username: 'Simon') }
-    let(:personal_access_token) { create(:personal_access_token, user: user) }
-
-    context "when the 'personal_access_token' param is populated with the personal access token" do
-      it 'logs the user in' do
-        expect(authentication_metrics)
-          .to increment(:user_authenticated_counter)
-                .and increment(:user_session_override_counter)
-                       .and increment(:user_sessionless_authentication_counter)
-
-        run_test_query!(private_token: personal_access_token.token)
-
-        expect(response).to have_gitlab_http_status(200)
-        expect(query_response).to eq('echo' => '"Simon" says: test success')
-      end
-    end
-
-    context 'when the personal access token has no api scope' do
-      it 'does not log the user in' do
-        personal_access_token.update(scopes: [:read_user])
-
-        run_test_query!(private_token: personal_access_token.token)
-
-        expect(response).to have_gitlab_http_status(200)
-
-        expect(query_response).to eq('echo' => 'nil says: test success')
-      end
-    end
-
-    context 'without token' do
-      it 'shows public data' do
-        run_test_query!
-
-        expect(query_response).to eq('echo' => 'nil says: test success')
-      end
-    end
-  end
-
-  # Chosen to exercise all the moving parts in GraphqlController#execute
-  def run_test_query!(variables: { 'text' => 'test success' }, private_token: nil)
-    query = <<~QUERY
-      query Echo($text: String) {
-        echo(text: $text)
-      }
-    QUERY
-
-    post :execute, params: { query: query, operationName: 'Echo', variables: variables, private_token: private_token }
-  end
-
-  def query_response
-    json_response['data']
-  end
-end