Closed
Labels
status: accepted (This issue has been accepted for implementation)
type: bug (A confirmed report of unexpected behavior in the application)
Description
NetBox version
v3.0.1
Python version
3.7
Steps to Reproduce
- Use curl to query the GraphQL API.

  ```
  curl -H "Authorization: Token $TOKEN" -H "Content-Type: application/json" -H "Accept: application/json" http://localhost/graphql/ --data '{"query": "query { site_list(status: "active") { name } }"}'
  ```

- Use curl as suggested in the documentation https://netbox.readthedocs.io/en/stable/graphql-api/overview/#queries

  ```
  curl -H "Authorization: Token $TOKEN" -H "Content-Type: application/json" -H "Accept: application/json" http://localhost/graphql/ --data '{"query": "query {circuits(status:\"active\" {cid provider {name}}}"}'
  ```
Expected Behavior
GraphQL JSON data is returned. I already tried setting ALLOWED_HOST to `*`, but got the same result.
See also the discussion here #7182
Observed Behavior
A CSRF error is raised.
```
Host: localhost:8001
User-Agent: curl/7.68.0
Authorization: Token <snip>
Content-Type: application/json
Accept: application/json
Content-Length: 69

{"query": "query {circuits(status:\"active\" {cid provider {name}}}"}

<<< HTTP/1.1 403 Forbidden
Server: gunicorn
Date: Sun, 05 Sep 2021 08:29:58 GMT
Connection: keep-alive
Content-Type: text/html
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
X-Frame-Options: SAMEORIGIN
Content-Length: 1382
Vary: Origin

<!DOCTYPE html>
<html lang="en">
<head> ... various stuff CSS ... </head>
<body>
<div id="summary">
<h1>Forbidden <span>(403)</span></h1>
<p>CSRF verification failed. Request aborted.</p>
<p>You are seeing this message because this site requires a CSRF cookie when submitting forms. This cookie is required for security reasons, to ensure that your browser is not being hijacked by third parties.</p>
<p>If you have configured your browser to disable cookies, please re-enable them, at least for this site, or for ...same-origin... requests.</p>
</div>
<div id="explanation">
<p><small>More information is available with DEBUG=True.</small></p>
</div>
</body>
</html>
```