Add CSRF token to GraphiQL view

src/express/express.js

@@ -16,14 +16,18 @@ function sendError(response, boom) {
   response.status(statusCode).send(payload);
 }
 
-export default function middleware({ graphiql = true, context = {}, schema = required() } = {}) {
+export default function middleware({ graphiql = true, context = {}, schema = required(), getCSRFToken = null } = {}) {
   return (request, response, next) => {
     if (isPath(request) && (isPost(request) || isGet(request))) {
       const body = request.body;
       const { query, variables } = Object.assign({}, body, request.query);
 
       if (isGet(request) && request.accepts('html') && graphiql) {
-        return response.send(renderGraphiQL({ query, variables }));
+        const renderOptions = { query, variables };
+        if (getCSRFToken !== null) {
+          renderOptions.csrfToken = getCSRFToken(request);
+        }
+        return response.send(renderGraphiQL(renderOptions));
       }
 
       if (isGet(request) && query && query.includes('mutation')) {

src/util/util.js

@@ -16,7 +16,8 @@ export function required() {
 
 const GRAPHIQL_VERSION = '0.7.1';
 
-export function renderGraphiQL({ query, variables, version = GRAPHIQL_VERSION } = {}) {
+export function renderGraphiQL({ query, variables, version = GRAPHIQL_VERSION, csrfToken } = {}) {
+  csrfToken = csrfToken ? `,'x-csrf-token': '${csrfToken}'` : '';
   return `
     <!DOCTYPE html>
     <html>
@@ -89,7 +90,8 @@ export function renderGraphiQL({ query, variables, version = GRAPHIQL_VERSION }
               method: 'post',
               headers: {
                 'Accept': 'application/json',
-                'Content-Type': 'application/json',
+                'Content-Type': 'application/json'
+                ${csrfToken}
               },
               body: JSON.stringify(graphQLParams),
               credentials: 'include',