dgs-framework

GraphQL for Java with Spring Boot made easy.

APACHE-2.0 License


dgs-framework - v5.0.1

Published by github-actions[bot] over 2 years ago

What’s Changed

  • Fix how the GraphQLCSRFRequestHeaderValidationRule compares the content-type (#1079) @berngp
dgs-framework - v5.0.0

Published by github-actions[bot] over 2 years ago

We are releasing a major version of DGS to address a CSRF vulnerability. This version introduces a breaking change for callers that target the GraphQL endpoint (/graphql by default) and do not explicitly set the content-type to one of application/json, application/graphql, or multipart/form-data, the latter being used for file uploads. Clients that use multipart/form-data now also need to include a preflight header matching one of "x-apollo-operation-name", "apollo-require-preflight", or "graphql-require-preflight".

TL;DR

  • DGS will only accept requests with a content-type of application/json, application/graphql, or multipart/form-data.
  • DGS will enforce a preflight header if the content-type is multipart/form-data. Acceptable preflight headers are "x-apollo-operation-name", "apollo-require-preflight", and "graphql-require-preflight".

Application developers should also provide a sensible CORS policy; doing so is out of scope for the DGS framework but is available via Spring Boot and Spring Security.

Although it is not recommended, you can disable the preflight check by setting dgs.graphql.header.validation.enabled to false.

Context

A CSRF attack could leverage JS code that sends requests with content-type: multipart/form-data, or with other content-types that do not force browsers to perform a preflight check and enforce the CORS policy. Application developers should provide a sensible CORS policy and, if they use cookies, a sensible cookie SameSite policy.

DGS MVC supports the execution of GraphQL operations via HTTP POST requests with content-type: multipart/form-data. Because they are POST requests, they can contain GraphQL mutations. Because they use content-type: multipart/form-data, they can be "simple requests", which browsers do not preflight.

Spring Boot applications using DGS that set SameSite=None cookies for authentication are therefore exposed to JS code from any origin that can cause browsers to send cookie-authenticated mutations to the GraphQL endpoint; these are executed without your CORS policy being checked first. Although the attacker won't be able to see the response to the mutation if your CORS policy is set up properly, the side effects of the mutation will still occur.

In addition, if the Spring Boot application using DGS relies on network properties for security (whether by explicitly checking the client's IP address or by only being reachable on a private network), then JS on any origin can cause browsers (which may be on that private network or have an allowed IP address) to send mutations to your GraphQL server, which will be executed without checking your CORS policy first. (This attack does not require your server to use cookies. It is in some cases prevented by some browsers, such as Chrome.)
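To make the rule concrete, here is an added Python model of the v5.0.0 acceptance check; it is not the framework's own GraphQLCSRFRequestHeaderValidationRule. It strips content-type parameters before comparing (header comparison is exactly where v5.0.1 later needed a fix), and the validation_enabled flag and SAMPLE_REQUESTS are assumptions of this example.

```python
# Added example: stand-alone model of the DGS v5.0.0 request acceptance rule,
# usable to check a gateway, WAF or test harness against the same policy.
from typing import Mapping, Optional, Tuple

ALLOWED_MEDIA_TYPES = {"application/json", "application/graphql", "multipart/form-data"}
PREFLIGHT_HEADERS = {"x-apollo-operation-name", "apollo-require-preflight",
                     "graphql-require-preflight"}


def media_type(content_type: Optional[str]) -> Optional[str]:
    """Bare media type, lower-cased, with parameters such as '; charset=utf-8'
    or '; boundary=...' removed. Comparing the raw header string instead would
    wrongly reject 'application/json; charset=utf-8'."""
    if content_type is None:
        return None
    bare = content_type.split(";", 1)[0].strip().lower()
    return bare or None


def is_acceptable(headers: Mapping[str, str], validation_enabled: bool = True) -> Tuple[bool, str]:
    """Decide whether a POST to the GraphQL endpoint passes the v5.0.0 rule.
    validation_enabled models the dgs.graphql.header.validation.enabled toggle."""
    if not validation_enabled:
        return True, "header validation disabled"
    # Header names are case-insensitive, so normalise before looking them up.
    lowered = {name.lower(): value for name, value in headers.items()}
    mt = media_type(lowered.get("content-type"))
    if mt is None:
        return False, "missing or empty content-type"
    if mt not in ALLOWED_MEDIA_TYPES:
        return False, f"content-type {mt} is not accepted"
    if mt == "multipart/form-data" and PREFLIGHT_HEADERS.isdisjoint(lowered):
        return False, "multipart/form-data requires a preflight header"
    return True, "accepted"


# Constructed sample requests (header maps only), not captured traffic.
SAMPLE_REQUESTS = {
    "json_with_charset": {"Content-Type": "application/json; charset=utf-8"},
    "text_plain": {"Content-Type": "text/plain"},
    "no_content_type": {},
    "multipart_no_preflight": {"Content-Type": "multipart/form-data; boundary=xyz"},
    "multipart_with_preflight": {"Content-Type": "multipart/form-data; boundary=xyz",
                                 "Apollo-Require-Preflight": "true"},
}


def evaluate_samples() -> dict:
    """Run every sample through the rule; returns {name: accepted?}."""
    return {name: is_acceptable(hdrs)[0] for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_REQUESTS.items():
        print(f"{name:26} -> {is_acceptable(hdrs)}")
```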

For additional context, see the Apollo Server 2 graphql-upload CSRF page.

⭐ Special thanks to the Apollo Server Team for identifying the CSRF. ⭐

What’s Changed

  • CSRF attack mitigation on requests with multipart/form-data, plain-text, or empty content-types (#1073) @berngp
dgs-framework - v4.10.4

Published by github-actions[bot] over 2 years ago

What’s Changed

Highlights

Adoption of Apollo Federation 2.0 (#1056) @setchy

We are adopting Apollo Federation 2.0; please review the Apollo Federation 2.0 specification for further details.

New Features

  • Bumping federation and extended-scalars libs (#1056) @setchy

Fixes

  • Wrap the DataLoaders after inspection for DgsDataLoaderRegistryConsumer (#1068) @berngp
  • Improve DgsContext APIs and hint languages for DgsQueryExecutor(s) in IntelliJ (#1063) @berngp
  • Handle validation of input arguments in query complexity instrumentation (#1062) @berngp

Other Changes

  • Bump spring-security-bom from 5.6.3 to 5.6.5 (#1061) @dependabot
  • Bump datafaker from 1.3.0 to 1.4.0 (#1060) @dependabot
  • Adopt non-deprecated DataFetcherExceptionHandler methods. (#1059) @berngp
dgs-framework - v4.10.3

Published by github-actions[bot] over 2 years ago

What’s Changed

Highlights

  • Fix missing Reactor Context in Kotlin suspend datafetchers (#1041) @gnoeley
  • Preserve Reactor context in reactive data fetcher (#1040) @gnoeley
  • Fix response payload serialization in DgsReactiveWebsocketHandler (#1050) @kilink
  • Rework how DgsData methods are invoked (#1013) @kilink

Other Changes

  • Remove DgsIntrospectionConfigurationProperties (#1026) @kilink
  • Update to Kotlinter 3.10.0 (#1052) @kilink
  • Fix various Kotlin compiler warnings (#1053) @kilink
  • Bump mockk from 1.12.3 to 1.12.4 (#1045) @dependabot

⭐ Special thanks to @gnoeley and @kilink for this release! ⭐

dgs-framework - v4.10.2

Published by github-actions[bot] over 2 years ago

What’s Changed

  • Upgrade to GraphQL Java 18.1 (#1033) @berngp
  • Added support for union connection declaration (#1030) @BCantos17
  • Bump spring-cloud-dependencies from 2021.0.1 to 2021.0.2 (#1024) @dependabot
dgs-framework - v4.10.1

Published by github-actions[bot] over 2 years ago

What’s Changed

  • Feature: add UUID Scalar (#1022) @setchy
dgs-framework - v4.10.0

Published by berngp over 2 years ago

What’s Changed

Highlights

Adopting GraphQL Java 18

We are adopting GraphQL Java 18; this new version comes with a considerable number of improvements to the library.
We are looking forward to using the performance improvements to validation rules that are available in this version.
Please review the GraphQL Java v18.0 release notes for further details.

Moving To Spring 5.3, Spring Boot 2.6, Spring Cloud 2021.0.1

In order to keep the framework healthy we have decided to upgrade to Spring Boot 2.6, Spring 5.3 and Spring Cloud 2022.0.1.
If you are moving from Spring Boot 2.3 to Spring Boot 2.6 you might want to review the changes that happened between 2.3
and 2.4; see What is new in Spring Boot 2.4 by Phil Webb (@phillip_web).
Please review the Spring Boot 2.6 release notes if you are interested in the new features available.

Deprecation of collectionType as part of the @InputArgument annotation. (#977) @kilink

The @InputArgument annotation no longer needs collectionType when you are mapping to a List, Map, or other collection.
Instead, the framework now leverages the Spring Framework's ResolvableType utilities directly.

Upgrading to Kotlin 1.6.21

We are upgrading to Kotlin 1.6.21; this shouldn't affect you unless you are also using Kotlin in your project.
If you use Kotlin you will need to make sure you upgrade to at least 1.6.20.
To review what is new in Kotlin 1.6.20, please visit the official site.

Other

  • Feature/local time scalar (#1008) @setchy
  • Remove usage of NoOpPreparsedDocumentProvider (#994) @kilink
  • Simplify DgsSSESubscriptionHandler by returning Flux (#1001) @kilink
  • Remove DgsNoOpPreparsedDocumentProvider (#989) @kilink
  • Add support for defining a default DataFetcherFactory via autoconfig (#979) @jord1e
  • Use delegation pattern in DgsDataFetchingEnvironment (#978) @kilink
  • Replace Javafaker with Datafaker (#970) @bodiam

House Keeping Changes

  • Bump actions/cache from 2 to 3.0.2 (#957) (#991) @dependabot
  • Bump actions/setup-java from 2 to 3 (#975) @dependabot
  • Bump actions/upload-artifact from 2 to 3 (#976) @dependabot
  • Bump log4j-api from 2.17.1 to 2.17.2 (#962) @dependabot
  • Bump log4j-to-slf4j from 2.17.1 to 2.17.2 (#965) @dependabot
  • Bump mockk from 1.12.2 to 1.12.3 (#964) @dependabot
  • Bump nebula.netflixoss from 10.5.1 to 10.6.0 (#870) @dependabot
  • Bump spectator-api from 1.0.+ to 1.3.0 (#959) (#985) @dependabot
  • Disable unstable ConcurrentDataFetcherTest test. (#1012) @berngp
  • Fix Kotlin compiler warning (#973) @kilink
  • Fix deprecation warnings in DgsDataLoaderProvider (#971) @kilink
  • Fix various warnings (#974) @kilink
  • Fold changes to dependencies.lock files in diffs by default (#967) @jord1e
  • Get rid of unnecessary .let, use MediaType (#972) @kilink
  • Refactor the fixtures used for testing a custom DataFetcherFactory (#983) @berngp
  • Stop calling deprecated exchange method on WebClient (#1005) @kilink
  • Update Gradle Wrapper from 7.3.3 to 7.4.1 (#921) @github-actions
  • Update dependency lock files (#996) @kilink
  • Stop using deprecated context methods (#982) @kilink
  • Avoid passing in empty ChainedInstrumentation (#992) @kilink
dgs-framework - v4.9.25

Published by github-actions[bot] over 2 years ago

What’s Changed

  • Set the errors property in the payload when processing subscription events. (#951) @srinivasankavitha
  • Support @RequestHeader with HttpHeader/Map/MultiValueMap types. (#947) @srinivasankavitha
dgs-framework - v4.9.24

Published by berngp over 2 years ago

What’s Changed

Features

  • Make the object mapper used for query execution configurable. (#943) @srinivasankavitha
  • Added operation name in query input and passed in execute method (#941) @PrasoonJain
  • Automatic data loader naming on classes annotated with nameless @DgsDataLoader (#904) @jord1e

Other

  • Bump actions/setup-python from 2 to 3 (#911) @dependabot
  • Update .gitignore (#926) @jord1e
dgs-framework -

Published by paulbakker over 2 years ago

dgs-framework - v4.9.21

Published by github-actions[bot] over 2 years ago

What’s Changed

  • Fix log verbosity of DataFetcherInvoker.invokeDataFetcher (#896) @berngp
  • Pin graphiql version in the webflux stack as well, already done for mvc. (#885) @srinivasankavitha
dgs-framework - v4.9.20

Published by github-actions[bot] over 2 years ago

What’s Changed

  • Move result processors for Flux/Mono to graphql-dgs (#866) @kilink
dgs-framework -

Published by github-actions[bot] over 2 years ago

What’s Changed

  • Support custom input object mapper (#842) @paulbakker
dgs-framework -

Published by github-actions[bot] over 2 years ago

What’s Changed

  • Reducing the size of the test-report (#857) @berngp
  • Improve handling of unexpected subscription requests on /graphql. (#852) @srinivasankavitha
  • Only report on failed to trim report size (#856) @berngp
  • Attempt to publish the Test Results (#855) @berngp
dgs-framework - v4.9.17

Published by github-actions[bot] over 2 years ago

What’s Changed

Features

Support Apollo APQ (#829)

Summary

We now support Apollo's Automated Persisted Queries (APQ).
To enable this feature you will have to set the dgs.graphql.apq.enabled property to true.

Configuration

  • dgs.graphql.apq.enabled (boolean, default: false): Enables Apollo's APQ (as implemented in graphql-java) on the DGS service.
  • dgs.graphql.apq.default-cache.enabled (boolean, default: true): Can be used to disable the default Caffeine Cache.
  • dgs.graphql.apq.default-cache.caffeine-spec (String, default: maximumSize=100,expireAfterWrite=1h,recordStats): Specifies the CaffeineSpec used by the default Caffeine Cache.

Bean Overrides

  • You can implement your own Caffeine Cache bean if you name it apqCaffeineCache.
  • You can implement your own PersistedQueryCache; see below for details.

Details

The PersistedQueryCache that backs the default implementation leverages a Caffeine Cache. You can provide your own PersistedQueryCache if the default doesn't suffice; please review the PersistedQueryCaffeineCache if you decide to do so. It is important that the cache can handle the case where the query text matches the value defined by the PersistedQuerySupport.PERSISTED_QUERY_MARKER property.

The Caffeine Cache used by the default PersistedQueryCaffeineCache is a named bean, apqCaffeineCache, that can be replaced. You can also specify the Caffeine spec, encoded as a String value, via the dgs.graphql.apq.cache.caffeine-spec property. By default dgs.graphql.apq.cache.caffeine-spec is maximumSize=100,expireAfterWrite=1h,recordStats, but as mentioned you can define your own as needed.

Bug Fixes

  • Only use USER_DECLARED_METHODS when looking for DataFetchers (#845) @berngp
  • Issue-841: Fix NPE in equals method of TypedGraphQLError (#840) @rabbitvirus
  • We will now return a Bad Request Response if the Request Content is empty or malformed. (#835) @berngp

Others

  • Bump nebula.netflixoss from 10.4.0 to 10.5.1 (#830) @dependabot
  • Update Gradle Wrapper from 7.3.2 to 7.3.3 (#806) @github-actions
dgs-framework - v4.9.16

Published by github-actions[bot] almost 3 years ago

What’s Changed

  • Process HTTP session data on websocket handshake and load SecurityContext into Subscriptions (#814) @lucatk
  • Bump mockk from 1.12.1 to 1.12.2 (#815) @dependabot
  • Bump log4j-api from 2.17.0 to 2.17.1 (#811) @dependabot
  • Bump log4j-to-slf4j from 2.17.0 to 2.17.1 (#812) @dependabot
  • #693 Improved client deprecation message (#807) @paulbakker
  • #656 Support non-public datafetcher methods (#808) @paulbakker
dgs-framework - v4.9.15

Published by github-actions[bot] almost 3 years ago

What’s Changed

  • Bump log4j-to-slf4j from 2.16.0 to 2.17.0 (#802) @dependabot
  • Bump log4j-api from 2.16.0 to 2.17.0 (#803) @dependabot
dgs-framework - v4.9.14

Published by github-actions[bot] almost 3 years ago

What’s Changed

  • Unwrap InvocationTargetException from coroutine data fetcher (#794) @LEECHHE
  • Support of PreparsedDocumentProvider in DgsWebFluxAutoConfiguration (#786) @pushpagarwal
  • Modified to use custom DgsWebfluxHttpHandler (#777) @heoYH

Dependency Version Upgrades

The following dependencies were upgraded...

  • Log4J from 2.15.0 to 2.16.0
  • Kotlin from 1.5.21 to 1.5.32
  • Spring Framework from 5.2.13.RELEASE to 5.2.18.RELEASE
  • Spring Boot from 2.3.9.RELEASE to 2.3.12.RELEASE
  • Spring Security from 5.3.9.RELEASE to 5.3.12.RELEASE
  • Spring Cloud from HOXTON.SR10 to HOXTON.SR12
  • Jackson from 2.12.3 to 2.12.5

Other Features

  • Update Gradle Wrapper from 7.3.1 to 7.3.2 (#789) @github-actions
dgs-framework - v4.9.13

Published by berngp almost 3 years ago

Artifacts for 4.9.12 and 4.9.13 are unavailable in Maven Central; we are looking into it, but it is unclear if we will be able to solve this problem in the next few days.

What’s Changed

Dependency Version Upgrades

The following dependencies were upgraded...

  • Log4J from 2.15.0 to 2.16.0
  • Kotlin from 1.5.21 to 1.5.32
  • Spring Framework from 5.2.13.RELEASE to 5.2.18.RELEASE
  • Spring Boot from 2.3.9.RELEASE to 2.3.12.RELEASE
  • Spring Security from 5.3.9.RELEASE to 5.3.12.RELEASE
  • Spring Cloud from HOXTON.SR10 to HOXTON.SR12
  • Jackson from 2.12.3 to 2.12.5

Other Features

  • Support of PreparsedDocumentProvider in DgsWebFluxAutoConfiguration (#786) @pushpagarwal
  • Modified to use custom DgsWebfluxHttpHandler (#777) @heoYH
dgs-framework - v4.9.12

Published by github-actions[bot] almost 3 years ago

What’s Changed

Dependency Version Upgrades

The following dependencies were upgraded...

  • Log4J from 2.15.0 to 2.16.0
  • Kotlin from 1.5.21 to 1.5.32
  • Spring Framework from 5.2.13.RELEASE to 5.2.18.RELEASE
  • Spring Boot from 2.3.9.RELEASE to 2.3.12.RELEASE
  • Spring Security from 5.3.9.RELEASE to 5.3.12.RELEASE
  • Spring Cloud from HOXTON.SR10 to HOXTON.SR12
  • Jackson from 2.12.3 to 2.12.5

Other Features

  • Support of PreparsedDocumentProvider in DgsWebFluxAutoConfiguration (#786) @pushpagarwal
  • Modified to use custom DgsWebfluxHttpHandler (#777) @heoYH