fix: Apply CSRF prevention validation only to GET requests

[holzerch]

The current version of the CSRF prevention plugin requires special headers to be present on all requests. However in order to prevent CSRF attacks the check must only be done on some requests. For POST requests the browser does automatic preflight checks already for all content types not matching application/x-www-form-urlencoded, multipart/form-data, text/plain

[changeset-bot]

🦋 Changeset detected

Latest commit: 3d3129d

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@graphql-yoga/plugin-csrf-prevention	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[holzerch]

I changed the initial implementation of the PR again to consider the content types browsers do preflight checks already.

[enisdenjo]

Thank you @holzerch, this looks great!

[github-actions]

✅ Benchmark Results

     ✓ no_errors{mode:graphql}
     ✓ expected_result{mode:graphql}
     ✓ no_errors{mode:graphql-jit}
     ✓ expected_result{mode:graphql-jit}
     ✓ no_errors{mode:graphql-response-cache}
     ✓ expected_result{mode:graphql-response-cache}
     ✓ no_errors{mode:graphql-no-parse-validate-cache}
     ✓ expected_result{mode:graphql-no-parse-validate-cache}

     checks.......................................: 100.00% ✓ 410486      ✗ 0     
     data_received................................: 1.7 GB  14 MB/s
     data_sent....................................: 83 MB   691 kB/s
     http_req_blocked.............................: avg=1.44µs   min=982ns    med=1.3µs    max=287.48µs p(90)=1.89µs   p(95)=2.09µs  
     http_req_connecting..........................: avg=2ns      min=0s       med=0s       max=131.04µs p(90)=0s       p(95)=0s      
     http_req_duration............................: avg=373.87µs min=210.18µs med=328.53µs max=18.64ms  p(90)=526.78µs p(95)=546.24µs
       { expected_response:true }.................: avg=373.87µs min=210.18µs med=328.53µs max=18.64ms  p(90)=526.78µs p(95)=546.24µs
     ✓ { mode:graphql-jit }.......................: avg=282.24µs min=210.18µs med=260.85µs max=18.64ms  p(90)=291.33µs p(95)=303.63µs
     ✓ { mode:graphql-no-parse-validate-cache }...: avg=554.7µs  min=461.4µs  med=525.96µs max=9.81ms   p(90)=565.82µs p(95)=602.7µs 
     ✓ { mode:graphql-response-cache }............: avg=345.6µs  min=273.85µs med=326.4µs  max=9.36ms   p(90)=357.45µs p(95)=367.95µs
     ✓ { mode:graphql }...........................: avg=375.34µs min=291.36µs med=340.7µs  max=13.36ms  p(90)=387.14µs p(95)=435.54µs
     http_req_failed..............................: 0.00%   ✓ 0           ✗ 205243
     http_req_receiving...........................: avg=32.29µs  min=16.69µs  med=32.36µs  max=3.8ms    p(90)=38.14µs  p(95)=40.35µs 
     http_req_sending.............................: avg=8.19µs   min=5.98µs   med=7.32µs   max=334.46µs p(90)=10.74µs  p(95)=11.41µs 
     http_req_tls_handshaking.....................: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting.............................: avg=333.37µs min=183.09µs med=288.95µs max=17.98ms  p(90)=486.07µs p(95)=503.27µs
     http_reqs....................................: 205243  1710.337128/s
     iteration_duration...........................: avg=579.93µs min=380.88µs med=530.61µs max=19.38ms  p(90)=735.89µs p(95)=759.03µs
     iterations...................................: 205243  1710.337128/s
     vus..........................................: 1       min=1         max=1   
     vus_max......................................: 2       min=2         max=2