feat(server): wire AuthCookiePlugin and CSRF into middleware chain

- Add AuthCookiePlugin to graphile preset plugins array
- Remove Express middleware approach (doesn't work with grafserv)
- Add CSRF middleware after authenticate, before graphile
- Update server.ts middleware order

Middleware chain:
cors → api → authenticate → captcha → csrf → graphile (with AuthCookiePlugin)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: theothersideofgod

graphql/server/src/middleware/graphile.ts

@@ -14,6 +14,7 @@ import { isGraphqlObservabilityEnabled } from '../diagnostics/observability';
 import { HandlerCreationError } from '../errors/api-errors';
 import { observeGraphileBuild } from './observability/graphile-build-stats';
 import type { DatabaseSettings } from '../types';
+import { AuthCookiePlugin } from '../plugins/auth-cookie-plugin';
 
 const maskErrorLog = new Logger('graphile:maskError');
 
@@ -210,6 +211,7 @@ const buildPreset = (
 ): GraphileConfig.Preset => {
   return {
   extends: [createConstructivePreset(databaseSettings)],
+  plugins: [AuthCookiePlugin],
   pgServices: [
     makePgService({
       pool,

graphql/server/src/server.ts

@@ -1,10 +1,11 @@
+import { createCsrfMiddleware } from '@constructive-io/csrf';
 import { getEnvOptions } from '@constructive-io/graphql-env';
 import type { ConstructiveOptions } from '@constructive-io/graphql-types';
 import { Logger } from '@pgpmjs/logger';
 import { healthz, poweredBy, svcCache, trustProxy } from '@pgpmjs/server-utils';
 import { PgpmOptions } from '@pgpmjs/types';
 import { middleware as parseDomains } from '@constructive-io/url-domains';
-import express, { Express, RequestHandler } from 'express';
+import express, { Express, NextFunction, Request, RequestHandler, Response } from 'express';
 import type { Server as HttpServer } from 'http';
 import graphqlUpload from 'graphql-upload';
 import { Pool, PoolClient } from 'pg';
@@ -32,7 +33,9 @@ import { createDebugDatabaseMiddleware } from './middleware/observability/debug-
 import { debugMemory } from './middleware/observability/debug-memory';
 import { localObservabilityOnly } from './middleware/observability/guard';
 import { createRequestLogger } from './middleware/observability/request-logger';
+// Auth cookie handling is done via AuthCookiePlugin in grafserv
 import { createCaptchaMiddleware } from './middleware/captcha';
+import { parseCookieValue, SESSION_COOKIE_NAME } from './middleware/cookie';
 import { createUploadAuthenticateMiddleware, uploadRoute } from './middleware/upload';
 import { startDebugSampler } from './diagnostics/debug-sampler';
 
@@ -160,6 +163,36 @@ class Server {
     app.post('/upload', uploadAuthenticate, ...uploadRoute);
     app.use(authenticate);
     app.use(createCaptchaMiddleware());
+
+    // CSRF protection for cookie-authenticated requests
+    // Skip CSRF for Bearer token auth (not vulnerable to CSRF) and anonymous requests
+    const csrf = createCsrfMiddleware({
+      cookieOptions: {
+        httpOnly: false, // SPA clients need to read this via document.cookie
+        secure: process.env.NODE_ENV === 'production',
+        sameSite: 'lax',
+      },
+    });
+    const csrfProtect: RequestHandler = (req: Request, res: Response, next: NextFunction) => {
+      // Skip CSRF for Bearer token auth
+      const auth = req.headers.authorization;
+      if (auth?.toLowerCase().startsWith('bearer ')) {
+        return next();
+      }
+      // Skip if no session cookie (anonymous requests)
+      const sessionCookie = parseCookieValue(req, SESSION_COOKIE_NAME);
+      if (!sessionCookie) {
+        return next();
+      }
+      // Apply CSRF protection for cookie-authenticated requests
+      csrf.protect(req as any, res as any, next);
+    };
+    const csrfSetToken: RequestHandler = (req: Request, res: Response, next: NextFunction) => {
+      csrf.setToken(req as any, res as any, next);
+    };
+    app.use(csrfSetToken); // Set CSRF token cookie on all requests
+    app.use('/graphql', csrfProtect); // Enforce CSRF on GraphQL mutations
+
     app.use(graphile(effectiveOpts));
     app.use(flush);