feat: disable websocket csrf by default

fixes #943

Author: oliemansm

graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/web/servlet/GraphQLSubscriptionWebsocketProperties.java

@@ -12,4 +12,11 @@ class GraphQLSubscriptionWebsocketProperties {
 
   private String path = "/subscriptions";
   private List<String> allowedOrigins = emptyList();
+  private CsrfProperties csrf = new CsrfProperties();
+
+  @Data
+  class CsrfProperties {
+
+    private boolean enabled = false;
+  }
 }

graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/web/servlet/GraphQLWebsocketAutoConfiguration.java

@@ -82,7 +82,7 @@ private Optional<SubscriptionConnectionListener> keepAliveListener() {
   @Bean
   public WsCsrfFilter wsCsrfFilter(
       @Autowired(required = false) WsCsrfTokenRepository csrfTokenRepository) {
-    return new WsCsrfFilter(csrfTokenRepository);
+    return new WsCsrfFilter(websocketProperties.getCsrf(), csrfTokenRepository);
   }
 
   @Bean

graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/web/servlet/WsCsrfFilter.java

@@ -2,17 +2,19 @@
 
 import static org.springframework.util.CollectionUtils.firstElement;
 
+import graphql.kickstart.autoconfigure.web.servlet.GraphQLSubscriptionWebsocketProperties.CsrfProperties;
 import jakarta.websocket.server.HandshakeRequest;
 import java.util.Objects;
 import lombok.RequiredArgsConstructor;
 
 @RequiredArgsConstructor
 class WsCsrfFilter {
 
+  private final CsrfProperties csrfProperties;
   private final WsCsrfTokenRepository tokenRepository;
 
   void doFilter(HandshakeRequest request) {
-    if (tokenRepository != null) {
+    if (csrfProperties.isEnabled() && tokenRepository != null) {
       WsCsrfToken csrfToken = tokenRepository.loadToken(request);
       boolean missingToken = csrfToken == null;
       if (missingToken) {