EnsureXHR blocking file uploads
Describe the bug
When enabling the EnsureXHR middleware, it blocks off the ability to upload files.
https://github.com/nuwave/lighthouse/blob/master/src/Support/Http/Middleware/EnsureXHR.php#L51
Using Altair (or axios in js):
mutation UpdateCandidate($file: Upload!) {
  updateCandidate(input: { id: "w1qj5z6p", image: $file }) {
    image_url
  }
}
sends through multipart/form-data
Expected behavior/Solution
Someone more knowledgeable on the subject of XHR could probably propose a solution (or reason in favor of the current setup).
Steps to reproduce
- Enabled EnsureXHR in lighthouse.php middleware
- Try to upload a file with one of the EnsureXHR::FORM_CONTENT_TYPES set as the Content-Type
Output/Logs
{
"message": "Content-Type multipart/form-data; boundary=----WebKitFormBoundary1Zo3Ixa4BRdt1EsN is forbidden",
"exception": "Symfony\\Component\\HttpKernel\\Exception\\BadRequestHttpException",
"file": "/REDACTED/vendor/nuwave/lighthouse/src/Support/Http/Middleware/EnsureXHR.php",
"line": 52,
...
Lighthouse Version
Latest
@Deyjandi has just recently opened a pull request that probably deals with the same underlying problem, see https://github.com/nuwave/lighthouse/pull/2202.
Summarized from slack:
@thekonz
laravel has this header it likes to check X-Requested-With: XMLHttpRequest
https://github.com/laravel/framework/blob/9.x/src/Illuminate/Http/Concerns/InteractsWithContentTypes.php#L24
@spawnia
Thank you for digging that up. Looks like a suitable solution to me that should work out of the box for some - but I think we should add docs for it nonetheless
Probably to https://lighthouse-php.com/master/security/csrf.html and https://lighthouse-php.com/master/digging-deeper/file-uploads.html#setup
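The following is an added example, not part of the thread and not Lighthouse's own code: it builds the upload from the issue as a multipart request and runs it through a small model of the check, once without and once with the X-Requested-With header proposed above. The helper names, the content-type list, the missing-Content-Type rule and the URL are assumptions of this sketch, as is the premise that the middleware lets requests carrying that header through.

```javascript
// Added sketch, not Lighthouse's code. Requires Node 18+ (global FormData, Blob, Request).
// The three content types an HTML form can send cross-site without a CORS
// preflight; assumed here to be what EnsureXHR::FORM_CONTENT_TYPES lists.
const FORM_CONTENT_TYPES = [
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
];

// Hypothetical model of the check: null means "let through", else the reason.
function rejectReason(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  // A cross-site <form> cannot set custom headers, and a cross-origin script
  // that sets one triggers a preflight, so this header marks a non-forged call.
  if (h['x-requested-with'] === 'XMLHttpRequest') return null;
  const type = h['content-type'] || '';
  // A body with no declared type also needs no preflight; this sketch rejects it.
  if (type === '') return 'Content-Type header must be set';
  const forbidden = FORM_CONTENT_TYPES.some((t) => type.toLowerCase().startsWith(t));
  return forbidden ? `Content-Type ${type} is forbidden` : null;
}

// The upload from the issue, laid out per the GraphQL multipart request spec.
function buildUpload(file, withXhrHeader) {
  const query = `mutation UpdateCandidate($file: Upload!) {
    updateCandidate(input: { id: "w1qj5z6p", image: $file }) { image_url }
  }`;
  const body = new FormData();
  body.append('operations', JSON.stringify({ query, variables: { file: null } }));
  body.append('map', JSON.stringify({ 0: ['variables.file'] }));
  body.append('0', file, 'photo.png'); // constructed file name
  // No Content-Type here: fetch() derives it, boundary included, from the body.
  const headers = withXhrHeader ? { 'X-Requested-With': 'XMLHttpRequest' } : {};
  return { method: 'POST', headers, body };
}

// Headers as the server would receive them (placeholder URL, nothing is sent).
function headersOnWire(init) {
  return Object.fromEntries(new Request('http://localhost/graphql', init).headers);
}
```

With axios, the same header goes in the request config's `headers` option.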