Protect GraphQL view (for example schema definition) to require login
Problem description:
django_graphql_jwt provides nice decorators to protect queries and mutations. However, there is no easy way to protect the GraphQL view from non-authenticated users. When using basic Django authentication this problem can be solved using mixin classes or decorators:
```python
from django.contrib.auth.decorators import login_required
from django.contrib.auth.mixins import LoginRequiredMixin
from django.urls import path
from graphene_django.views import GraphQLView

# Using decorators
path('graphql/', login_required(GraphQLView.as_view(graphiql=True)))

# Using mixin classes
class PrivateGraphQLView(LoginRequiredMixin, GraphQLView):
    """Adds a login requirement to graphQL API access via main endpoint."""
    pass
```
However, these solutions do not work when using JWT tokens.
This problem leads to a situation where anonymous users can view my whole schema definition and maybe search for vulnerabilities. Current situation:
```python
from django.contrib import admin
from django.urls import path
from django.views.decorators.csrf import csrf_exempt
from graphene_django.views import GraphQLView

urlpatterns = [
    path('admin/', admin.site.urls),
    path('graphql/', csrf_exempt(GraphQLView.as_view(graphiql=True))),
]
```
Possible solutions:
- Provide decorators or mixin classes that can be used like those in the standard django.contrib.auth module
Issue Analytics
- State:
- Created 3 years ago
- Reactions: 2
- Comments: 5 (1 by maintainers)
Top GitHub Comments
Hi, @LinnaViljami. You can divide your schemas into public and private endpoints. So you can have one endpoint for the login schema, public without login_required, and one endpoint schema for private queries and mutations.
It is working for me on a Django 1.11 project.
But now I am upgrading to Django 3.2 and, surprisingly, when I protect my private schema with login_required, I get the token from the login schema but can't continue with the private endpoint schema.
@LinnaViljami ^^
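Why the Django-level checks fail, and one way to gate the endpoint anyway (an added example, not code from the issue, the comments or django-graphql-jwt): with the library's Graphene middleware the token is read from the Authorization header and verified inside GraphQL execution, so when `login_required` or `LoginRequiredMixin` runs at view dispatch `request.user` is still anonymous and the request is redirected to the login page, token or not. The fix is to authenticate the JWT at the HTTP layer, before the view runs, which also covers introspection queries and the GraphiQL page. The example below does that with a stdlib-only HS256 verifier and a `jwt_required` view decorator. The `Request` stub, the signing key, the `sub` claim and the error bodies are assumptions made for the example; the public login endpoint is simply left unwrapped, which is the two-endpoint layout the comment above describes.

```python
"""Authenticate the JWT at the HTTP layer, before the GraphQL view runs.

Added example, not code from django-graphql-jwt or the issue. Django is
stubbed with a minimal Request class so the module runs stand-alone; the
HS256 key, the claim names and the error bodies are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-example-secret"  # assumption: the server's HS256 signing key
AUTH_PREFIX = "JWT"                     # django-graphql-jwt's default Authorization prefix


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(payload, secret=SECRET):
    """Issue an HS256 JWT; stands in for the public login mutation."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signature = hmac.new(secret, ".".join(parts).encode("ascii"), hashlib.sha256).digest()
    return ".".join(parts + [_b64url_encode(signature)])


def verify_token(token, secret=SECRET, now=None):
    """Return the payload if the token is well-formed, HS256-signed with
    `secret` and unexpired; raise ValueError otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    try:  # base64/JSON/encoding failures are all ValueError subclasses
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        raise ValueError("undecodable token")
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("token parts are not JSON objects")
    # Pin the algorithm: never let the header select 'none' or another scheme.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("expired or missing exp")
    return payload


class Request:
    """Minimal stand-in for django.http.HttpRequest (constructed for the example);
    `headers` mirrors Django's request.headers mapping."""

    def __init__(self, headers=None):
        self.headers = headers or {}
        self.user = None  # like AnonymousUser: nothing has authenticated yet


def jwt_required(view):
    """View decorator: like login_required, but authenticates from the
    Authorization header so a JWT client is recognised at view level.
    Rejecting here covers every request to the endpoint, introspection and
    the GraphiQL page included, because none of them reach the schema."""
    def wrapped(request, *args, **kwargs):
        scheme, _, token = request.headers.get("Authorization", "").partition(" ")
        if scheme != AUTH_PREFIX or not token:
            return 401, {"errors": [{"message": "Authentication credentials were not provided"}]}
        try:
            payload = verify_token(token)
        except ValueError as exc:
            return 401, {"errors": [{"message": f"Invalid token: {exc}"}]}
        if not payload.get("sub"):  # assumption: 'sub' carries the username
            return 401, {"errors": [{"message": "Invalid token: no subject"}]}
        request.user = payload["sub"]
        return view(request, *args, **kwargs)
    return wrapped


def public_graphql_view(request, query):
    """Stand-in for the unprotected login schema (only tokenAuth lives here)."""
    return 200, {"data": {"query": query, "user": request.user}}


@jwt_required
def private_graphql_view(request, query):
    """Stand-in for the protected GraphQLView; the real view would execute
    `query` against the schema, here it just reports who is asking."""
    return 200, {"data": {"query": query, "user": request.user}}


# Two-endpoint layout: login is public, everything else sits behind the gate.
ROUTES = {"graphql/auth/": public_graphql_view, "graphql/": private_graphql_view}


def dispatch(path, request, query):
    return ROUTES[path](request, query)


if __name__ == "__main__":
    introspection = "{ __schema { types { name } } }"
    print(dispatch("graphql/", Request(), introspection))  # 401: schema stays hidden
    tok = make_token({"sub": "alice", "exp": int(time.time()) + 300})
    print(dispatch("graphql/", Request({"Authorization": f"JWT {tok}"}), introspection))  # 200
```

In a Django project the decorator would wrap `csrf_exempt(GraphQLView.as_view(graphiql=True))` in `urlpatterns` and the header would come from `request.headers["Authorization"]` exactly as in the stub; the header parsing and user lookup can be delegated to django-graphql-jwt's `graphql_jwt.utils.get_http_authorization(request)` and `graphql_jwt.shortcuts.get_user_by_token(token, request)` instead of the hand-rolled verifier, which is here only so the block runs without Django. Whatever verifies the token, pin the algorithm and check `exp`: an endpoint that accepts `alg: none` or an expired token is no better protected than the open one.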