
Protect GraphQL view (for example schema definition) to require login

Problem description:

django_graphql_jwt provides nice decorators to protect queries and mutations. However, there is no easy way to protect the GraphQL view from non-authenticated users. When using basic Django authentication this problem can be solved using mixin classes or decorators:

# Using decorators
from django.contrib.auth.decorators import login_required
from django.urls import path
from graphene_django.views import GraphQLView

urlpatterns = [
    # login_required redirects anonymous users before the view (and GraphiQL) is served
    path('graphql/', login_required(GraphQLView.as_view(graphiql=True))),
]

# Using mixin classes
from django.contrib.auth.mixins import LoginRequiredMixin
from graphene_django.views import GraphQLView

class PrivateGraphQLView(LoginRequiredMixin, GraphQLView):
    """Adds a login requirement to graphQL API access via main endpoint."""
    pass

However, these solutions do not work when using JWT tokens.

This problem leads to a situation where anonymous users can view my whole schema definition and maybe search for vulnerabilities. Current situation:

from django.views.decorators.csrf import csrf_exempt
from graphene_django.views import GraphQLView

urlpatterns = [
    path('admin/', admin.site.urls),
    path('graphql/', csrf_exempt(GraphQLView.as_view(graphiql=True))),  # no auth wrapper: anonymous users reach GraphiQL and introspection
]

Possible solutions:

Provide decorators or mixin classes that can be used as in the standard django.contrib.auth module.

Issue Analytics

  • State: open
  • Created 3 years ago
  • Reactions: 2
  • Comments: 5 (1 by maintainers)

Top GitHub Comments

1 reaction
pipedex commented, Sep 3, 2021

Hi, @LinnaViljami. You can divide your schemas into public and private endpoints. So, you can have one endpoint for the login schema, public without login_required, and one endpoint schema for private queries and mutations.

from django.conf.urls import url
from django.contrib.auth.decorators import login_required
from django.views.decorators.csrf import csrf_exempt
from graphene_file_upload.django import FileUploadGraphQLView

url('ingreso-login', csrf_exempt(FileUploadGraphQLView.as_view(graphiql=True, schema=schema1.schema1))),  # public: login schema only
url('ingreso-general', login_required(csrf_exempt(FileUploadGraphQLView.as_view(graphiql=True)))),  # private: default schema behind login_required

It is working for me on a Django 1.11 project.

But now I am upgrading to Django 3.2 and, surprisingly, when I protect my private schema with login_required, I get the token from the login schema but cannot continue with the private endpoint schema.
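
Putting the two threads together, the issue's wish for a view-level guard and pipedex's public/private split: the following is an added example, not code from the issue or from django-graphql-jwt. It is plain Python so it runs without Django. Request, public_login_view and private_graphql_view are constructed stand-ins for HttpRequest and the two GraphQLView endpoints, SECRET_KEY is a constructed constant standing in for settings.SECRET_KEY, and the HS256 verifier is hand-rolled for the demo only; in a Django project the guard would call django-graphql-jwt's own helpers (graphql_jwt.shortcuts.get_user_by_token) instead and be applied as path('graphql/', jwt_login_required(csrf_exempt(GraphQLView.as_view(graphiql=True)))). What it shows is that the check runs before the view, so GraphiQL and introspection are withheld from anonymous callers, and that a tampered, alg=none or expired token is rejected.

```python
"""Gate a GraphQL endpoint behind a JWT check before the view runs (added example, stdlib only)."""
import base64
import functools
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: HS256 signing key. django-graphql-jwt signs with settings.SECRET_KEY by default;
# this is a constructed constant so the example runs without Django.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"
AUTH_HEADER_PREFIX = "JWT"  # django-graphql-jwt's default Authorization scheme


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = SECRET_KEY) -> str:
    """Issue an HS256 JWT; used here only to construct sample tokens."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_token(token: str, key: bytes = SECRET_KEY, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is well-formed, HS256-signed with key and unexpired, else None."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm instead of trusting the header: rejects alg=none and key-confusion tricks.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


class Request:
    """Minimal stand-in for Django's HttpRequest (constructed for the demo)."""

    def __init__(self, headers: dict, body: str = ""):
        self.headers = headers
        self.body = body
        self.user = None


def extract_token(request) -> Optional[str]:
    """Read the raw token from 'Authorization: JWT <token>'; None if absent or wrong scheme."""
    scheme, _, token = request.headers.get("Authorization", "").partition(" ")
    if scheme != AUTH_HEADER_PREFIX:
        return None
    return token.strip() or None


def jwt_login_required(view):
    """View decorator: run the wrapped view only for requests carrying a valid JWT.

    Wrap the whole view, the way the issue does with login_required, so GraphiQL and
    schema introspection are also withheld from anonymous callers.
    """
    @functools.wraps(view)  # keeps attributes such as csrf_exempt on the wrapped view
    def wrapper(request, *args, **kwargs):
        token = extract_token(request)
        claims = verify_token(token) if token else None
        if claims is None:
            return 401, {"errors": [{"message": "Authentication credentials were not provided or are invalid"}]}
        request.user = claims.get("username")
        return view(request, *args, **kwargs)
    return wrapper


# The public/private split: one unguarded endpoint that only issues tokens, one guarded
# endpoint for everything else. Both views are stand-ins returning (status, JSON body).
def public_login_view(request):
    """Stand-in for the public login schema: hands out a five-minute token."""
    username = json.loads(request.body or "{}").get("username", "anonymous")
    token = make_token({"username": username, "exp": time.time() + 300})
    return 200, {"data": {"tokenAuth": {"token": token}}}


@jwt_login_required
def private_graphql_view(request):
    """Stand-in for the private GraphQLView; only reachable with a valid token."""
    return 200, {"data": {"me": request.user}}
```

Wrapping the whole view is what hides the schema: a per-field decorator only runs once a resolver is reached, while introspection and the GraphiQL page are served by the view before any user resolver executes.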

0 reactions
lanshunfang commented, Feb 24, 2022