How to restrict anonymous users from GraphQL API e

2019-08-18 18:08发布

站内问答 / Django
2029 2 5

Django has two approaches.

  1. Regular DRF restricts user on Middleware level. So not logged in user doesn't reach anything.

  2. GraphQL, on contrary, uses "per method" approach. So middleware passes all the request and each method. But afterward method calls decorator.

I want to implement 1st approach but for GraphQL. But in that case I need to open path for login mutation. How can I extract mutation name from payload?

2条回答
对你真心纯属浪费
2楼-- · 2019-08-18 18:28

If you want restrict a GraphQL API endpoint to Django logged in users, you can do it by extending GraphQLView with LoginRequiredMixin

from django.contrib.auth.mixins import LoginRequiredMixin
from graphene_django.views import GraphQLView

class PrivateGraphQLView(LoginRequiredMixin, GraphQLView):
    """Adds a login requirement to graphQL API access via main endpoint."""
    pass

and then adding this view to your urls.py like

path('api/', PrivateGraphQLView.as_view(schema=schema), name='api')

in the usual way as per the docs.

If you don't to protect your entire API, you can create another schema and endpoint for the the unprotected queries and mutations, which allows a clear separation between each. For example in urls.py:

path('public_api/', GraphQLView.as_view(schema=public_schema), name='public_api')

Note that every API endpoint must have at least one query to work or it will cause an assertion error.

查看更多
0人赞 添加讨论(0) 举报
ら.Afraid
3楼-- · 2019-08-18 18:32

Not sure if it serves your purpose, but I've used the following library which used JWT authentication with graphene similar to how JWT with DRF works!

https://github.com/flavors/django-graphql-jwt

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)