
All requests are always authenticated

Open assman opened this issue 4 years ago • 6 comments

I'm not sure if I am missing something; I have checked thoroughly that I have added the MIDDLEWARE and AUTHENTICATION_BACKENDS correctly. I am using the @login_required decorator to protect a query that responds with user information if successful.

However, when I use the GraphQL interactive window to send an unauthenticated query, it responds with a user's info (the superuser created using the model manager's createsuperuser function). The interactive window has no provision to include the Authorization header, therefore this query should not resolve in the first place.

Below are some of my code snippets:

import graphene
from django.contrib.auth import get_user_model
from graphene_django import DjangoObjectType
from graphql_jwt.decorators import login_required

class UserType(DjangoObjectType):
    class Meta:
        model = get_user_model()

class Query(graphene.ObjectType):
    me = graphene.Field(UserType)

    @login_required
    def resolve_me(self, info, **kwargs):
        # Returns whatever user the request arrived with, regardless of which backend set it
        return info.context.user

assman avatar Mar 12 '20 11:03 assman
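The following is an added model of what the question is seeing; it is not code from the thread or from django-graphql-jwt. It assumes the layering the library documents (and the last reply in this thread points at): the JWT is only consulted when an Authorization header is present, and otherwise request.user stays whatever Django's session middleware attached, so a browser that is logged in to the admin site is already authenticated when GraphiQL sends a query with no header. The names User, AnonymousUser, Request, VALID_TOKENS, resolve_user and run_me_query are constructed for this illustration.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    """Authenticated principal, whether it came from a session or a JWT."""
    username: str
    is_authenticated: bool = True


@dataclass
class AnonymousUser:
    """What Django attaches to request.user when no session is logged in."""
    username: str = ""
    is_authenticated: bool = False


# Constructed stand-in for token verification: token string -> username.
VALID_TOKENS = {"tok-alice": "alice"}


@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    # request.user as set by Django's session middleware before the JWT layer runs
    session_user: object = field(default_factory=AnonymousUser)


class PermissionDenied(Exception):
    pass


def resolve_user(request):
    """Return (user, source). A 'JWT <token>' Authorization header is checked first;
    with no header the session user is kept, which is why an admin login is enough."""
    auth = request.headers.get("Authorization", "")
    if auth.startswith("JWT "):
        username = VALID_TOKENS.get(auth[len("JWT "):].strip())
        # In this model a bad token simply yields an anonymous user.
        return (User(username), "jwt") if username else (AnonymousUser(), "jwt-invalid")
    return request.session_user, "session"


def login_required(resolver):
    """Same contract as the decorator in the question: refuse unless the user is authenticated."""
    def wrapper(context):
        if not context["user"].is_authenticated:
            raise PermissionDenied("You do not have permission to perform this action")
        return resolver(context)
    return wrapper


@login_required
def resolve_me(context):
    return context["user"].username


def run_me_query(request):
    """Execute the 'me' query; returns (username, or None when denied, auth source)."""
    user, source = resolve_user(request)
    try:
        return resolve_me({"user": user}), source
    except PermissionDenied:
        return None, source


if __name__ == "__main__":
    # 1. GraphiQL tab in a browser logged in to /admin: no header, but a session user.
    print(run_me_query(Request(session_user=User("admin"))))                  # ('admin', 'session')
    # 2. Same tab after logging out of admin: the decorator now refuses.
    print(run_me_query(Request()))                                            # (None, 'session')
    # 3. Non-browser client sending the token: accepted via the JWT path.
    print(run_me_query(Request(headers={"Authorization": "JWT tok-alice"})))  # ('alice', 'jwt')
    # 4. Header present but invalid: the header path wins over the session in this model.
    print(run_me_query(Request(headers={"Authorization": "JWT nope"},
                               session_user=User("admin"))))                  # (None, 'jwt-invalid')
```

Case 1 is the symptom from the question: the decorator is doing its job, but the request was never unauthenticated. To test the header-only path from a browser, use a private window or log out of admin first, or drive the endpoint from a client that carries no session cookie.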

I don't remember, but I somehow managed to make all requests secure. E.g. in the authentication section where the viewer field is set up, I turned all queries into sub-queries of viewer:

{
    viewer {
        users {
            uid
        }
    }
}

And it worked. Now I have the same problem. All queries are insecure and everyone can reach them. Besides, I'd like to see how it works with Relay Modern.

nrgx avatar Mar 22 '20 13:03 nrgx

@assman, by the way I found an article that uses DRF authtokens (I use simple jwt, can share setup if needed), which I think is pretty good. Here you go

nrgx avatar Mar 22 '20 15:03 nrgx

@nrgx thank you for sharing :)

This is kind of unrelated to the issue, can I check with you, where do you store the token on the client side? i.e. localStorage or cookies?

assman avatar Mar 23 '20 02:03 assman

@assman best practice is http-only cookie

cutamar avatar Mar 23 '20 03:03 cutamar
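As an added example for the storage question above (not code from the thread or from django-graphql-jwt), the block below builds a token cookie with the flags that make the HttpOnly recommendation effective and audits an arbitrary Set-Cookie value for the ones it lacks. A token in localStorage is readable by any script running on the page; an HttpOnly cookie is not exposed to document.cookie at all, Secure keeps it off plaintext connections, and SameSite limits cross-site sending. It uses only the standard library; the cookie name "JWT" and the token value are constructed placeholders.

```python
from http.cookies import SimpleCookie

# Attributes a token-bearing cookie should carry (compared case-insensitively).
REQUIRED_FLAGS = ("httponly", "secure", "samesite")


def build_token_cookie(name: str, token: str, samesite: str = "Lax", max_age: int = 3600) -> str:
    """Return the value part of a Set-Cookie header carrying `token` with hardened flags."""
    jar = SimpleCookie()
    jar[name] = token
    morsel = jar[name]
    morsel["httponly"] = True      # not readable from document.cookie
    morsel["secure"] = True        # only sent over https
    morsel["samesite"] = samesite  # not attached to cross-site requests (Lax/Strict)
    morsel["path"] = "/"
    morsel["max-age"] = max_age    # bound the lifetime like the token itself
    return morsel.OutputString()


def missing_flags(set_cookie_value: str) -> list:
    """Return the hardening attributes absent from a Set-Cookie header value."""
    attributes = [part.strip() for part in set_cookie_value.split(";")[1:]]
    present = {attr.split("=", 1)[0].lower() for attr in attributes}
    return [flag for flag in REQUIRED_FLAGS if flag not in present]


if __name__ == "__main__":
    hardened = build_token_cookie("JWT", "constructed-token")
    weak = "JWT=constructed-token; Path=/"   # constructed: what a bare set_cookie() call yields
    print(hardened)                          # JWT=constructed-token; HttpOnly; Max-Age=3600; Path=/; SameSite=Lax; Secure
    print(missing_flags(hardened))           # []
    print(missing_flags(weak))               # ['httponly', 'secure', 'samesite']
```

missing_flags is the check to run over the Set-Cookie headers a deployment actually emits; a cookie that stores the JWT but comes back with any flag listed is no better than localStorage on that axis.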

I've just set up the backend, and haven't prepared the frontend yet. But yes, I will use localStorage.

nrgx avatar Mar 23 '20 04:03 nrgx

Make sure you are logged out of admin.

GalaxyZpj avatar May 21 '20 16:05 GalaxyZpj