Graphene provides GraphQL integration for Django and ships a view for creating the URL endpoint. The question is how to protect that endpoint for API use? {a1} is to use LoginRequiredMixin, which is great for logged-in users but cannot be used as an API.
I tried integrating it with DRF tokens, but ended up going through the session middleware, which requires CSRF. The only solution that worked was adding a CSRF-exempt decorator, but I worry that this opens a security hole.
```python
# urls.py
from django.urls import path
from . import views as root_views  # assumed: views module next to urls.py

urlpatterns = [
    path("graphiql/", root_views.SessionGraphQLView.as_view(graphiql=True), name="graphiql"),
    path("graphql/", root_views.TokenGraphQLView.as_view(graphiql=False), name="graphql"),
]
```
```python
# views.py
from django.contrib.auth.mixins import AccessMixin, LoginRequiredMixin
from django.utils.decorators import method_decorator
from django.views.decorators.csrf import csrf_exempt
from graphene_django.views import GraphQLView
from rest_framework.authentication import TokenAuthentication

class TokenLoginRequiredMixin(AccessMixin):
    """A login required mixin that allows token authentication."""
    def dispatch(self, request, *args, **kwargs):
        """If token was provided, ignore authenticated status."""
        http_auth = request.META.get("HTTP_AUTHORIZATION")
        # Substring test only: the token value itself is not verified here.
        if http_auth and "Token" in http_auth:
            pass
        elif not request.user.is_authenticated:
            return self.handle_no_permission()
        return super().dispatch(request, *args, **kwargs)

@method_decorator(csrf_exempt, name="dispatch")
class TokenGraphQLView(TokenLoginRequiredMixin, GraphQLView):
    # DRF APIView attribute; graphene's plain Django GraphQLView does not consult it.
    authentication_classes = [TokenAuthentication]

class SessionGraphQLView(LoginRequiredMixin, GraphQLView):
    pass
```
No answers yet
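An added example (editor's, not from the question nor from Graphene or DRF) of the distinction behind the csrf_exempt worry: CSRF protection guards against ambient browser credentials (the session cookie), so a request authenticated by a verified Authorization header needs no CSRF token, while a session-authenticated request still does. It contrasts the posted substring test with a strict parse modelled on DRF's TokenAuthentication; TOKEN_STORE, authorize and the other names are constructed stand-ins for the DRF token table and the view's dispatch logic, so it runs without Django.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for DRF's Token table (key -> username); not real credentials.
TOKEN_STORE = {"0123456789abcdef0123456789abcdef01234567": "alice"}


@dataclass
class Decision:
    user: Optional[str]   # authenticated principal, or None
    csrf_required: bool   # True when ambient (cookie) credentials were relied on
    allowed: bool


def loose_check(auth_header: Optional[str]) -> bool:
    """The posted mixin's test: any header containing the substring 'Token' passes."""
    return bool(auth_header) and "Token" in auth_header


def authenticate_token(auth_header: Optional[str]) -> Optional[str]:
    """Strict parse like DRF TokenAuthentication: exactly 'Token <key>', key must exist."""
    if not auth_header:
        return None
    parts = auth_header.split()
    if len(parts) != 2 or parts[0].lower() != "token":
        return None
    presented = parts[1]
    # Constant-time comparison against the constructed store (DRF does a DB lookup here).
    for key, user in TOKEN_STORE.items():
        if hmac.compare_digest(key, presented):
            return user
    return None


def authorize(auth_header: Optional[str], session_user: Optional[str],
              csrf_token_valid: bool) -> Decision:
    """Verified token: no ambient credential, so no CSRF needed. Session: CSRF still enforced."""
    user = authenticate_token(auth_header)
    if user is not None:
        return Decision(user, csrf_required=False, allowed=True)
    if session_user is None:
        return Decision(None, csrf_required=True, allowed=False)
    return Decision(session_user, csrf_required=True, allowed=csrf_token_valid)
```

The point for the view: exempting CSRF is safe only on the path where a token was actually verified; an unverified header must fall back to the session check with CSRF enforced.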