Comments (7)
Here is maybe a more intuitive way for those who don't use jwt:
def auth_required(fn):
def wrapper(*args, **kwargs):
session = request.headers.get(AUTH_HEADER, '')
# Do some authentication here maybe...
return fn(*args, **kwargs)
return wrapper
def graphql_view():
view = GraphQLView.as_view(
'graphql',
schema=schema,
graphiql=True,
context={
'session': DBSession,
}
)
return auth_required(view)
app = Flask(__name__)
app.debug = True
app.add_url_rule(
'/graphql',
view_func=graphql_view()
)
from flask-graphql.
It's been a while that issue is open, but for general purpose, I ended up using route decorators in my view function like this :
from flask_jwt_extended import jwt_required
...
def graphql_view():
view = GraphQLView.as_view('graphql', schema=schema, context={'session': db.session},
graphiql=True)
return jwt_required(view)
app.add_url_rule(
'/graphql',
view_func=graphql_view()
)
Here I use a JWT authentication with but I could use flask-login or any authentication method:
from flask_login import login_required
...
def graphql_view():
view = GraphQLView.as_view('graphql', schema=schema, context={'session': db.session},
graphiql=True)
return login_required(view)
...
from flask-graphql.
I am using flask + jwt.
For queries I just use Viewer, as a top level object:
class Query(graphene.ObjectType):
....
viewer = graphene.Field(Viewer)
@staticmethod
def resolve_viewer(_root, info):
return Viewer.get_user_by_token(info.context.headers.get('Authorization'))
For mutations I have to create abstract mutation class and extend it with all my mutation except login mutation:
class AuthorizedMutation(relay.ClientIDMutation):
class Meta:
abstract = True
@classmethod
@abstractmethod
def mutate_authorized(cls, root, info, **kwargs):
pass
@classmethod
def mutate_and_get_payload(cls, root, info, **kwargs):
_ = auth_service.authorize_token(info.context.headers.get('Authorization'))
return cls.mutate_authorized(root, info, **kwargs)
All credentials and tokes related work is handeled by auth_service
. Viewer.get_user_by_token
also calls it.
Hope it will be helpful.
P.S.: Do not forget, that subscriptions also need to be secured.
from flask-graphql.
I had a similar problem, but I basically implemented a workaround such that a user could access the graphqlview only on the testing/development environment (localhost). Depends on what your goal is, I only had the graphqlview to help me model and test graphql queries, and didn't actually want it available in the production environment. Here's the code if you're interested:
isLocal = 'FLASK_DEBUG' in os.environ and os.environ['FLASK_DEBUG'] == '1'
app.add_url_rule('/graphql', view_func=GraphQLView.as_view('graphql', schema=schema, context={ 'client': MONGO_CLIENT }, graphiql= True if isLocal else False))
from flask-graphql.
@kmakihara Did you end up writing individual graphql routes that handle authentication? How are you limiting the amount of data an authenticated user can potentially receive without limiting the usefulness of graphql?
from flask-graphql.
Taking the suggestions above, I have been able to use existing Python JWT libraries to authenticate the /graphql
endpoint. However, I am unsure what the best practice is to handle user identity management, which involves decoding the token and reading off the identifying information. For instance, if I have query{portfolio}
, I want to be able to return the portfolio of the authenticated user. I am not sure how to get that information and pass it along to the schema so that it can be used in resolver and mutator functions. Right now, I feel I am doing something rather silly: I have an additional endpoint in my Flask app called /jwt_id
that accepts a JWT parameter in the payload, which I then decode and return the id. Then in all of the resolvers, I use requests
to hit this endpoint, which is completely redundant since now the token is in the payload and in the header but I couldn't think of a workaround. Is there a clean way to pass the decoded token information to the schema? I'm assuming I can somehow leverage the context
parameter...?
UPDATE:
Figured it out - context
is indeed the way to do it!
from flask-graphql.
Hi, I'm the maintainer of Flask-GraphQL-Auth. Inspired by Flask-JWT-Extended, There is a problem with error-handling but it works pretty well. How about try this?
You can use Flask-GraphQL-Auth like you used Flask-JWT-Extended.
here are some examples.
class Query(graphene.ObjectType):
protected = graphene.String(message=graphene.String(),
token=graphene.String())
@query_jwt_required
def resolve_protected(self, info, message):
return str(get_raw_jwt())
you can find more on github and docs
GitHub: https://github.com/callsign-viper/Flask-GraphQL-Auth
Docs: https://flask-graphql-auth.readthedocs.io/en/latest/
from flask-graphql.
Related Issues (20)
- How to get GraphQL error objects using GraphQLView in 2.0.0? HOT 1
- No updates recently? HOT 1
- Why graphql does not return JSON?
- Incompatible with graphql-core==3.0.0 HOT 2
- Upgrade to graphql-core v3 HOT 3
- Enabling "explorer" HOT 14
- Bump graphql-core version to fix concurrency / security issues
- Flask-GraphQL now returns warnings when using `graphql-core HOT 3
- Include Altair GraphQL view HOT 2
- The embedded GraphiQL version is extremely outdated HOT 5
- Documentation on how to make an update mutation
- Header support in graphiQL interface HOT 9
- AttributeError on Graphqlview HOT 1
- CSRF Exemption? HOT 1
- which graphiql version is using? HOT 2
- Accessing query/mutation name from GraphQLView
- Graphene v3 breaks flask-graphql HOT 1
- Dependency conflicts with graphene>=3.0 HOT 2
- python 3.10+ MutableMapping ImportError HOT 1
- Error when importing flask_graphql HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from flask-graphql.