Add information on how to deal with CSRF protection (#838)

Jonathan Kim 2020-01-11 14:49:17 +01:00 committed by GitHub
parent b8a2d5953a
commit de87573e0c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -66,4 +66,26 @@ The most basic ``schema.py`` looks like this:
schema = graphene.Schema(query=Query)
To learn how to extend the schema object for your project, read the basic tutorial.
To learn how to extend the schema object for your project, read the basic tutorial.
CSRF exempt
-----------
If have enabled `CSRF protection <https://docs.djangoproject.com/en/3.0/ref/csrf/>`_ in your Django app
you will find that it prevents your API clients from POSTing to the ``graphql`` endpoint. You can either
update your API client to pass the CSRF token with each request (the Django docs have a guide on how to do that: https://docs.djangoproject.com/en/3.0/ref/csrf/#ajax) or you can exempt your Graphql endpoint from CSRF protection by wrapping the ``GraphQLView`` with the ``csrf_exempt``
decorator:
.. code:: python
# urls.py
from django.urls import path
from django.views.decorators.csrf import csrf_exempt
from graphene_django.views import GraphQLView
urlpatterns = [
# ...
path("graphql", csrf_exempt(GraphQLView.as_view(graphiql=True))),
]
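Review bot: The new "CSRF exempt" section presents `csrf_exempt(GraphQLView.as_view(graphiql=True))` as an equal alternative to sending the token, but it never says when the exemption is safe. If the endpoint authenticates requests with Django's session cookie, removing the CSRF check lets any third-party page submit mutations on behalf of a logged-in user. Please add a sentence stating that the exemption is appropriate only when clients authenticate with something the browser does not attach automatically (for example an `Authorization` header), and that cookie-authenticated clients should pass the CSRF token as described in the linked Django guide. It would also help to present the token-passing route as the default and the exemption as the exception, since readers tend to copy the code block. Two wording nits in the same paragraph: "If have enabled" is missing "you", and "Graphql endpoint" should read "GraphQL endpoint" to match the rest of the docs.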