JSON Web Token Authentication support for Django + Graphene
This package provides JWT authentication via GraphQL using Graphene, similarly to how django-rest-framework-jwt exposes JWT via REST.

django-graphene-jwt uses djangorestframework-jwt under the hood; it simply adapts the request and response handling to suit Graphene. That means that djangorestframework-jwt's settings (the JWT_AUTH dict: secret key, algorithm, expiration, refresh policy, header prefix, ...) are the ones in effect, so configure and review them exactly as you would for a REST deployment.
Some caveats and known issues:

- The JWTGraphQLView class is pretty ad-hoc; using the REST_FRAMEWORK.DEFAULT_AUTHENTICATION_CLASSES setting would probably be better. Also, there is no equivalent of DEFAULT_PERMISSION_CLASSES: the view only authenticates the request, so checking permissions is currently the responsibility of each resolver and mutation method. Any field you leave unguarded is reachable by anonymous callers.
- There is no test suite and there has not been a formal code review! This is security code, and while the attack surface is small, it has to be pointed out. If you think about using this library, read the code; it's only 170 lines in total, in schema.py and views.py.
If you want production-grade Graphene JWT support, think about contributing!
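Because the library has no DEFAULT_PERMISSION_CLASSES equivalent, every resolver has to enforce authorization itself. The following is an added example, not code from django-graphene-jwt: two decorators that guard a resolver on the user the view leaves on info.context.user (graphene-django passes the Django request as info.context; that the JWT view populates request.user is assumed here, so confirm it when you read views.py). FakeUser and FakeInfo are constructed stand-ins so the module runs without Django or Graphene installed; resolve_me and resolve_delete_thing are hypothetical resolvers.

```python
from functools import wraps


class PermissionDenied(Exception):
    """Raised by a guarded resolver; Graphene reports it in the response 'errors' array."""


def _user_from(info):
    # Assumption: JWTGraphQLView has set request.user from the parsed token,
    # so a graphene-django resolver finds it at info.context.user.
    return getattr(info.context, "user", None)


def login_required(resolver):
    """Reject anonymous callers before the resolver body runs."""
    @wraps(resolver)
    def wrapper(root, info, *args, **kwargs):
        user = _user_from(info)
        if user is None or not getattr(user, "is_authenticated", False):
            raise PermissionDenied("authentication required")
        return resolver(root, info, *args, **kwargs)
    return wrapper


def permission_required(*perms):
    """Require every listed Django permission (user.has_perm) on top of login."""
    def decorator(resolver):
        @login_required
        @wraps(resolver)
        def wrapper(root, info, *args, **kwargs):
            user = _user_from(info)
            missing = [p for p in perms if not user.has_perm(p)]
            if missing:
                raise PermissionDenied("missing permission: " + ", ".join(missing))
            return resolver(root, info, *args, **kwargs)
        return wrapper
    return decorator


# --- Constructed stand-ins so the example runs offline (not Django objects) ---
class FakeUser:
    def __init__(self, authenticated, perms=()):
        self.is_authenticated = authenticated   # AnonymousUser reports False
        self._perms = set(perms)

    def has_perm(self, perm):
        return perm in self._perms


class FakeInfo:
    """Mimics the ResolveInfo a graphene-django resolver receives."""
    def __init__(self, user):
        self.context = type("Request", (), {"user": user})()


# Hypothetical resolvers, written the way they would sit on a graphene ObjectType
@login_required
def resolve_me(root, info):
    return "me"


@permission_required("app.delete_thing")
def resolve_delete_thing(root, info, thing_id):
    return "deleted %s" % thing_id


def outcome(resolver, user, *args):
    """Run a resolver for a user; return its value, or the denial message."""
    try:
        return resolver(None, FakeInfo(user), *args)
    except PermissionDenied as exc:
        return "denied: %s" % exc


if __name__ == "__main__":
    print(outcome(resolve_me, FakeUser(False)))
    print(outcome(resolve_delete_thing, FakeUser(True, ["app.delete_thing"]), 7))
```

The decorators fail closed: a missing context user or a missing is_authenticated attribute is treated as anonymous, and permission_required stacks login_required so a permission can never be evaluated against AnonymousUser. Apply them to every resolver and every mutation's mutate method; there is no central place that does it for you.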
django-graphene-jwt is not on pypi yet. For installation, use:

```shell
pip install git+https://github.com/SillyFreak/django-graphene-jwt
```
Like with any Graphene application, make sure you have the following settings applied:

```python
INSTALLED_APPS = (
    # ...
    'graphene_django',
)

GRAPHENE = {
    'SCHEMA': 'app.schema.schema'  # Where your Graphene schema lives
}
```
Add a URL for the GraphQL API, and use the JWTGraphQLView class to have the JWT authentication header parsed:

```python
from django.conf.urls import url
from graphene_jwt.views import JWTGraphQLView

urlpatterns = [
    # ...
    url(r'^graphql/', JWTGraphQLView.as_view(graphiql=True)),
]
```
In your schema, make sure you inherit the graphene_jwt queries and mutations:

```python
import graphene
import graphene_jwt.schema


class Query(graphene_jwt.schema.Query, graphene.ObjectType):
    pass


class Mutation(graphene_jwt.schema.Mutation, graphene.ObjectType):
    pass


schema = graphene.Schema(query=Query, mutation=Mutation)
```
To explore the schema, go to http://localhost:8000/graphql/ and open the documentation explorer. Here is a quick overview:

```graphql
# verifies a token and returns that same token along with the user
query JWTVerify($token: String!) {
  jwtVerify(token: $token) {
    token
    user {
      id
      username
      email
      firstName
      lastName
      # ...
    }
  }
}

# authenticates a user and returns a token along with the user
mutation JWTLogin($username: String!, $password: String!) {
  jwtLogin(username: $username, password: $password) {
    token
    user {
      # ...
    }
  }
}

# refreshes a valid token and returns a new token along with the user
# (field name follows the JWTVerify -> jwtVerify / JWTLogin -> jwtLogin pattern;
# confirm it in the documentation explorer)
mutation JWTRefresh($token: String!) {
  jwtRefresh(token: $token) {
    token
    user {
      # ...
    }
  }
}
```
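The operations above are what a client drives in sequence: log in, send the token on later requests, refresh before it expires. The script below is an added example, not part of django-graphene-jwt, that does exactly that. It assumes djangorestframework-jwt's default JWT_AUTH_HEADER_PREFIX of "JWT" is in effect (so the header is Authorization: JWT <token>), that the refresh field is jwtRefresh as inferred above, and that your own schema has a hypothetical protected field named me. The transport is injected so the same code runs against a real server with urllib or against the constructed fake_server below, whose tokens and error messages are made up for the example.

```python
import json
import urllib.request

# GraphQL documents sent by the client. jwtRefresh is inferred from the naming
# pattern in the README; "me" is a hypothetical protected field in your schema.
LOGIN = ("mutation ($u: String!, $p: String!) "
         "{ jwtLogin(username: $u, password: $p) { token user { username } } }")
REFRESH = "mutation ($t: String!) { jwtRefresh(token: $t) { token } }"
ME = "query { me { username } }"


class GraphQLError(Exception):
    """Surface the GraphQL 'errors' array instead of silently returning null data."""


def http_transport(url, headers, payload):
    """Real transport: POST the JSON body to the GraphQL endpoint."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def execute(transport, url, query, variables=None, token=None):
    # Assumption: default djangorestframework-jwt header prefix "JWT".
    headers = {"Authorization": "JWT " + token} if token else {}
    body = transport(url, headers, {"query": query, "variables": variables or {}})
    if body.get("errors"):
        raise GraphQLError("; ".join(e.get("message", "?") for e in body["errors"]))
    return body["data"]


def login(transport, url, username, password):
    return execute(transport, url, LOGIN, {"u": username, "p": password})["jwtLogin"]["token"]


def refresh(transport, url, token):
    return execute(transport, url, REFRESH, {"t": token})["jwtRefresh"]["token"]


def run_flow(transport, url, username, password):
    """login -> authenticated query -> refresh; returns (username seen, new token)."""
    token = login(transport, url, username, password)
    me = execute(transport, url, ME, token=token)["me"]["username"]
    return me, refresh(transport, url, token)


# --- Constructed fake server so the flow runs offline; tokens and messages are invented ---
def fake_server(url, headers, payload):
    q, v = payload["query"], payload["variables"]
    if "jwtLogin" in q:
        if (v["u"], v["p"]) == ("alice", "correct horse"):
            return {"data": {"jwtLogin": {"token": "tok-1", "user": {"username": "alice"}}}}
        return {"errors": [{"message": "invalid credentials"}], "data": None}
    if "jwtRefresh" in q:
        if v["t"] == "tok-1":
            return {"data": {"jwtRefresh": {"token": "tok-2"}}}
        return {"errors": [{"message": "token is not refreshable"}], "data": None}
    if headers.get("Authorization") == "JWT tok-1":
        return {"data": {"me": {"username": "alice"}}}
    return {"errors": [{"message": "authentication required"}], "data": None}


def try_flow(transport, url, username, password):
    """Run the flow and return either its result or the error message."""
    try:
        return run_flow(transport, url, username, password)
    except GraphQLError as exc:
        return "error: %s" % exc


if __name__ == "__main__":
    print(try_flow(fake_server, "http://localhost:8000/graphql/", "alice", "correct horse"))
    print(try_flow(fake_server, "http://localhost:8000/graphql/", "alice", "wrong"))
```

Two things the client must get right: the GraphQL transport always answers HTTP 200, so authentication failures only show up in the errors array and have to be checked explicitly, and the token is sent on every call, not just the first, since the server keeps no session. Whether a given token is still refreshable is governed by djangorestframework-jwt's JWT_ALLOW_REFRESH and JWT_REFRESH_EXPIRATION_DELTA settings.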