I have successfully set up a django-graphene application on AWS EB, but there is an authentication problem across domains. Login works on the same domain, but when I try to log in from a cross-origin page it does not work.
I am using session-based authentication (cookies).
My django-graphql API is at a URL like this: http://foo.bar.elasticbeanstalk.com/graphql/
When I log in from Insomnia (similar to Postman), the login works fine. This is the response I get:
Date: Thu, 28 Nov 2019 06:36:39 GMT
Server: Apache/2.4.41 (Amazon) mod_wsgi/3.5 Python/3.6.8
Vary: Cookie,Origin
X-Frame-Options: SAMEORIGIN
Set-Cookie: csrftoken=1FTnBwp8b3OlVVf1NXZqZtWBoZkA1xh4ihryPtvZeTRZj3od5mHn3tDxFhgFvGl9; expires=Thu, 26 Nov 2020 06:36:39 GMT; Max-Age=31449600; Path=/; SameSite=Lax
Set-Cookie: sessionid=vv9e1o2m92ekwcaq8xhzoedf9uhues4u; expires=Thu, 12 Dec 2019 06:36:39 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax
Content-Length: 190
Content-Type: application/json
In Insomnia it works and the user is logged in.
On the frontend I use gatsby and apollo. The frontend currently runs on http://localhost:3000. This is my Apollo client:
import ApolloClient from "apollo-boost"
import { fetch } from "isomorphic-fetch"

const client = new ApolloClient({
  uri: "http://foo.bar.elasticbeanstalk.com/graphql/",
  // send and accept cookies on cross-origin requests
  credentials: "include",
  fetch,
})

export default client
When I execute the login mutation, no sessionid cookie is set. There is no csrftoken cookie either.
Login mutation response:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:3000
Connection: Keep-Alive
Content-Length: 271
Content-Type: application/json
Date: Thu, 28 Nov 2019 07:39:06 GMT
Keep-Alive: timeout=5, max=99
Server: Apache/2.4.41 (Amazon) mod_wsgi/3.5 Python/3.6.8
Set-Cookie: csrftoken=tVvu46tHoRlKgYFoj5g2ybJ6bt6OsahqmqQrCMyNjnAJYBfXO0Z7AGD16nUzM4Vn; expires=Thu, 26 Nov 2020 07:39:06 GMT; Max-Age=31449600; Path=/
Set-Cookie: sessionid=qmze273tr6srktooa7t0y2n9vfyt408h; expires=Thu, 12 Dec 2019 07:39:06 GMT; HttpOnly; Max-Age=1209600; Path=/
Vary: Cookie,Origin
X-Frame-Options: SAMEORIGIN
There is a Set-Cookie for csrftoken and sessionid in the response, but there are no cookies under Application -> Cookies -> http://localhost:3000
My django-cors-headers settings are:
# Python None makes Django omit the SameSite attribute entirely
SESSION_COOKIE_SAMESITE = None
CSRF_COOKIE_SAMESITE = None

CORS_ORIGIN_WHITELIST = [
    'http://localhost:3000',
    'http://127.0.0.1:3000',
]
CORS_ALLOW_CREDENTIALS = True
url.py:
from django.urls import path
from django.views.decorators.csrf import csrf_exempt
from graphene_django.views import GraphQLView

urlpatterns = [
    # csrf_exempt disables Django's CSRF check on this endpoint
    path('graphql/', csrf_exempt(GraphQLView.as_view(graphiql=True))),
]
How can I make the login work?
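The two Set-Cookie lines in the cross-origin response above carry neither a SameSite nor a Secure attribute and are delivered over plain http. The following audit script is an added example (not code from the question or from django-cors-headers): it parses Set-Cookie headers, decides whether the front-end origin and the API origin are cross-site, and reports whether a browser that treats cookies without SameSite as Lax (the behaviour Chrome adopted from version 80) would keep each cookie for a credentialed cross-site fetch. The sample headers are constructed copies of the ones in the post; the site-matching helper is a deliberate simplification that does not consult the public suffix list, and the accept/reject rules are a model of browser policy, not a browser implementation.

```python
"""Cookie-attribute audit for a cross-site login response (added example)."""
from urllib.parse import urlsplit

# Constructed sample input: the Set-Cookie headers from the cross-origin
# login response in the question (no SameSite, no Secure, plain http API).
SAMPLE_SET_COOKIE = [
    "csrftoken=tVvu46tHoRlKgYFoj5g2ybJ6bt6OsahqmqQrCMyNjnAJYBfXO0Z7AGD16nUzM4Vn; "
    "expires=Thu, 26 Nov 2020 07:39:06 GMT; Max-Age=31449600; Path=/",
    "sessionid=qmze273tr6srktooa7t0y2n9vfyt408h; "
    "expires=Thu, 12 Dec 2019 07:39:06 GMT; HttpOnly; Max-Age=1209600; Path=/",
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attr_lower: value_or_True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        # flag attributes (Secure, HttpOnly) have no '=' and become True
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def registrable_site(host):
    """Crude 'site' key: single-label hosts such as localhost stay as-is,
    otherwise the last two DNS labels. Simplification: this ignores the
    public suffix list, which is enough for the hosts in the question."""
    labels = host.lower().split(".")
    if len(labels) <= 2:
        return host.lower()
    return ".".join(labels[-2:])


def is_cross_site(page_url, api_url):
    """True when the page origin and the API origin belong to different sites."""
    page_host = urlsplit(page_url).hostname or ""
    api_host = urlsplit(api_url).hostname or ""
    return registrable_site(page_host) != registrable_site(api_host)


def audit_cookie(header, page_url, api_url):
    """Return (cookie_name, accepted, reason) for one Set-Cookie header.

    Model of a Lax-by-default browser: cross-site credentials are only
    kept for cookies that say SameSite=None AND Secure, which in turn
    requires the API to be served over https.
    """
    name, _value, attrs = parse_set_cookie(header)
    raw = attrs.get("samesite")
    samesite = raw.lower() if isinstance(raw, str) else "lax (default)"
    secure = attrs.get("secure", False) is True
    https = urlsplit(api_url).scheme == "https"

    if not is_cross_site(page_url, api_url):
        return name, True, "same-site request; SameSite does not restrict it"
    if samesite.startswith("lax") or samesite == "strict":
        return name, False, f"SameSite={samesite} blocks cross-site fetch credentials"
    if samesite == "none" and not secure:
        return name, False, "SameSite=None requires the Secure attribute"
    if secure and not https:
        return name, False, "Secure cookie cannot be set by a plain-http response"
    return name, True, "SameSite=None; Secure over https: usable cross-site"


def audit_response(set_cookie_headers, page_url, api_url):
    """Audit every Set-Cookie header of one response."""
    return [audit_cookie(h, page_url, api_url) for h in set_cookie_headers]


if __name__ == "__main__":
    page = "http://localhost:3000"
    api = "http://foo.bar.elasticbeanstalk.com/graphql/"
    print("cross-site:", is_cross_site(page, api))
    for name, ok, why in audit_response(SAMPLE_SET_COOKIE, page, api):
        print(f"{name:10s} {'OK' if ok else 'REJECTED':8s} {why}")
```

Run as-is, the script reports both cookies from the post as rejected for the localhost:3000 to elasticbeanstalk.com pair. Two points worth keeping in mind when reading its output: DevTools lists cookies under the host that set them (here foo.bar.elasticbeanstalk.com), never under the page origin http://localhost:3000, so an empty localhost entry by itself does not prove the cookie was dropped; and once a session cookie is made usable cross-site, the csrf_exempt on the GraphQL view in the urls above means Django no longer checks a CSRF token on that endpoint, so the check has to be re-introduced at the view or the client has to send X-CSRFToken.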