Graphene: Is there any example for integrating pyjwt?

Created on 22 Nov 2016 · 12 Comments · Source: graphql-python/graphene

Any sample code for integrating pyjwt into the framework?

question


All 12 comments

https://pypi.python.org/pypi/django-auth-anywhere/0.0.2

Might not be exactly what you want, but it'd do the trick to help with auth, you could just use DRF auth with graphene.

If you're using Flask: https://github.com/yfilali/graphql-pynamodb/tree/master/examples/flask_auth_pynamodb

Specifically schema.py:


def graphql_token_view():
    view = GraphQLView.as_view('graphql', schema=schema, graphiql=bool(app.config.get("DEBUG", False)))
    view = jwt_required()(view)
    return view


app.add_url_rule('/graphql', view_func=graphql_token_view())

@geohuz, if you are looking to protect the entire endpoint, you can just use standard request middleware to handle this, otherwise, have a look at the middleware arg that can be passed to GraphQLView.as_view

and you can then write your own AuthorizationMiddleware like so:

```python
class AuthorizationMiddleware:
    # graphene 1.x middleware signature; every field resolution passes through resolve()
    def resolve(self, next, root, args, context, info):
        # inspect context (e.g. the request or user) or root here and decide how to handle auth
        return next(root, args, context, info)
```

Since this is not a graphene specific issue, I would encourage you to ask over on StackOverflow as well and close out this issue so the maintainers can tackle bugs / improvements.

I'm confused. https://pypi.python.org/pypi/Flask-GraphQL doesn't list any "middleware" option to as_view(). I've been playing with graphql in flask for a few days now, and it still isn't obvious how to secure the endpoint, even with a simple api key, other than implementing something entirely in front of it in a proxy layer. This middleware approach sounds like it would work well, except the option doesn't appear to be documented anywhere.

Ok, I see it in the source. https://github.com/graphql-python/flask-graphql/blob/973d10f1823cd690a63995707ce669d5793e79e0/flask_graphql/graphqlview.py#L22 Thanks for the hint, and sorry to complain. I'll see if I can blog about it after I get it working.

Authentication in graphql is a bit different from usual APIs, you might want to do one of the following:

  1. Protect the whole API
  2. Protect some queries/mutations
  3. Protect some fields

For all of them you might use any authentication system, I've done it with JWT and also via session-based authentication (both with django, but it doesn't really matter).

The first one is pretty easy since you can just protect the GraphQL view.

The way I've approached the second was to check for the user in the resolve_* methods and return empty elements when the user is not logged in. This can be fine for your use case, but it will leak the types in the documentation (which might not be a bad thing, but, again, depends on the use case[1]).

I'm mostly interested in trying to tackle the third way, specifying some condition on some of the fields. So for example I can hide field_x for a particular kind of user. I haven't needed this feature so far, so I have no idea how to implement it.

So, hopefully that was a bit useful. Going back to your issue, with flask, you might be able to use a login_required decorator, like here: http://flask.pocoo.org/docs/0.12/patterns/viewdecorators/
That will protect the whole API, but you will still need to authenticate the user, I don't use flask that much (I'm working on a side project right now that needs auth and graphql, so I might have some updates soon) but I believe you can use this package: https://flask-login.readthedocs.io/en/latest/#custom-login-using-request-loader
Let me know how that goes!

[1] As far as I know github hides some fields/types that are not public, so you can't use them and you can't see them in the docs.

The fundamental lack of accessible integrated authentication and authorization mechanisms is a serious flaw. I've spent 3 days trying to get something to work, I can't deploy anything without this basic feature set working. Tomorrow I'll go back to writing REST endpoints. I'll check in with GraphQL again in another year or two. I predict that without easy security integration, GraphQL will flame out and disappear. It is a show stopper for us at least.

@rotten please have a look at this: https://medium.com/the-graphqlhub/graphql-and-authentication-b73aed34bbeb

If I find some time I'll create a demo with authentication and Flask if that could be helpful :)

@patrick91 it will be helpful if you could come up with the demo. If you wouldn't mind, probably Django as well. :)

@Musbell I didn't have the time yet, but I found this post that can be helpful :) http://danielwelch.github.io/django-graphql-token-auth.html

ok @patrick91

A package and examples for Django framework.
https://github.com/flavors/graphql-jwt
