问题
I have a graphql server implemented using graphene-django. I can make queries to it using jquery like this:
function allIngredients() {
return 'query{allProducts{edges{node{name}}}}'
}
var query = allIngredients();
$.ajaxSetup({
data: {csrfmiddlewaretoken: '{{ csrf_token }}' },
});
$.post("/graphql", {query: query}, function(response) {
console.log(response);
})
However, when I try this call with Fetch, I get a 403, because of the CORS issue. I solved the same problem in jQuery by adding ajaxSetup... before the call.
Here's the call using fetch:
fetch('/graphql', {
method: "POST",
headers: {
'Content-Type': 'application/json'
},
credentials: 'include',
body: JSON.stringify({
csrfmiddlewaretoken: '{{ csrf_token }}',
query:`{allProducts{
edges{
node{
id
name
orderPrice
sellPrice
}
}
}`})
}
)
.then(function(response) {
if (response.status >= 400) {
throw new Error("Bad response from server");
}
return response.json();
})
I tried adding csrfmiddlewaretoken to the body in the similar way as I did in jQuery example, no luck. I tried adding credentials: 'include' as the docs say, again no luck. I tried with credentials: 'same-origin' and combining this options differently, again the same result. Web is unusually quiet about this, what am I doing wrong?
回答1:
The solution was in the getCookie() method.
fetch("/graphql", {
method: "POST",
credentials: "same-origin",
headers: {
"X-CSRFToken": getCookie("csrftoken"),
"Accept": "application/json",
'Content-Type': 'application/json'
},
body:JSON.stringify(query)
})
And of course the method has to be on the same page. Taken from Django Docs.
function getCookie(name) {
var cookieValue = null;
if (document.cookie && document.cookie !== '') {
var cookies = document.cookie.split(';');
for (var i = 0; i < cookies.length; i++) {
var cookie = jQuery.trim(cookies[i]);
// Does this cookie string begin with the name we want?
if (cookie.substring(0, name.length + 1) === (name + '=')) {
cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
break;
}
}
}
return cookieValue;
}
回答2:
If you want to make that post request form a different domain (in case when the front of the application is in React or angular and the backend is in Django), make sure the add following in the settings file:
Update the INSTALLED_APPS to use 'coreHeaders' :
INSTALLED_APPS = [
'corsheaders',
]White list your front end domain by adding following to settings file again:
CORS_ORIGIN_WHITELIST = ( 'localhost:8080', )
Now allow the permission to make this post request for anyone:
Note: Should be used in the cases where you don't need to authenticate the users for posting anything on our server, say, when a new user registers for the first time.
from rest_framework.permissions import AllowAny
class CreateUser(APIView):
permission_classes = (AllowAny,)
def post(self, request, format=None):
return(Response("hi"))
来源:https://stackoverflow.com/questions/43869303/django-returns-403-error-on-post-request-with-fetch