graphql-python/gql

Managing CSRF cookies with graphene-django

Kinzowa opened this issue · 1 comments

Hello,

I'm trying to do a GraphQL mutation between 2 Django projects (different hosts). One project has the gql client and the other has the graphene and graphene-django libraries. Everything works fine when django.middleware.csrf.CsrfViewMiddleware is deactivated on the second project, but when it is enabled the server throws an error Forbidden (CSRF cookie not set.): /graphql.

At the client side, how can I fetch a CSRF token from the server and include it in the HTTP header?

This is my code

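from gql import Client, gql
from gql.transport.aiohttp import AIOHTTPTransport

transport = AIOHTTPTransport(url="http://x.x.x.x:8000/graphql")
# With fetch_schema_from_transport=True the first request is an introspection query
client = Client(transport=transport, fetch_schema_from_transport=True)

query = gql(
   """
        mutation ...
   """
)

result = client.execute(query)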

Please find the complete traceback. As you can see there is also a "Not a JSON answer" but it must be gql that doesn't recognize the answer from graphene.

Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]: Traceback (most recent call last):
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/gql/transport/aiohttp.py", line 316, in execute
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     result = await resp.json(content_type=None)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/aiohttp/client_reqrep.py", line 1119, in json
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     return loads(stripped.decode(encoding))
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/usr/lib/python3.7/json/__init__.py", line 348, in loads
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     return _default_decoder.decode(s)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/usr/lib/python3.7/json/decoder.py", line 337, in decode
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     obj, end = self.raw_decode(s, idx=_w(s, 0).end())
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/usr/lib/python3.7/json/decoder.py", line 355, in raw_decode
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     raise JSONDecodeError("Expecting value", s, err.value) from None
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]: json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]: During handling of the above exception, another exception occurred:
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]: Traceback (most recent call last):
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/gql/transport/aiohttp.py", line 304, in raise_response_error
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     resp.raise_for_status()
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/aiohttp/client_reqrep.py", line 1009, in raise_for_status
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     headers=self.headers,
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]: aiohttp.client_exceptions.ClientResponseError: 403, message='Forbidden', url=URL('http://y.y.y.y:8000/graphql')
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]: The above exception was the direct cause of the following exception:
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]: Traceback (most recent call last):
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/asgiref/sync.py", line 482, in thread_handler
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     raise exc_info[1]
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/django/core/handlers/base.py", line 233, in _get_response_async
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     response = await wrapped_callback(request, *callback_args, **callback_kwargs)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/asgiref/sync.py", line 444, in __call__
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     ret = await asyncio.wait_for(future, timeout=None)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/usr/lib/python3.7/asyncio/tasks.py", line 414, in wait_for
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     return await fut
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/asgiref/current_thread_executor.py", line 22, in run
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     result = self.fn(*self.args, **self.kwargs)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/asgiref/sync.py", line 486, in thread_handler
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     return func(*args, **kwargs)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/django/contrib/admin/options.py", line 616, in wrapper
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     return self.admin_site.admin_view(view)(*args, **kwargs)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/django/utils/decorators.py", line 130, in _wrapped_view
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     response = view_func(request, *args, **kwargs)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     response = view_func(request, *args, **kwargs)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/django/contrib/admin/sites.py", line 232, in inner
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     return view(request, *args, **kwargs)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/django/utils/decorators.py", line 43, in _wrapper
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     return bound_method(*args, **kwargs)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/django/utils/decorators.py", line 130, in _wrapped_view
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     response = view_func(request, *args, **kwargs)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/django/contrib/admin/options.py", line 1723, in changelist_view
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     response = self.response_action(request, queryset=cl.get_queryset(request))
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/django/contrib/admin/options.py", line 1408, in response_action
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     response = func(self, request, queryset)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/var/www/myapp/strategy/admin.py", line 42, in push
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     target.push()
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/aiohttp_csrf/__init__.py", line 102, in wrapped_handler
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     return handler(*args, **kwargs)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/var/www/myapp/strategy/models.py", line 125, in push
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     result = client.execute(query, variable_values=params)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/gql/client.py", line 396, in execute
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     **kwargs,
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/usr/lib/python3.7/asyncio/base_events.py", line 579, in run_until_complete
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     return future.result()
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/gql/client.py", line 284, in execute_async
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     async with self as session:
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/gql/client.py", line 658, in __aenter__
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     return await self.connect_async()
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/gql/client.py", line 638, in connect_async
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     await self.session.fetch_schema()
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/gql/client.py", line 1253, in fetch_schema
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     parse(get_introspection_query())
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/gql/transport/aiohttp.py", line 323, in execute
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     await raise_response_error(resp, "Not a JSON answer")
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/gql/transport/aiohttp.py", line 306, in raise_response_error
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     raise TransportServerError(str(e), e.status) from e
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]: gql.transport.exceptions.TransportServerError: 403, message='Forbidden', url=URL('http://y.y.y.y:8000/graphql')
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]: [error    ] request_failed                              [django_structlog.middlewares.request] code=500 request=<ASGIRequest: POST '/admin/strategy/target/'> user_id=1
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]: Internal Server Error: /admin/strategy/target/
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]: Traceback (most recent call last):
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/gql/transport/aiohttp.py", line 316, in execute
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     result = await resp.json(content_type=None)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/aiohttp/client_reqrep.py", line 1119, in json
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     return loads(stripped.decode(encoding))
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/usr/lib/python3.7/json/__init__.py", line 348, in loads
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     return _default_decoder.decode(s)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/usr/lib/python3.7/json/decoder.py", line 337, in decode
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     obj, end = self.raw_decode(s, idx=_w(s, 0).end())
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/usr/lib/python3.7/json/decoder.py", line 355, in raw_decode
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     raise JSONDecodeError("Expecting value", s, err.value) from None
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]: json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]: During handling of the above exception, another exception occurred:
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]: Traceback (most recent call last):
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/gql/transport/aiohttp.py", line 304, in raise_response_error
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     resp.raise_for_status()
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/aiohttp/client_reqrep.py", line 1009, in raise_for_status
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     headers=self.headers,
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]: aiohttp.client_exceptions.ClientResponseError: 403, message='Forbidden', url=URL('http://y.y.y.y:8000/graphql')
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]: The above exception was the direct cause of the following exception:
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]: Traceback (most recent call last):
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/asgiref/sync.py", line 482, in thread_handler
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     raise exc_info[1]
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/django/core/handlers/exception.py", line 38, in inner
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     response = await get_response(request)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/django/core/handlers/base.py", line 233, in _get_response_async
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     response = await wrapped_callback(request, *callback_args, **callback_kwargs)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/asgiref/sync.py", line 444, in __call__
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     ret = await asyncio.wait_for(future, timeout=None)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/usr/lib/python3.7/asyncio/tasks.py", line 414, in wait_for
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     return await fut
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/asgiref/current_thread_executor.py", line 22, in run
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     result = self.fn(*self.args, **self.kwargs)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/asgiref/sync.py", line 486, in thread_handler
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     return func(*args, **kwargs)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/django/contrib/admin/options.py", line 616, in wrapper
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     return self.admin_site.admin_view(view)(*args, **kwargs)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/django/utils/decorators.py", line 130, in _wrapped_view
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     response = view_func(request, *args, **kwargs)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     response = view_func(request, *args, **kwargs)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/django/contrib/admin/sites.py", line 232, in inner
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     return view(request, *args, **kwargs)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/django/utils/decorators.py", line 43, in _wrapper
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     return bound_method(*args, **kwargs)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/django/utils/decorators.py", line 130, in _wrapped_view
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     response = view_func(request, *args, **kwargs)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/django/contrib/admin/options.py", line 1723, in changelist_view
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     response = self.response_action(request, queryset=cl.get_queryset(request))
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/django/contrib/admin/options.py", line 1408, in response_action
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     response = func(self, request, queryset)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/var/www/myapp/strategy/admin.py", line 42, in push
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     target.push()
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/aiohttp_csrf/__init__.py", line 102, in wrapped_handler
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     return handler(*args, **kwargs)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/var/www/myapp/strategy/models.py", line 125, in push
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     result = client.execute(query, variable_values=params)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/gql/client.py", line 396, in execute
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     **kwargs,
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/usr/lib/python3.7/asyncio/base_events.py", line 579, in run_until_complete
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     return future.result()
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/gql/client.py", line 284, in execute_async
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     async with self as session:
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/gql/client.py", line 658, in __aenter__
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     return await self.connect_async()
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/gql/client.py", line 638, in connect_async
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     await self.session.fetch_schema()
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/gql/client.py", line 1253, in fetch_schema
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     parse(get_introspection_query())
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/gql/transport/aiohttp.py", line 323, in execute
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     await raise_response_error(resp, "Not a JSON answer")
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:   File "/home/username/.local/lib/python3.7/site-packages/gql/transport/aiohttp.py", line 306, in raise_response_error
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]:     raise TransportServerError(str(e), e.status) from e
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]: gql.transport.exceptions.TransportServerError: 403, message='Forbidden', url=URL('http://y.y.y.y:8000/graphql')
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]: Internal Server Error: /admin/strategy/target/ exc_info=(<class 'gql.transport.exceptions.TransportServerError'>, TransportServerError("403, message='Forbidden', url=URL('http://y.y.y.y:8000/graphql')"), <traceback object at 0x7f5d70ac8910>)
Jul 16 08:00:59 ubuntu-2cpu-4gb-de-fra1 uvicorn[129750]: INFO:     x.x.x.x:21866 - "POST /admin/strategy/target/ HTTP/1.1" 500 Internal Server Error

Getting the cookie value

According to the Django CSRF docs, the CSRF cookie could be sent from the backend (depending on the config):

  • in a csrftoken response cookie (CSRF_COOKIE_NAME parameter)
  • in an HTML response

I don't know how your backend is configured. If the cookie is sent in an HTML response, then you need to first make an aiohttp request and parse the HTML to get the cookie value.

If the cookie is sent in a response cookie, and supposing that this cookie is sent in response to a GraphQL mutation, then you could get the cookie value by setting a cookie_jar like this:

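import aiohttp
from yarl import URL
from gql import Client, gql
from gql.transport.aiohttp import AIOHTTPTransport

# The default CookieJar ignores cookies set by bare-IP hosts; use CookieJar(unsafe=True) for those
jar = aiohttp.CookieJar()
transport = AIOHTTPTransport(url="YOUR_URL", client_session_args={'cookie_jar': jar})
client = Client(transport=transport)

your_query_which_get_the_crsf_cookie = gql(
   """
        mutation ...
   """
)

result = client.execute(your_query_which_get_the_crsf_cookie)
# filter_cookies expects a yarl.URL; passing a plain string is deprecated
response_cookies = jar.filter_cookies(URL("YOUR_URL"))
# Django's default CSRF_COOKIE_NAME is "csrftoken"
crsf_cookie_value = response_cookies["csrftoken"].value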

Note: don't set fetch_schema_from_transport=True or the first request to the backend will be an introspection query and not your mutation request.

Setting the cookie

According to the docs above, the CSRF cookie value should be sent as a header named X-CSRFToken. So once you have the cookie value, you can set it in your subsequent requests as a header like this:

transport.headers = {"X-CSRFToken": crsf_cookie_value}
result = client.execute(your_query_which_need_a_crsf_cookie)
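
The exchange the answer describes, as an added example that is not part of the thread or of gql: an in-process WSGI stand-in for the CSRF-protected endpoint (a plain double-submit comparison, not Django's middleware, and assumed here to set `csrftoken` on every safe request) and a client that reads the cookie and replays it. It shows that the `X-CSRFToken` header is accepted only when the cookie travels with it; `csrf_app`, `request`, `fetch_token` and `run_demo` are hypothetical names.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from wsgiref.util import setup_testing_defaults


def csrf_app(environ, start_response):
    """Simplified stand-in for the CSRF-protected /graphql view (not Django's code)."""
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    cookie_token = cookies["csrftoken"].value if "csrftoken" in cookies else None
    if environ["REQUEST_METHOD"] in ("GET", "HEAD", "OPTIONS", "TRACE"):
        # Safe methods are not checked; the response hands out the token cookie.
        token = cookie_token or secrets.token_urlsafe(32)
        start_response("200 OK", [("Set-Cookie", f"csrftoken={token}; Path=/")])
        return [b"{}"]
    header_token = environ.get("HTTP_X_CSRFTOKEN", "")
    if cookie_token is None:
        reason = "CSRF cookie not set."  # the error quoted in the issue
    elif not hmac.compare_digest(cookie_token.encode(), header_token.encode()):
        reason = "CSRF token missing or incorrect."  # constructed wording
    else:
        start_response("200 OK", [("Content-Type", "application/json")])
        return [b'{"data": {"ok": true}}']
    start_response("403 Forbidden", [("Content-Type", "text/html")])
    return [f"<h1>Forbidden</h1><p>{reason}</p>".encode()]


def request(method, headers=None):
    """Call the app in-process; return (status code, response headers, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/graphql"}
    setup_testing_defaults(environ)  # fills in the remaining WSGI keys
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = int(status.split()[0])
        captured["headers"] = dict(response_headers)

    body = b"".join(csrf_app(environ, start_response)).decode()
    return captured["status"], captured["headers"], body


def fetch_token():
    """Step 1: a safe request; read the token from the Set-Cookie header."""
    _, headers, _ = request("GET")
    return SimpleCookie(headers["Set-Cookie"])["csrftoken"].value


def run_demo():
    """Step 2: replay the token in four ways and collect the status codes."""
    token = fetch_token()
    cookie = {"Cookie": f"csrftoken={token}"}
    header = {"X-CSRFToken": token}
    return {
        "neither": request("POST")[0],
        "header only": request("POST", header)[0],
        "cookie only": request("POST", cookie)[0],
        "cookie and header": request("POST", {**cookie, **header})[0],
    }


if __name__ == "__main__":
    for case, status in run_demo().items():
        print(f"{case}: {status}")
```

With gql, the cookie half of the pair is what the shared `cookie_jar` supplies on the follow-up request, so the same jar has to stay attached to the transport that sends the `X-CSRFToken` header.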