File: 0.243.0.md

package info (click to toggle)
strawberry-graphql 0.306.0-1
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 18,176 kB
  • sloc: javascript: 178,052; python: 65,643; sh: 33; makefile: 25
file content (53 lines) | stat: -rw-r--r-- 2,110 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
 
---
title: 0.243.0 Breaking Changes
slug: breaking-changes/0.243.0
---

# v0.243.0 Breaking Changes

Release v0.243.0 comes with two breaking changes regarding multipart file
uploads and Django CSRF protection.

## Multipart uploads disabled by default

Previously, support for uploads via the
[GraphQL multipart request specification](https://github.com/jaydenseric/graphql-multipart-request-spec)
was enabled by default. This implicitly required Strawberry users to consider
the
[security implications outlined in the GraphQL Multipart Request Specification](https://github.com/jaydenseric/graphql-multipart-request-spec/blob/master/readme.md#security).
Given that most Strawberry users were likely not aware of this, we're making
multipart file upload support stictly opt-in via a new
`multipart_uploads_enabled` view settings.

To enable multipart upload support for your Strawberry view integration, please
follow the updated integration guides and enable appropriate security
measurements for your server.

## Django CSRF protection enabled

Previously, the Strawberry Django view integration was internally exempted from
Django's built-in CSRF protection (i.e, the `CsrfViewMiddleware` middleware).
While this is how many GraphQL APIs operate, implicitly addded exemptions can
lead to security vulnerabilities. Instead, we delegate the decision of adding an
CSRF exemption to users now.

Note that having the CSRF protection enabled on your Strawberry Django view
potentially requires all your clients to send an CSRF token with every request.
You can learn more about this in the official Django
[Cross Site Request Forgery protection documentation](https://docs.djangoproject.com/en/dev/ref/csrf/).

To restore the behaviour of the integration before this release, you can add the
`csrf_exempt` decorator provided by Django yourself:

```python
from django.urls import path
from django.views.decorators.csrf import csrf_exempt

from strawberry.django.views import GraphQLView

from api.schema import schema

urlpatterns = [
    path("graphql/", csrf_exempt(GraphQLView.as_view(schema=schema))),
]
```