
Update authentication to include JWT-cookie #930

Open
Diggitysc opened this issue Mar 19, 2019 · 3 comments

Comments

@Diggitysc

Diggitysc commented Mar 19, 2019

Related to #550

JWT in local storage is not secure. I recommend updating the authentication page here: https://www.howtographql.com/graphql-python/4-authentication/ Discussed in more depth here, graphql-python/graphene-django#593 (comment)

The relevant points: adding the library https://github.com/flavors/django-graphql-jwt and the code:

from django.urls import path
from graphene_django.views import GraphQLView
from graphql_jwt.decorators import jwt_cookie

urlpatterns = [
    # jwt_cookie stores the JWT in a cookie named "JWT" and reads it back
    # from that cookie on later requests, instead of an Authorization header
    path('graphql/', jwt_cookie(GraphQLView.as_view(graphiql=True))),
]

This creates a JWT token in a cookie named "JWT" allowing the browser to act as a go-between for secure authentication between js client/backend.

django-graphql-jwt then has decorators to provide security:
https://django-graphql-jwt.domake.io/en/stable/decorators.html

In this way, a javascript front end can securely access backend data without exposure to XSS (CORS/CSRF settings required).

@jonatasbaldin

Hey there!

Thanks so much for this PR :D

I'm a bit busy lately to make big changes to the tutorial, would you mind helping us out with a PR?

Thanks!

@Diggitysc

Hey jonatasbaldin

After further discussion with some other parties, the solution discussed above would only protect any data you are storing in the cookie itself (in this case JWT). Malicious users with access to XSS are still able to execute as the valid user's browser, meaning the only real prevention is to not have an XSS vulnerability from the get go.

Once I am done with a few things on my end in a month or two I will cycle back and help in any way I am able though.

Thank you for your site, it is very helpful

@jonatasbaldin

Thanks for your help and feedback, I appreciate it :)
