csrf_exempt the api.

src/bornhack/urls.py

@@ -1,6 +1,7 @@
 from django.urls import include, path
 from django.contrib import admin
 from django.conf import settings
+from django.views.decorators.csrf import csrf_exempt
 
 from allauth.account.views import (
     LoginView,
@@ -66,7 +67,9 @@ urlpatterns = [
     ),
     path('accounts/', include('allauth.urls')),
     path('admin/', admin.site.urls),
-    path('api/', GraphQLView.as_view(graphiql=True)),
+
+    # We don't need CSRF checks for the API
+    path('api/', csrf_exempt(GraphQLView.as_view(graphiql=True))),
 
     path(
         'camps/',