No permissions with auth token
sistemas-y-redes opened this issue · comments
So, I have these 2 plugins installed in my Wordpress site
First, I do this query with my username and password to get my authToken, and it works well, I get my token.
Next, I add that token to the authorization header with "Bearer ".
And now I try to do a query to get a list of customers, as an example, and it gives me an empty array, same thing happens with orders.
If I try to list a single customer, I get an error saying I am not authorized, even though I am an admin.
Also, it is not like the server doesn't get the Authorization header, because if I change the Bearer to a wrong token (like changing a letter), it gives me a token error, which makes sense.
Any idea why this happens?
I am facing same issue. Like when I use token for admin user and then run:
query userQuery {
user(id: "xxx") {
firstName
id
jwtAuthToken
jwtAuthExpiration
jwtRefreshToken
jwtUserSecret
isJwtAuthSecretRevoked
}
}My errors has this:
{
"errors": [
{
"message": "Only the user requesting a token can get a token issued for them",
"extensions": {
"category": "user"
},
"locations": [
{
"line": 5,
"column": 5
}
],
"path": [
"user",
"jwtAuthToken"
]
},
{
"message": "Only the user requesting a token can get a token issued for them",
"extensions": {
"category": "user"
},
"locations": [
{
"line": 7,
"column": 5
}
],
"path": [
"user",
"jwtRefreshToken"
]
}
]
}EDIT:
I got token off graphiql and ran user query from postman so the error popped up. Then I performed LoginUser mutation on postman, got the right token and used it in user query. Resolved the error but I get null
{
"data": {
"user": null
}
}
The token value in X-JWT-Auth is different than the Bearer token used with request.
hi @sistemas-y-redes @kpratik2015 did you have any luck with this issue? I am seeing the exact same issue.
hi @sistemas-y-redes @kpratik2015 did you have any luck with this issue? I am seeing the exact same issue.
Hi buddy, turns out my issue was caused by Jetpack plugin. A little more detail in this issue -> wp-graphql/wp-graphql#1487
Thanks for the reply @kpratik2015
I added WPGraphQL CORS but no luck. My WP installation is a basic one no extra plugins as Jetpack or Advanced Custom Fields, or Custom Post Type UI
My installed plugins are
- GraphQL API for WordPress. Version
0.13.1updated to latest 0.13.3 - WPGraphQL request CORS Headers. Version 1.1.0 (I recently added based on your issue)
- JWT Authentication for WPGraphQL. Version 0.4.1
I tested like this. Using the login mutation, this works as expected and it returned the authToken
mutation LoginUser {
login( input: {
clientMutationId: "login",
username: "admin",
password: "not-my-real-pass"
} ) {
authToken
user {
id
name
}
}
}
Then I used that authToken and execute this:
{
user(id: "not-my-user-id") {
username
}
users {
nodes {
username
}
}
}
And I got a HTTP/1.1 403 Forbidden. Raw log here:
POST /graphql HTTP/1.1
Authorization: Bearer not-my-atuh-token
Content-Type: application/json
User-Agent: PostmanRuntime/7.26.5
Accept: */*
Cache-Control: no-cache
Postman-Token: dcee0c25-e19f-40e7-bbef-2daad443a252
Host: not-my-host-server
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 118
{"query":"{\n user(id: \"not-my-user-id\") {\n username\n }\n users {\n nodes {\n username\n }\n }\n}\n"}
HTTP/1.1 403 Forbidden
Connection: keep-alive
Content-Length: 160
Access-Control-Allow-Headers: Authorization, Content-Type, X-JWT-Auth, X-JWT-Refresh
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-JWT-Refresh
Access-Control-Max-Age: 600
Content-Encoding: gzip
Content-Type: application/json; charset=UTF-8
Server: nginx
Strict-Transport-Security: max-age=300
X-Content-Type-Options: nosniff
X-Hacker: If you're reading this, you should visit github.com/wp-graphql and contribute!
Date: Sun, 11 Oct 2020 19:55:34 GMT
X-Served-By: cache-mdw17363-MDW, cache-lax10637-LGB
X-Cache: MISS, MISS
X-Cache-Hits: 0, 0
X-Timer: S1602446134.675926,VS0,VE420
Vary: Accept-Encoding
X-Robots-Tag: noindex
Age: 0
Accept-Ranges: bytes
Via: 1.1 varnish
{"errors":[{"message":"Internal server error","extensions":{"category":"internal"},"locations":[{"line":2,"column":4}],"path":["user"]},{"message":"Internal server error","extensions":{"category":"internal"},"locations":[{"line":5,"column":3}],"path":["users"]}],"data":{"user":null,"users":null}}
I tested like this. Using the login mutation, this works as expected and it returned the authToken
mutation LoginUser { login( input: { clientMutationId: "login", username: "admin", password: "not-my-real-pass" } ) { authToken user { id name } } }
Then I used that authToken and execute this:
{ user(id: "not-my-user-id") { username } users { nodes { username } } }
And I got a HTTP/1.1 403 Forbidden. Raw log here:
POST /graphql HTTP/1.1 Authorization: Bearer not-my-atuh-token Content-Type: application/json User-Agent: PostmanRuntime/7.26.5 Accept: */* Cache-Control: no-cache Postman-Token: dcee0c25-e19f-40e7-bbef-2daad443a252 Host: not-my-host-server Accept-Encoding: gzip, deflate, br Connection: keep-alive Content-Length: 118 {"query":"{\n user(id: \"not-my-user-id\") {\n username\n }\n users {\n nodes {\n username\n }\n }\n}\n"} HTTP/1.1 403 Forbidden Connection: keep-alive Content-Length: 160 Access-Control-Allow-Headers: Authorization, Content-Type, X-JWT-Auth, X-JWT-Refresh Access-Control-Allow-Origin: * Access-Control-Expose-Headers: X-JWT-Refresh Access-Control-Max-Age: 600 Content-Encoding: gzip Content-Type: application/json; charset=UTF-8 Server: nginx Strict-Transport-Security: max-age=300 X-Content-Type-Options: nosniff X-Hacker: If you're reading this, you should visit github.com/wp-graphql and contribute! Date: Sun, 11 Oct 2020 19:55:34 GMT X-Served-By: cache-mdw17363-MDW, cache-lax10637-LGB X-Cache: MISS, MISS X-Cache-Hits: 0, 0 X-Timer: S1602446134.675926,VS0,VE420 Vary: Accept-Encoding X-Robots-Tag: noindex Age: 0 Accept-Ranges: bytes Via: 1.1 varnish {"errors":[{"message":"Internal server error","extensions":{"category":"internal"},"locations":[{"line":2,"column":4}],"path":["user"]},{"message":"Internal server error","extensions":{"category":"internal"},"locations":[{"line":5,"column":3}],"path":["users"]}],"data":{"user":null,"users":null}}
Doesn't seems like the server is getting the Authorization header. Otherwise it would put X-JWT-Auth and X-JWT-Refresh in response. That's my best guess.
Hi!
We solved our issue changing the auth method. Now we use Basic Auth for our app. There's a plugin called JSON Basic Authentication that gets the job done.
We are using Axios for POST request, here's an example code:
return axios
.post(pageurl + "/graphql", {
query: `
query {
orders (first:20) {
pageInfo{
startCursor
endCursor
hasNextPage
hasPreviousPage
}
nodes {
id
orderId
needsPayment
status
total
}
}
}
`
}, { auth: {username: 'username', password: 'password'} })
@sistemas-y-redes how do you make such query with client (e.g altair)
I'm also getting 403 status returned when making GraphQL Requests with a JWT Token, however, the Create/Delete Mutations are still working!
And the Token works too because if I remove it, or send some other random string, the Mutations don't work.
I'm also getting
403status returned when making GraphQL Requests with a JWT Token, however, the Create/Delete Mutations are still working!And the Token works too because if I remove it, or send some other random string, the Mutations don't work.
try to put your define GRAPHQL_JWT_AUTH_SECRET_KEY before line require_once ABSPATH . 'wp-settings.php'; in wp-config.php file
So, I have these 2 plugins installed in my Wordpress site
First, I do this query with my username and password to get my authToken, and it works well, I get my token.
Next, I add that token to the authorization header with "Bearer ".
And now I try to do a query to get a list of customers, as an example, and it gives me an empty array, same thing happens with orders.
If I try to list a single customer, I get an error saying I am not authorized, even though I am an admin.
Also, it is not like the server doesn't get the Authorization header, because if I change the Bearer to a wrong token (like changing a letter), it gives me a token error, which makes sense.
Any idea why this happens?
try to put your define GRAPHQL_JWT_AUTH_SECRET_KEY before line require_once ABSPATH . 'wp-settings.php'; in wp-config.php file
Is there any updates to this issue? I have tried manually doing the calls with postman and I always get viewer:null.
Additional information:
Every other plugin is deactivated. Doing
query { viewer { email firstName lastName } }
In the GraphQL it is successful. Bearer token is included in the request.
I'm having the same issue :(
Did anyone solve this? How should tokens be passed? Which header?