Closed MalinOsc closed 1 year ago
Hey @MalinOsc
We'll merge the updated project soon, which will describe a new requirement to add a login page - allowing you to obtain a token.
You can see it here ahead of time however: https://github.com/01-edu/public/blob/db453991451a3e7ed8f8062f86174adc6e0321d6/subjects/graphql/README.md
hi still problems with CORS policy. do we really need to make headers to go around this. sounds like bad solution for students. https://imgur.com/a/OFin2EW
Hey @mathisen99 Don't hesitate to reopen an issue, as we don't normally monitor comments on closed issues.
We'll look at that now.
Hey @mathisen99. Normally I don't like to give too many clues 😅. But for this, I'd like to make sure things are working as expected.
Your URL has a double forward-slash. May I ask if that is a typo by you, or did you copy that explicitly from the subject?
I'm just asking because we have a ((DOMAIN)) variable, which is replaced with your school's domain. But I cannot see how it renders in your context.
sorry for typo but it is same with correct url.
@davhojt mathisen99 has already updated a new picture with a correct URL in his last comment.
@mathisen99 May I ask if you have an Access-Control-Allow-Origin header in the response? And if so, what its value is?
@davhojt I used "*" as a value for "Access-Control-Allow-Origin" in the header, and I got an error as in the attached picture.
@danglam88 May I ask, are you on your school's network? I.e. inside the campus?
@davhojt Yes, I'm currently inside the campus.
@danglam88 If you make a request to https://content.01-edu.org/api/auth/signin instead of https://01.gritlab.ax/api/auth/signin, do you still get a CORS error?
I'm just trying to establish where the issue lies.
@davhojt I changed the URL as you suggested, and still kept "Access-Control-Allow-Origin" value as "*", then here is the error that I got.
Hi @davhojt, has this issue been fixed? We hope we can start the project today.
@lvisgrit @danglam88 @mathisen99
We're looking into that now. It is likely the preflight OPTIONS call by the browser that causes the issue. I.e. the POST request is not sent by the browser. We're working hard on a solution, and will contact you back shortly.
@davhojt yes, it works fine with golang to get the token like this.
```go
package main

import (
	"bytes"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/http"
)

// LoginCredentials holds the username and password sent to the sign-in endpoint.
type LoginCredentials struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

// encodeCredentials builds the base64 "username:password" value used by HTTP Basic auth.
func encodeCredentials(credentials LoginCredentials) string {
	credStr := fmt.Sprintf("%s:%s", credentials.Username, credentials.Password)
	return base64.StdEncoding.EncodeToString([]byte(credStr))
}

// signin POSTs to the sign-in endpoint with a Basic Authorization header and returns the response body (the token).
func signin(credentials LoginCredentials) (string, error) {
	client := &http.Client{}
	data := bytes.NewBuffer([]byte{}) // empty request body
	req, err := http.NewRequest("POST", "https://01.gritlab.ax/api/auth/signin", data)
	if err != nil {
		return "", err
	}
	encodedCredentials := encodeCredentials(credentials)
	req.Header.Set("Authorization", "Basic "+encodedCredentials)
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	// Any non-200 status is returned as an error carrying the response body.
	if resp.StatusCode != http.StatusOK {
		body, _ := io.ReadAll(resp.Body)
		return "", errors.New(string(body))
	}
	token, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	fmt.Println("Token:", string(token))
	return string(token), nil
}

func main() {
	// Replace with your credentials
	credentials := LoginCredentials{
		Username: "YOUR_USERNAME",
		Password: "YOUR_PASSWORD",
	}
	jwt, err := signin(credentials)
	if err != nil {
		fmt.Println("Error logging in:", err)
		return
	}
	fmt.Println("JWT obtained:", jwt)
}
```
Hello, I'm a student at zone01normandie in France. We have the same CORS issue due to the "options" request made by the browser. I saw that the server has to support that request and send an http.statusok response. Waiting for your response, as many of us are blocked by that problem. P.S.: with Postman desktop, my POST request had the token
@davhojt We’ve managed to make our code work with the current setup. Hence, please don’t fix anything more from now on. We don’t want to start our projects from scratch again after your fixes. You can leave everything as it is right now, please! Thanks very much for your time and effort on this. We really appreciate it!
hello, how did you make your code work? is it using javascript? can you share the solution please?
@MalekLahbib Yes, my code is still mostly in JavaScript, except for the token part which has been done in Go exactly as in the comment of mathisen99 above. After having the token, I set the browser cookie value to the token value and continue with the graphql queries normally using JavaScript. Note that you must set the following header whenever you make a fetch to the graphql API endpoint: "Authorization": `Bearer ${token}` with ${token} as the token value.
@danglam88 how are you gonna deploy it as it's asked? do you have an easy solution for go files?
@MalekLahbib It's not possible to deploy it anymore with our current school network setup. Recently they've decided to block all traffic from the external network and we can only access the graphql database within the school internal network. I still don't know what would be their solution for this...
@davhojt is the site https://zone01normandie.org/ for example using the same api for authentication and JWToken as us?
Browsers make a "preflight" request with an OPTIONS HTTP method, before the actual desired call (POST, GET...) is made. Reason: https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS.
The headers which relate to CORS were handled in the desired call, but not in the OPTIONS call. We've fixed that, and are testing it now ahead of releasing the fix.
The CORS error related to OPTIONS HTTP requests has been resolved.
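The behaviour described in the comments above (CORS headers present on the real call but missing on the OPTIONS preflight, and the fix of answering that preflight), as an added Go example that is not part of the original thread and is not the platform's own code. The handler names, the origin `https://student.example` and the placeholder token are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowed is a constructed front-end origin (assumption); use the origin that serves your page.
const allowed = "https://student.example"

// signin models the state described above: CORS header on the POST response only.
func signin(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	w.Header().Set("Access-Control-Allow-Origin", allowed)
	fmt.Fprint(w, "PLACEHOLDER_TOKEN")
}

// withPreflight answers the browser's OPTIONS probe and passes everything else through.
func withPreflight(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodOptions || r.Header.Get("Access-Control-Request-Method") == "" {
			next.ServeHTTP(w, r)
			return
		}
		w.Header().Set("Access-Control-Allow-Origin", allowed)
		w.Header().Set("Access-Control-Allow-Methods", "POST")
		w.Header().Set("Access-Control-Allow-Headers", "Authorization") // "*" would not cover Authorization
		w.WriteHeader(http.StatusNoContent)
	})
}

// preflight replays the OPTIONS probe a browser sends before a POST with an Authorization header.
func preflight(h http.Handler) (int, string) {
	req := httptest.NewRequest(http.MethodOptions, "/api/auth/signin", nil)
	req.Header.Set("Origin", allowed)
	req.Header.Set("Access-Control-Request-Method", "POST")
	req.Header.Set("Access-Control-Request-Headers", "authorization")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Headers")
}

func main() {
	fmt.Println(preflight(http.HandlerFunc(signin)))                // before: 405 and no Allow-Headers
	fmt.Println(preflight(withPreflight(http.HandlerFunc(signin)))) // after: 204 Authorization
}
```

Non-browser clients such as the Go program or Postman mentioned earlier never send the preflight, which is why they obtained a token while the browser could not.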
IMPORTANT!!! graphql
Hello! Issue from GritLab: currently we are all blocked from using the graphql API from external programs. It only works from the graphiql client, as it already has the access token in use, and we don't have that. If we, for example, just run a curl command, it won't work.