jamesedmonston / graphql-authentication

GraphQL authentication for your headless Craft CMS applications.

JWT Defaulting to the Wrong (Public) Schema? #155

Open jacobgraf opened 1 month ago

jacobgraf commented 1 month ago

I use multiple schemas. I've specified what schema to use in the "Multiple Schemas" section of the plugin settings.

I was getting a "Missing Authorization Header" and finally found out that was due to having my Public Schema disabled, so I enabled that and then I was able to run an authenticate mutation and get a JWT back. I then used that authorization token as follows per the docs.

Authorization: JWT ${token} using the jwt value returned from the authenticate mutation response.

In the Craft CP, I see the refresh token entry created, and it's showing the correct schema for that token.

When I try to query for section entries that are enabled in that schema, it says "Schema doesn’t have access to the “My Site” site." which is my default site. When I run the same in GraphiQL with the "Public" schema selected, I get the same error.

So, it seems to be defaulting to the public schema, and not actually using the one defined in your plugin settings.

Any idea where to go from here? I'm pulling my hair out. 😁

jacobgraf commented 1 month ago

@jamesedmonston

After further testing and troubleshooting, I’ve encountered some unexpected behavior related to the Public Schema. Specifically, if the Public Schema is disabled, or enabled without any permissions, things don’t seem to work as intended. When I enable “Query for elements in the primary site,” everything functions correctly. However, if that permission isn’t granted, I get an error indicating the Schema doesn’t have access to the Primary Site, even though the JWT I’m using is linked to a schema that isn’t the primary site.

Is there a technical reason for this behavior, or perhaps some documentation that outlines what must be enabled in the Public Schema to ensure the plugin functions correctly?

After enabling primary site querying in the Public Schema, everything worked as expected. Using the Viewer query, I verified that the JWT authenticated the correct user. I also tested toggling permissions for the specific section entries I’m working with in the appropriate schema, and observed the expected changes in permissions in my test queries. This seems to indicate that the JWT is correctly hitting the intended user and the schema referenced matches the plugin settings.

Do you have any insights into why this might be happening?
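The sequence described in the two comments above (authenticate, confirm the user with the viewer query, then probe a query that depends on the token's schema), as an added example that is not code from the plugin or from the issue author. The endpoint transport is injected so it runs offline against the constructed fake at the bottom; a real transport would wrap `fetch` and return the parsed JSON body. The `authenticate`/`viewer`/`entries` field names, the `"news"` section handle and the `JWT <token>` header format are assumptions taken from the thread, and the error strings the fake returns are the ones quoted in it.

```javascript
// Added example, not the plugin's own code. Field names, the section handle and the
// header format are assumptions based on the issue thread; the fake transport below
// is constructed to reproduce the responses the reporters describe.

const AUTHENTICATE = `mutation ($email: String!, $password: String!) {
  authenticate(email: $email, password: $password) { jwt }
}`;
const VIEWER = `{ viewer { email } }`;
const ENTRIES = `{ entries(section: "news") { title } }`; // assumed section handle

// Header format from the docs quoted in the thread: "Authorization: JWT <token>".
function authHeader(token) {
  if (typeof token !== "string" || token.length === 0) {
    throw new Error("authenticate mutation returned no jwt");
  }
  return { Authorization: `JWT ${token}` };
}

// Separate "no token reached the server" from "token accepted, but the request was
// resolved against a schema without access to the site" so the failing step is clear.
function classifyErrors(body) {
  const messages = (body.errors || []).map((e) => e.message || "");
  if (messages.some((m) => /missing authorization header/i.test(m))) return "missing-auth-header";
  if (messages.some((m) => /schema doesn.t have access to/i.test(m))) return "schema-site-access";
  return messages.length > 0 ? "other-error" : "ok";
}

// transport({ headers, body }) -> parsed JSON response body
function graphql(transport, query, variables = {}, headers = {}) {
  return transport({
    headers: { "Content-Type": "application/json", ...headers },
    body: JSON.stringify({ query, variables }),
  });
}

// Runs the thread's sequence and reports which step failed and how.
function authenticateAndProbe(transport, email, password) {
  const auth = graphql(transport, AUTHENTICATE, { email, password });
  let state = classifyErrors(auth);
  if (state !== "ok") return { step: "authenticate", state };

  const headers = authHeader(auth.data.authenticate.jwt);
  const viewer = graphql(transport, VIEWER, {}, headers);
  state = classifyErrors(viewer);
  if (state !== "ok") return { step: "viewer", state };
  if (viewer.data.viewer.email !== email) return { step: "viewer", state: "wrong-user" };

  const entries = graphql(transport, ENTRIES, {}, headers);
  state = classifyErrors(entries);
  return { step: "entries", state };
}

// Constructed fake transport: with the public schema disabled every request is
// rejected with the header error; with it enabled but lacking the primary-site
// permission, the viewer query succeeds while the entries query is refused.
function fakeServer({ publicSchemaEnabled, publicCanQueryPrimarySite }) {
  return ({ headers, body }) => {
    const { query } = JSON.parse(body);
    if (!publicSchemaEnabled) return { errors: [{ message: "Missing Authorization Header" }] };
    if (query.includes("authenticate(")) return { data: { authenticate: { jwt: "constructed.jwt.token" } } };
    if (!/^JWT \S+$/.test(headers.Authorization || "")) return { errors: [{ message: "Missing Authorization Header" }] };
    if (query.includes("viewer")) return { data: { viewer: { email: "editor@example.test" } } };
    if (!publicCanQueryPrimarySite) return { errors: [{ message: "Schema doesn’t have access to the “My Site” site." }] };
    return { data: { entries: [{ title: "constructed entry" }] } };
  };
}

// Example run against the constructed fake (no public-schema site permission):
// authenticateAndProbe(fakeServer({ publicSchemaEnabled: true, publicCanQueryPrimarySite: false }),
//   "editor@example.test", "pw") -> { step: "entries", state: "schema-site-access" }
```

The useful property for debugging is the `step` in the result: a `viewer` success followed by an `entries` failure with `schema-site-access` is the pattern both reporters saw, and it points at which schema the request was resolved against rather than at the token itself.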

jpcarpenter commented 1 month ago

Which version are you on? I'm on v3.0.0-RC3, and also hit up against this error:

I was getting a "Missing Authorization Header" and finally found out that was due to having my Public Schema disabled

I think the only difference between your setup and mine is that I'm querying against a private schema instead of the public schema, but in order to get anything working while querying the private schema, I had to have the public schema enabled, with the "Query for elements in the “My Website” site" checked ON.