markhuot / craftql

A drop-in GraphQL server for Craft CMS

not authorized issue #323

Open aquafun20 opened 5 years ago

aquafun20 commented 5 years ago

I'm trying to use Craft as a headless CMS system but I fail. I use 2 different domains. At the moment, I have myurl.test where my craft installation is placed. My second domain is http://localhost:8080/ where I created a vue project and want to get my data from craft.

I set up my CraftQL.php on myurl.test:

    <?php
    return [
        'allowedOrigins' => [ '*' ]
    ];

If I try on http://localhost:8080/:

    const url = 'http://myurl.test/admin/actions/craftql/api';
    const test = await axios.post(
        url,
        {
            headers: { 'X-Requested-With': 'XMLHttpRequest', 'Content-type': 'application/json' },
            query: '{helloWorld}'
        });
    console.log(test)

The response is {"errors":[{"message":"Not authorized"}]}

Of course I tried it with an authorized header and different queries too but that is the simplest one.

My second try was:

    const url = 'http://aquafun.test/admin/actions/craftql/api';
    const token = 'abcde';
    const query = '{helloWorld}';

    const axiosCraftQL = axios.create({
        baseURL: url,
        headers: {
            'Authorization': `bearer ${token}`,
            'Content-type': 'application/json'
        }
    });

    axiosCraftQL
        .get('', { query: query });

The response is: {"errors":[{"message":"Syntax Error: Unexpected <EOF>","category":"graphql","locations":[{"line":1,"column":1}]}]}

If I try the create method without a token I get the same response as in my first try. I tried uppercase bearer already.

narration-sd commented 5 years ago

Your second try looks by inspection almost right -- you're getting a return that seems to indicate your header auth is correct, and that your allowedOrigins is working.

The response is talking about the query: GraphQL can't parse what it receives. In fact it's receiving basically nothing.

It's late, so just looked at a cheat sheet for axios, which could suggest that your second argument to the get isn't well-formed. It seems that to actually get your query used as a param, the call should be more like:

    .get('', { params: { query: query } })

Or, with axios, of course there are alternatives. These things work better if you take your time to be relaxed, my experience anyway, and good fortune, as I think you'll soon find it's working...

aquafun20 commented 5 years ago

> Your second try looks by inspection almost right -- you're getting a return that seems to indicate your header auth is correct, and that your allowedOrigins is working.
>
> The response is talking about the query: GraphQL can't parse what it receives. In fact it's receiving basically nothing.
>
> It's late, so just looked at a cheat sheet for axios, which could suggest that your second argument to the get isn't well-formed. It seems that to actually get your query used as a param, the call should be more like:
>
>     .get('', { params: { query: query } })
>
> Or, with axios, of course there are alternatives. These things work better if you take your time to be relaxed, my experience anyway, and good fortune, as I think you'll soon find it's working...

Yes, this is working, thank you! But why isn't my first try working? This was how I could get the data from the integrated GraphQL, but not with CraftQL.

narration-sd commented 5 years ago

Well, the first one isn't going to work until you provide the appropriate Authorization header, is it. That's also what its reply is telling you.

Again, these things only operate as expected if you patiently provide the necessary permissions they expect. That includes not only the token, which 'not authorized' warns on, but that the token has permissions for the entities you want to query, as that will be the next step.

Might also suggest that when you post code, you can use the single or triple back-ticks (or the <> button) to format it cleanly as you have written it.

narration-sd commented 5 years ago

n.b. @aquafun - Antonio, I've deleted what was the last comment -- it was probably mis-direction on my part, just an insight that might apply elsewhere.

I hope you got all forms of the access working with matched credentials, and are on your way with cheer now.

The other matters I've taken up directly with Craft via @andris-sevcenko etc., and would just mention here for others learning from your issue that Craft's internal Gql is often a bit different, beginning with the I'm-alive query being `{ ping }` instead of `{ helloWorld }`.

As well it has a 'Public Schema' which can let you connect for this without necessarily providing authentication, but by proper default also won't let you do any other queries -- that's where private Schemas and tokens for them come in.

For this and quite a few differences in elements of queries, it's surely important then to read the documentation with care if coming from CraftQL experience.

This is what I was getting at with the deleted last reply, but realized also later that these points probably didn't have anything to do with your experience this time -- cheers.

Clive

daltonrooney commented 4 years ago

I just struggled with a similar issue. It took me a while to realize that it only happened when I was not logged in, and it only happened on my staging server, but not my local server.

It turns out my authorization header was not being passed to PHP. I tweaked my .htaccess file, as in this example, and that seems to have fixed the problem. Hope that helps if anyone else is having a similar issue.
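
Added example (not part of the thread, and not CraftQL or axios code): a simplified model of where axios puts each argument, run against a constructed stand-in for the endpoint, showing why each call in the thread got the response it did and why an Authorization header dropped before PHP looks the same as sending none. `wirePost`, `wireGet`, `stubEndpoint` and `stripAuthorization` are hypothetical names, and the POST form with headers in the config argument goes beyond what the thread shows.

```javascript
// Added example. Simplified model of how axios maps arguments onto the request:
//   axios.post(url, data, config): data is the body, config.headers are the headers
//   axios.get(url, config): config.params becomes the query string, other keys are ignored
function wirePost(url, data, config = {}) {
  return { method: 'POST', url, headers: { ...config.headers }, body: JSON.stringify(data) };
}
function wireGet(url, config = {}) {
  const qs = new URLSearchParams(config.params || {}).toString();
  return { method: 'GET', url: qs ? `${url}?${qs}` : url, headers: { ...config.headers }, body: null };
}

// Constructed stand-in for the endpoint: reproduces only the two errors quoted
// in the thread. Accepting the query from a JSON POST body is an assumption.
function stubEndpoint(req, validToken) {
  const name = Object.keys(req.headers).find((k) => k.toLowerCase() === 'authorization');
  const m = /^bearer (.+)$/i.exec(name ? req.headers[name] : '');
  if (!m || m[1] !== validToken) return { errors: [{ message: 'Not authorized' }] };
  const query = req.method === 'GET'
    ? new URL(req.url).searchParams.get('query')
    : JSON.parse(req.body || '{}').query;
  if (!query) return { errors: [{ message: 'Syntax Error: Unexpected <EOF>' }] };
  return { data: { receivedQuery: query } }; // placeholder result, not real CraftQL output
}

// Models a server layer that drops Authorization before PHP sees it.
function stripAuthorization(req) {
  const headers = Object.fromEntries(
    Object.entries(req.headers).filter(([k]) => k.toLowerCase() !== 'authorization'));
  return { ...req, headers };
}

const API = 'http://myurl.test/admin/actions/craftql/api';
const TOKEN = 'abcde'; // placeholder token from the post
const AUTH = { Authorization: `bearer ${TOKEN}`, 'Content-type': 'application/json' };
const Q = '{helloWorld}';

function runThreadCases() {
  const fixedGet = wireGet(API, { headers: AUTH, params: { query: Q } });
  return {
    // Headers placed inside the body: they never become HTTP headers.
    firstTry: stubEndpoint(wirePost(API, { headers: { 'Content-type': 'application/json' }, query: Q }), TOKEN),
    // Token accepted, but `query` is not under `params`, so nothing is sent.
    secondTry: stubEndpoint(wireGet(API, { headers: AUTH, query: Q }), TOKEN),
    fixedGet: stubEndpoint(fixedGet, TOKEN),
    fixedPost: stubEndpoint(wirePost(API, { query: Q }, { headers: AUTH }), TOKEN),
    strippedByServer: stubEndpoint(stripAuthorization(fixedGet), TOKEN),
  };
}

console.log(JSON.stringify(runThreadCases(), null, 2));
```

When "Not authorized" appears even though the client call is well-formed, compare what the client sent with what PHP actually received before changing the token.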