When querying the GraphQL endpoint not as a logged-in user via GraphQL Authentication, but just using a Craft GraphQL schema token (via `Authorization: Bearer ....`), GraphQL Authentication is still applying the field rules, but applying rules from the wrong Schema (seems to be always using Public).
I would expect GraphQL Authentication to either ignore requests that aren't coming through the JWT auth, or choose the correct Schema.
Craft Version: Craft Pro 4.3.6.1 (latest at this time)
GraphQL Authentication version: 2.3.0 (latest at this time)
To reproduce:
I've created a reproduction repo with instructions on how to recreate this bug - it's pretty straightforward.
To recreate on your own setup:
1. Create a GraphQL Schema that has access to entries with the field in question
2. In GraphQL Authentication -> Settings -> Fields, set the field to Private with the Public Schema, but Query/Mutate in the new Schema
3. Test that the query works in GraphiQL
4. Make a request to the GraphQL endpoint querying that field with an `Authorization: Bearer {token}` header (not the GraphQL Authentication JWT header)
You'll get an error response like this:
```json
{
  "errors": [
    {
      "message": "User doesn't have permission to access requested field(s)"
    }
  ]
}
```
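The schema-selection bug described in this issue, modelled as an added example (not the plugin's or Craft's code): the "buggy" resolver falls back to the Public schema for any request that is not a GraphQL Authentication JWT, while the "fixed" resolver looks the Craft schema token up and applies that schema's field rules. The token values, the `FIELD_RULES` layout and the private/query/mutate semantics are constructed assumptions.

```python
# Simplified model of per-schema field rules; NOT the GraphQL Authentication plugin's code.
# Assumptions: rules are {schema: {field: "private" | "query" | "mutate"}}, a Craft schema
# token maps to one schema, and a GraphQL Authentication JWT carries the user's schema.

FIELD_RULES = {                                   # constructed sample configuration
    "Public":  {"secretField": "private"},        # field set to Private in Public schema
    "Members": {"secretField": "query"},          # same field set to Query in new schema
}
SCHEMA_TOKENS = {"craft-token-abc": "Members"}    # constructed Craft GraphQL schema token
JWT_SCHEMAS = {"user-jwt-xyz": "Members"}         # constructed GraphQL Authentication JWT


def _bearer(headers):
    """Extract the bearer token from the Authorization header (empty string if absent)."""
    return headers.get("Authorization", "").removeprefix("Bearer ").strip()


def schema_for_request_buggy(headers):
    """Behaviour reported in the issue: anything that is not a JWT is treated as Public."""
    token = _bearer(headers)
    return JWT_SCHEMAS.get(token, "Public")


def schema_for_request_fixed(headers):
    """Expected behaviour: a Craft schema token selects the schema it was issued for."""
    token = _bearer(headers)
    if token in JWT_SCHEMAS:
        return JWT_SCHEMAS[token]
    if token in SCHEMA_TOKENS:
        return SCHEMA_TOKENS[token]
    return "Public"                               # unauthenticated request


def check_fields(schema, requested, operation="query"):
    """Return a GraphQL-style error list; an empty list means the request is allowed."""
    rules = FIELD_RULES.get(schema, {})
    denied = [
        f for f in requested
        if rules.get(f) == "private" or (operation == "mutate" and rules.get(f) == "query")
    ]
    if denied:
        return [{"message": "User doesn't have permission to access requested field(s)"}]
    return []


def run(resolver, headers, requested, operation="query"):
    """Resolve the schema for the request with the given resolver, then apply its field rules."""
    return check_fields(resolver(headers), requested, operation)
```

Running `run(schema_for_request_buggy, ...)` with the Craft token reproduces the error from the report, while the fixed resolver allows the query because the Members schema marks the field as queryable.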