No permissions with auth token
sistemas-y-redes opened this issue · 14 comments
So, I have these 2 plugins installed in my WordPress site
First, I do this query with my username and password to get my authToken, and it works well, I get my token.
Next, I add that token to the authorization header with "Bearer ".
And now I try to do a query to get a list of customers, as an example, and it gives me an empty array, same thing happens with orders.
If I try to list a single customer, I get an error saying I am not authorized, even though I am an admin.
Also, it is not like the server doesn't get the Authorization header, because if I change the Bearer to a wrong token (like changing a letter), it gives me a token error, which makes sense.
Any idea why this happens?
I am facing the same issue. Like when I use the token for the admin user and then run:
    query userQuery {
      user(id: "xxx") {
        firstName
        id
        jwtAuthToken
        jwtAuthExpiration
        jwtRefreshToken
        jwtUserSecret
        isJwtAuthSecretRevoked
      }
    }
My errors have this:
    {
      "errors": [
        {
          "message": "Only the user requesting a token can get a token issued for them",
          "extensions": {
            "category": "user"
          },
          "locations": [
            {
              "line": 5,
              "column": 5
            }
          ],
          "path": [
            "user",
            "jwtAuthToken"
          ]
        },
        {
          "message": "Only the user requesting a token can get a token issued for them",
          "extensions": {
            "category": "user"
          },
          "locations": [
            {
              "line": 7,
              "column": 5
            }
          ],
          "path": [
            "user",
            "jwtRefreshToken"
          ]
        }
      ]
    }
EDIT:
I got the token off GraphiQL and ran the user query from Postman, so the error popped up. Then I performed the LoginUser mutation in Postman, got the right token and used it in the user query. That resolved the error, but I get null:
    {
      "data": {
        "user": null
      }
    }
The token value in X-JWT-Auth is different than the Bearer token used with the request.
hi @sistemas-y-redes @kpratik2015 did you have any luck with this issue? I am seeing the exact same issue.
Hi buddy, turns out my issue was caused by Jetpack plugin. A little more detail in this issue -> wp-graphql/wp-graphql#1487
Thanks for the reply @kpratik2015
I added WPGraphQL CORS but no luck. My WP installation is a basic one, with no extra plugins such as Jetpack, Advanced Custom Fields, or Custom Post Type UI.
My installed plugins are
- GraphQL API for WordPress. Version 0.13.1, updated to latest 0.13.3
- WPGraphQL request CORS Headers. Version 1.1.0 (I recently added it based on your issue)
- JWT Authentication for WPGraphQL. Version 0.4.1
I tested like this. Using the login mutation, this works as expected and it returned the authToken:
    mutation LoginUser {
      login( input: {
        clientMutationId: "login",
        username: "admin",
        password: "not-my-real-pass"
      } ) {
        authToken
        user {
          id
          name
        }
      }
    }
Then I used that authToken and executed this:
    {
      user(id: "not-my-user-id") {
        username
      }
      users {
        nodes {
          username
        }
      }
    }
And I got a HTTP/1.1 403 Forbidden. Raw log here:
POST /graphql HTTP/1.1
Authorization: Bearer not-my-atuh-token
Content-Type: application/json
User-Agent: PostmanRuntime/7.26.5
Accept: */*
Cache-Control: no-cache
Postman-Token: dcee0c25-e19f-40e7-bbef-2daad443a252
Host: not-my-host-server
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 118
{"query":"{\n user(id: \"not-my-user-id\") {\n username\n }\n users {\n nodes {\n username\n }\n }\n}\n"}
HTTP/1.1 403 Forbidden
Connection: keep-alive
Content-Length: 160
Access-Control-Allow-Headers: Authorization, Content-Type, X-JWT-Auth, X-JWT-Refresh
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-JWT-Refresh
Access-Control-Max-Age: 600
Content-Encoding: gzip
Content-Type: application/json; charset=UTF-8
Server: nginx
Strict-Transport-Security: max-age=300
X-Content-Type-Options: nosniff
X-Hacker: If you're reading this, you should visit github.com/wp-graphql and contribute!
Date: Sun, 11 Oct 2020 19:55:34 GMT
X-Served-By: cache-mdw17363-MDW, cache-lax10637-LGB
X-Cache: MISS, MISS
X-Cache-Hits: 0, 0
X-Timer: S1602446134.675926,VS0,VE420
Vary: Accept-Encoding
X-Robots-Tag: noindex
Age: 0
Accept-Ranges: bytes
Via: 1.1 varnish
{"errors":[{"message":"Internal server error","extensions":{"category":"internal"},"locations":[{"line":2,"column":4}],"path":["user"]},{"message":"Internal server error","extensions":{"category":"internal"},"locations":[{"line":5,"column":3}],"path":["users"]}],"data":{"user":null,"users":null}}
Doesn't seem like the server is getting the Authorization header. Otherwise it would put X-JWT-Auth and X-JWT-Refresh in the response. That's my best guess.
Hi!
We solved our issue changing the auth method. Now we use Basic Auth for our app. There's a plugin called JSON Basic Authentication that gets the job done.
We are using Axios for the POST request, here's some example code:
    const axios = require("axios");

    // Fetch the first 20 orders, authenticating with HTTP Basic Auth
    // (handled server-side by the JSON Basic Authentication plugin).
    function fetchOrders(pageurl, username, password) {
      return axios
        .post(pageurl + "/graphql", {
          query: `
            query {
              orders (first:20) {
                pageInfo{
                  startCursor
                  endCursor
                  hasNextPage
                  hasPreviousPage
                }
                nodes {
                  id
                  orderId
                  needsPayment
                  status
                  total
                }
              }
            }
          `
        }, { auth: {username: username, password: password} });
    }
@sistemas-y-redes how do you make such a query with a client (e.g. Altair)?
I'm also getting a 403 status returned when making GraphQL requests with a JWT token, however, the Create/Delete mutations are still working!
And the token works too because if I remove it, or send some other random string, the mutations don't work.
Try to put your define for GRAPHQL_JWT_AUTH_SECRET_KEY before the line require_once ABSPATH . 'wp-settings.php'; in the wp-config.php file.
Are there any updates to this issue? I have tried manually doing the calls with Postman and I always get viewer: null.
Additional information:
Every other plugin is deactivated. Doing
    query { viewer { email firstName lastName } }
in the GraphQL it is successful. The Bearer token is included in the request.
I'm having the same issue :(
Did anyone solve this? How should tokens be passed? Which header?