I need to understand whether this is a bug or expected behaviour. I'm using Postman for my testing.

To get customer data, first I need to generate a token:

    mutation generateCustomerToken($email: String!, $password: String!) {
      generateCustomerToken(email: $email, password: $password) {
        token
      }
    }

To request basic customer information I use the following POST:

    { customer { id firstname lastname suffix email } }

It also states that you need to pass the token in the header, but when I request customer information I'm not even passing the `Authorization: Bearer <token>` header, and the data is returned anyway. When I check cookies I can see `Set-Cookie: PHPSESSID=xxxxxxxxx....` as well as `Set-Cookie: private_content_version=xxxxxx`. Now, when I delete `Set-Cookie: PHPSESSID=xxxxxxxxx....` and then try to request customer information, it returns `"message": "The current customer isn't authorized."`, which I would expect if the Bearer token was not passed in the header. But it appears that some sort of cookie session is storing this token when it is first generated, so subsequent requests for customer information succeed without the Bearer token in the header. I'm not sure this is normal for GraphQL requests; does anyone have any idea? Thanks

1 Answer

It seems that GraphQL session cookies are not disabled, so the PHPSESSID session cookie is found in the request headers and used for authentication.

"Session Cookies are enabled by default."
Refer: GraphQL authorization

Check whether it is disabled:

    bin/magento config:show graphql/session/disable

If not, it's recommended to disable it:

    bin/magento config:set graphql/session/disable 1
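The exchange described in the question and the check implied by the answer, as an added example that is not part of the original post or of Magento's own code: a small client that runs the `generateCustomerToken` mutation, queries `customer` with a `Bearer` token, and then re-issues the query with only the `PHPSESSID` cookie to verify whether session-based authentication still works (it should not once `graphql/session/disable` is `1`). The endpoint URL, the e-mail/password and the `fake_store` transport (which models the behaviour reported in the question so the script runs offline) are assumptions; point `http_transport` at a real `/graphql` endpoint to run the same check against a store.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional

# GraphQL documents from the question.
GENERATE_TOKEN = """
mutation generateCustomerToken($email: String!, $password: String!) {
  generateCustomerToken(email: $email, password: $password) { token }
}
"""
CUSTOMER_QUERY = "{ customer { id firstname lastname suffix email } }"

# A transport takes (json body, extra headers) and returns the parsed JSON response.
Transport = Callable[[dict, Dict[str, str]], dict]


def http_transport(endpoint: str) -> Transport:
    """Real transport over urllib. endpoint is assumed, e.g. https://store.example/graphql."""
    def send(body: dict, headers: Dict[str, str]) -> dict:
        req = urllib.request.Request(
            endpoint, data=json.dumps(body).encode(), method="POST",
            headers={"Content-Type": "application/json", **headers})
        try:
            with urllib.request.urlopen(req) as resp:
                return json.loads(resp.read())
        except urllib.error.HTTPError as err:  # GraphQL errors may come with a non-2xx status
            return json.loads(err.read())
    return send


def get_token(send: Transport, email: str, password: str) -> str:
    """Step 1 of the question: obtain a customer token."""
    resp = send({"query": GENERATE_TOKEN,
                 "variables": {"email": email, "password": password}}, {})
    return resp["data"]["generateCustomerToken"]["token"]


def fetch_customer(send: Transport, token: Optional[str] = None,
                   session_cookie: Optional[str] = None) -> dict:
    """Step 2: query customer data, optionally with a Bearer token and/or a PHPSESSID cookie."""
    headers: Dict[str, str] = {}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    if session_cookie:
        headers["Cookie"] = f"PHPSESSID={session_cookie}"
    return send({"query": CUSTOMER_QUERY}, headers)


def is_authorized(resp: dict) -> bool:
    """True when customer data came back; False on the 'not authorized' GraphQL error."""
    errors = resp.get("errors") or []
    if any("isn't authorized" in e.get("message", "") for e in errors):
        return False
    return bool((resp.get("data") or {}).get("customer"))


def session_auth_leaks(send: Transport, session_cookie: str) -> bool:
    """The check: does the customer query succeed with only the session cookie, no Bearer token?
    True means graphql/session/disable is effectively 0 (cookie session accepted)."""
    return is_authorized(fetch_customer(send, token=None, session_cookie=session_cookie))


def fake_store(session_cookies_enabled: bool) -> Transport:
    """Constructed stand-in for a Magento store, modelling the behaviour reported in the question."""
    valid_token = "tok-constructed"
    session_id = "sess-constructed"
    customer = {"id": 1, "firstname": "Ada", "lastname": "Lovelace",
                "suffix": None, "email": "ada@example.com"}  # constructed sample data

    def send(body: dict, headers: Dict[str, str]) -> dict:
        if "generateCustomerToken" in body["query"]:
            return {"data": {"generateCustomerToken": {"token": valid_token}}}
        if headers.get("Authorization") == f"Bearer {valid_token}":
            return {"data": {"customer": customer}}
        if session_cookies_enabled and f"PHPSESSID={session_id}" in headers.get("Cookie", ""):
            return {"data": {"customer": customer}}
        return {"errors": [{"message": "The current customer isn't authorized."}],
                "data": {"customer": None}}
    return send


if __name__ == "__main__":
    # Offline demonstration: the same check against both configurations.
    for enabled in (True, False):
        send = fake_store(enabled)
        token = get_token(send, "ada@example.com", "constructed-password")
        print("session cookies enabled:", enabled,
              "| bearer ok:", is_authorized(fetch_customer(send, token=token)),
              "| cookie-only leaks:", session_auth_leaks(send, "sess-constructed"))
```

Against a real store, replace `fake_store(...)` with `http_transport("https://store.example/graphql")` (assumed URL) and take the `PHPSESSID` value from the `Set-Cookie` header of the token response; `session_auth_leaks` returning `True` after `config:set graphql/session/disable 1` would indicate the setting has not taken effect (for example, a cache that still needs flushing).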
