Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Participant

how to set :in_app on graphql query

i've been working all day on the problem described here: unfortunately, i'm not a ruby developer, so it's slow going reading the code, but it seems like doing a graphql query with a token is different from using a web login. it all seems to boil down to the in_app? function in application_controller.rb . anyone know how to make that function go true when using a graphql query with a token?



0 Kudos
2 Replies
Community Champion


Not all functionality through the REST API is supplied through GraphQL. This is one of those things. If you use the REST API, you will get an UUID for an attachment, which is the verifier code. Canvas is pushing GraphQL and says it's the future of API and people should start using it, but the support isn't there yet. The GraphQL stuff says that if you find something that isn't supported to let them know.

The in-app is part of the request forgery prevention process.  Best I could find, it looks for an existing session. I will say, though, that I copied the entire request as a fetch command, then switched to a browser that wasn't logged in and executed it. It threw all kinds of CORS errors.

I then did a copy as cURL (bash) and went to a bash shell and executed it and it worked and included the verifier. I removed the cookie header and I got that I was unauthorized. If I remove the x-csrf-token header, then it is an unprocessable entity. I got it to work with these headers: x-csrf-token, cookie, content-type, accept

I then played around with the cookie to see what parts of it were absolutely necessary. It turned out that only two parts were: canvas_session and _csrf_token

Your question is how to get those without actually logging into Canvas. My answer is that it's a lot easier to use the REST API for this one since what you want isn't supported through GraphQL. Then ask Instructure to add support for the uuid on attachments to graphql.

If I absolutely had to have those headers, I could perform a headless login using puppeteer or selenium.

Community Participant

nice! that did it. thank you! i was trying something along those lines, but i didn't remove the token i had been using. thank you!

i had written it all using the REST API but i need to grab comment attachments, and it doesn't look like you can get the comment attachments for a submission using the REST API, but it is available using graphql (well except that the URLs aren't useful...)