@ben_reed
Not all functionality through the REST API is supplied through GraphQL. This is one of those things. If you use the REST API, you will get a UUID for an attachment, which is the verifier code. Canvas is pushing GraphQL and says it's the future of the API and people should start using it, but the support isn't there yet. The GraphQL stuff says to let them know if you find something that isn't supported.
The in-app is part of the request forgery prevention process. Best I could find, it looks for an existing session. I will say, though, that I copied the entire request as a fetch command, then switched to a browser that wasn't logged in and executed it. It threw all kinds of CORS errors.
I then did a copy as cURL (bash), went to a bash shell, and executed it. It worked and included the verifier. I removed the cookie header and I got that I was unauthorized. If I remove the x-csrf-token header, then it is an unprocessable entity. I got it to work with these headers: x-csrf-token, cookie, content-type, accept.
I then played around with the cookie to see what parts of it were absolutely necessary. It turned out that only two parts were: canvas_session and _csrf_token.
Your question is how to get those without actually logging into Canvas. My answer is that it's a lot easier to use the REST API for this one since what you want isn't supported through GraphQL. Then ask Instructure to add support for the uuid on attachments to GraphQL.
If I absolutely had to have those headers, I could perform a headless login using Puppeteer or Selenium.