GraphQL login mutation error

tforster · October 29, 2020, 6:02pm

Almost first step on https://strapi.io/documentation/v3.x/plugins/graphql.html is failing with an error. I have confirmed the credentials are correct.

mutation {
  login(input: { identifier: "redacted", password: "redacted" }) {
    jwt
  }
}

produces

{
  "errors": [
    {
      "message": "Bad Request",
      "locations": [
        {
          "line": 2,
          "column": 3
        }
      ],
      "path": [
        "login"
      ],
      "extensions": {
        "code": "INTERNAL_SERVER_ERROR",
        "exception": {
          "code": 400,
          "data": {
            "statusCode": 400,
            "error": "Bad Request",
            "message": [
              {
                "messages": [
                  {
                    "id": "Auth.form.error.invalid",
                    "message": "Identifier or password invalid."
                  }
                ]
              }
            ],
            "data": [
              {
                "messages": [
                  {
                    "id": "Auth.form.error.invalid",
                    "message": "Identifier or password invalid."
                  }
                ]
              }
            ]
          },
          "stacktrace": [
            "Error: Bad Request",
            "    at checkBadRequest (/srv/app/node_modules/strapi-plugin-users-permissions/config/schema.graphql.js:11:23)",
            "    at resolver (/srv/app/node_modules/strapi-plugin-users-permissions/config/schema.graphql.js:215:11)"
          ]
        }
      }
    }
  ],
  "data": null
}

DMehaffy · October 29, 2020, 7:34pm

Can you confirm that the user account you are using in the mutation is not one for the Admin panel but is a user from the users-permissions plugin? (They are handled differently by different packages and thus Admin panel users cannot sign in via GraphQL or the normal REST route)

tforster · October 29, 2020, 9:50pm

Thanks, @DMehaffy,

Ok, so I was using a user configured in /admin/settings/users as that made sense as a place to create an identity that can access the API.

I created a new user in admin/plugins/content-manager/collectionType/plugins::users-permissions.user and was able to obtain a JWT which I could then use in the auth headers to query the API. I had to create a custom role, which makes sense, but there’s no indication of that in https://strapi.io/documentation/v3.x/plugins/graphql.html#configurations. Perhaps a link could be placed at the top of the page that suggest the reader look at Authenticated request - Strapi Developer Documentation?

That said, requiring a username and password in exchange for a token implements the password oAuth grant, while I was expecting a device code grant. Is device code supported? If not, how reliable is the password flow to use in a device code context? E.g. are there any hardcoded limitations on how long the JWT TTL is? It looks like the token I received has a life of ~30 days and I do not see any mention of a refresh token. How would I ensure my service will stay connected to the API?

T