NTERNAL_SERVER_ERROR Forbidden while creating a page after the login

[NeosoftDKim]

I checked this post(#5601) but I couldn't solve my problem yet.
I'm trying to create a page after login with my credentials.

I sent the request the login first like the below.

mutation {
    authentication {
        login (username:"XXXX",password:"XXXX",strategy:"local") {
            responseResult {
                succeeded,
                errorCode,
                slug,
                message
            }
        }
    }
}

It works well so and then I sent another request to create a page like the below.

mutation {
    mutationTwo:pages {
        create (content:"content1", 
        description:"des1", 
        editor: "code", 
        isPublished: true, 
        isPrivate: false, 
        locale: "en", 
        path:"/test1", 
        tags: ["tag1", "tag2"], 
        title:"test1") {
            responseResult {
                succeeded,
                errorCode,
                slug,
                message
            }
        }
    }
}

They worked well but when I checked the Created By of the page that I just created, it was admin not the credential that I logged in.
So I sent the multiple mutations in one request like the below.

mutation {
    mutationOne:authentication {
        login (username:"XXXX",password:"XXXX!",strategy:"local") {
            responseResult {
                succeeded,
                errorCode,
                slug,
                message
            }
        }
    }
    mutationTwo:pages {
        create (content:"content1", 
        description:"des1", 
        editor: "code", 
        isPublished: true, 
        isPrivate: false, 
        locale: "en", 
        path:"/test1", 
        tags: ["tag1", "tag2"], 
        title:"test1") {
            responseResult {
                succeeded,
                errorCode,
                slug,
                message
            }
        }
    }
}

But the error message is forbidden.

{
    "errors": [
        {
            "message": "Forbidden",
            "locations": [
                {
                    "line": 13,
                    "column": 9
                }
            ],
            "path": [
                "mutationTwo",
                "create"
            ],
            "extensions": {
                "code": "INTERNAL_SERVER_ERROR",
                "exception": {
                    "stacktrace": [
                        "Error: Forbidden",
                        "    at field.resolve (/wiki/server/graph/directives/auth.js:47:17)",
                        "    at field.resolve (/wiki/node_modules/apollo-server-core/dist/utils/schemaInstrumentation.js:52:26)",
                        "    at resolveFieldValueOrError (/wiki/node_modules/graphql/execution/execute.js:502:18)",
                        "    at resolveField (/wiki/node_modules/graphql/execution/execute.js:460:16)",
                        "    at executeFields (/wiki/node_modules/graphql/execution/execute.js:297:18)",
                        "    at collectAndExecuteSubfields (/wiki/node_modules/graphql/execution/execute.js:748:10)",
                        "    at completeObjectValue (/wiki/node_modules/graphql/execution/execute.js:738:10)",
                        "    at completeValue (/wiki/node_modules/graphql/execution/execute.js:626:12)",
                        "    at /wiki/node_modules/graphql/execution/execute.js:527:16",
                        "    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)"
                    ]
                }
            }
        }
    ],
    "data": {
        "mutationOne": {
            "login": {
                "responseResult": {
                    "succeeded": true,
                    "errorCode": 0,
                    "slug": "ok",
                    "message": "Login success"
                }
            }
        },
        "mutationTwo": {
            "create": null
        }
    }
}

The installation setup is the own server and docker image.

Could you give me some advice on this?

[CyGaNeo]

I'm Doyoung's colleague and working with him on the project.
The thing that bother us, is that it seems that we can create a page without logging in first ; and that whatever if the token as full rights or Administrator's group relation.

Second thing we tried is then to login first, then create a page.
We did this with both tokens (full and admin group related).
If we perform 2 separate GraphQL request (login, then create page), it seems to work.
The page is created, but the creator seems to be the first user in the Administrator group (and not the one we used to log in (Doyoung's profile)). Exactly like if didn't log first and create the page directly.

That's why we tried to push one GraphQL request containing both mutation (first mutation is the log, second is the page creation).
And in that case, we've got the 'Forbidden' error reported. And that happens whatever the token we use (full rights or Administator group related).

Both token were created this morning, so they are valid.
The error we see happens both in Postman and in GraphQL playground.
Doyoung's profil is active, and i nthe Adminsitrator group only.

[NGPixel]

You're making 2 parallel queries when they should be sequential. You need to login first, THEN make a second request with the page creation. Having both in the same request makes no sense.

Although the proper way to do it would be to use an API token (that you generate via the Admin > API Access), rather than using the authentication endpoint with a user/pass. You need to pass the token via the Authorization header, as explained in the docs.

[CyGaNeo]

Hi Nicolas,
As explained in the message, we did both techniques. If we login first and then send a second query, the page is created but the name of the creator is the name of the logged person.

Also if we don't login first, and directly create the page it does exactly the same thing.

In all cases exposed here and above an API token was created. We tested an API token with full rights and an API token with admin rights. It makes no difference, the behaviour is the same. In all cases the token was in the HTTP headers.

Let's rephrase things differently:
If I've got an API token, is login still mandatory?
When creating a page, the creator is always the user with ID 1 (or smallest ID I guess), how do I change the creator name so that it is the one of the user performing the request?

[NGPixel]

The API token is the login... So I'm not sure why you're trying to login again, which won't do anything.

API requests are always done as the root admin. This is a limitation of API at the moment. There are plans to add user override in the future.

[CyGaNeo]

We want to login for 2 reasons:

1. Most of other APIs we use require login to ensure you're really authorized to do something on the server. It is a double check in case the token was disclosed or the final software was used by someone with no (low) rights on the service.
2. So that actions performed with the API are related to the person logged. In the Page Creation for example I'd love to see Doyoung as the creator and not Administrator. Same thing if we do page modifications. With the token, at the end, actions are performed by someone. I'd like that 'someone' to be tagged in the wiki pages history.