Hello all,
I’m currently self-hosting GitLab from the omnibus package at a relative URL (warning: anchor tags don’t seem to work, scroll down to the relative URL section) of my domain (i.e. http://my.domain/gitlab). My own web application is also served from the same domain. This means that the _gitlab_session cookie is indeed present when my own web application makes requests to the GitLab API.
When I run the following inside the JS console to hit the /user endpoint of the REST API:
fetch("http://my.domain/gitlab/api/v4/user").then(x => x.json().then(user => console.log(user)));
Then I do indeed see the correct user info corresponding to the session cookie.
However, when I make the equivalent request using the GraphQL API:
let query = "query { currentUser { name } }";
let payload = JSON.stringify({query});
let headers = {"Content-Type": "application/json"};
fetch("http://my.domain/gitlab/api/graphql",
{method: "POST",
body: payload,
headers})
.then(x => x.json()
.then(user => console.log(user)))
I receive:
{ data: { currentUser: null } }
It seems that the GraphQL API is not able to pick up the session cookie. Is this intended?
If I add the Authorization: Bearer PERSONAL_TOKEN header then it works fine, but my use case requires that I avoid personal access tokens. Can session cookies be used to authenticate with GraphQL?