I've been working all day on the problem described here: https://community.canvaslms.com/t5/Canvas-Developers-Group/Missing-verifier-on-attachment-url-Submissions-graphQL-query/m-p/461456 Unfortunately, I'm not a Ruby developer, so it's slow going reading the code, but it seems like doing a GraphQL query with a token is different from using a web login. It all seems to boil down to the in_app? function in application_controller.rb. Anyone know how to make that function go true when using a GraphQL query with a token?
thanx
ben
@ben_reed
Not all functionality through the REST API is supplied through GraphQL. This is one of those things. If you use the REST API, you will get a UUID for an attachment, which is the verifier code. Canvas is pushing GraphQL and says it's the future of API and people should start using it, but the support isn't there yet. The GraphQL stuff says that if you find something that isn't supported to let them know.
The in-app is part of the request forgery prevention process. Best I could find, it looks for an existing session. I will say, though, that I copied the entire request as a fetch command, then switched to a browser that wasn't logged in and executed it. It threw all kinds of CORS errors.
I then did a copy as cURL (bash) and went to a bash shell and executed it and it worked and included the verifier. I removed the cookie header and I got that I was unauthorized. If I remove the x-csrf-token header, then it is an unprocessable entity. I got it to work with these headers: x-csrf-token, cookie, content-type, accept
I then played around with the cookie to see what parts of it were absolutely necessary. It turned out that only two parts were: canvas_session and _csrf_token
Your question is how to get those without actually logging into Canvas. My answer is that it's a lot easier to use the REST API for this one since what you want isn't supported through GraphQL. Then ask Instructure to add support for the UUID on attachments to GraphQL.
If I absolutely had to have those headers, I could perform a headless login using puppeteer or selenium.
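The token-only REST route recommended in the reply above, as an added example that is not part of the original thread or of Canvas itself: it builds a bearer-token request (no cookie, no x-csrf-token) and pulls the verifier out of each attachment URL. The host, the IDs, the sample response and the `attachments`/`uuid`/`url` field layout are assumptions constructed for illustration.

```python
import json
import urllib.request
from urllib.parse import urlsplit, parse_qs

# Constructed sample of a submissions response; all values are made up.
SAMPLE_RESPONSE = json.dumps([
    {"id": 1, "user_id": 10, "attachments": [{
        "id": 501, "uuid": "CONSTRUCTED-UUID-1", "display_name": "essay.pdf",
        "url": "https://canvas.example.edu/files/501/download"
               "?download_frd=1&verifier=CONSTRUCTED-UUID-1"}]},
    {"id": 2, "user_id": 11},  # submission without attachments
])

def build_request(base_url, course_id, assignment_id, token):
    """Token-authenticated request: no session cookie or CSRF header needed."""
    url = (f"{base_url}/api/v1/courses/{course_id}"
           f"/assignments/{assignment_id}/submissions?per_page=100")
    return urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/json",
    })

def attachment_verifiers(body):
    """Return one record per attachment with the verifier taken from its URL."""
    records = []
    for submission in json.loads(body):
        for att in submission.get("attachments") or []:
            query = parse_qs(urlsplit(att.get("url", "")).query)
            records.append({
                "submission_id": submission["id"],
                "file_id": att["id"],
                "uuid": att.get("uuid"),
                # None means the URL carries no verifier parameter.
                "verifier": (query.get("verifier") or [None])[0],
            })
    return records

def fetch_submissions(base_url, course_id, assignment_id, token):
    """Network call; not exercised by the offline sample below."""
    req = build_request(base_url, course_id, assignment_id, token)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")

if __name__ == "__main__":
    for record in attachment_verifiers(SAMPLE_RESPONSE):
        print(record)
```

Keep the token out of source control and logs; unlike the copied browser session, it can be scoped and revoked on its own.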