I need to understand whether this is a bug or expected behaviour. I'm using Postman for my testing.
To get customer data I first need to generate a token:
    mutation generateCustomerToken($email: String!, $password: String!) {
      generateCustomerToken(email: $email, password: $password) {
        token
      }
    }
To request basic customer information I use the following POST:
    {
      customer {
        id
        firstname
        lastname
        suffix
        email
      }
    }
It also states that you need to pass the token in the header, but when I request customer information I'm not even passing the Authorization: Bearer token header and the data is returned anyway. When I check cookies I can see Set-Cookie: PHPSESSID=xxxxxxxxx.... as well as Set-Cookie: private_content_version=xxxxxx.
Now when I delete Set-Cookie: PHPSESSID=xxxxxxxxx.... and then try to call the customer information request, it returns "message": "The current customer isn't authorized.", which I would expect if the Bearer token was not passed in the header. But it appears that it is using some sort of cookie session to store this token when it is first generated, and subsequently customer information is being returned without the Bearer token in the header. I'm not sure this is normal in GraphQL requests; does anyone have any idea?
Thanks
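A small check for the behaviour described in the post, added here as an example and not part of the post or of Magento: it logs in with a cookie-keeping client, then asks for the customer record without the bearer token, once reusing that client's PHPSESSID cookie and once from a client holding no cookies, so you can see whether the data is served from the session cookie. The endpoint URL, credentials and the exact field set are assumptions; probe() needs a reachable store, while the classification helpers run offline.

```python
"""Added example (not from the original post): does a Magento GraphQL endpoint return
customer data on the PHPSESSID cookie alone? Endpoint, credentials, fields are assumptions."""
import json
import urllib.error
import urllib.request
from http.cookiejar import CookieJar

GENERATE_TOKEN = """mutation ($email: String!, $password: String!) {
  generateCustomerToken(email: $email, password: $password) { token }
}"""
CUSTOMER = "{ customer { id firstname lastname email } }"
UNAUTHORIZED_MSG = "The current customer isn't authorized."  # message quoted in the post

def gql(opener, endpoint, query, variables=None, token=None):
    """POST one GraphQL operation via `opener` (with or without a cookie jar)."""
    body = json.dumps({"query": query, "variables": variables or {}}).encode()
    headers = {"Content-Type": "application/json"}
    if token:  # only when the caller explicitly wants bearer auth
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(endpoint, data=body, headers=headers, method="POST")
    try:
        with opener.open(req) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:  # GraphQL errors may arrive on a 4xx status
        return json.loads(err.read().decode())

def customer_query_outcome(body):
    """Classify a customer-query response: 'authorized', 'unauthorized' or 'other'."""
    if (body.get("data") or {}).get("customer"):
        return "authorized"
    if any(e.get("message") == UNAUTHORIZED_MSG for e in body.get("errors") or []):
        return "unauthorized"
    return "other"

def diagnose(with_cookie_jar, fresh_client):
    """Verdict from two probes: same login, one client reusing cookies, one with none."""
    if with_cookie_jar == "authorized" and fresh_client == "unauthorized":
        return "session-cookie auth: PHPSESSID alone returns customer data"
    if with_cookie_jar == "unauthorized" and fresh_client == "unauthorized":
        return "bearer-only: customer data requires the Authorization header"
    return f"inconclusive (cookie jar: {with_cookie_jar}, fresh client: {fresh_client})"

def probe(endpoint, email, password):
    """Live check: log in once via a cookie-keeping client, then query the customer
    with no bearer token from that client and from a client holding no cookies."""
    jar_client = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))
    gql(jar_client, endpoint, GENERATE_TOKEN, {"email": email, "password": password})  # jar keeps Set-Cookie
    with_jar = customer_query_outcome(gql(jar_client, endpoint, CUSTOMER))
    fresh = customer_query_outcome(gql(urllib.request.build_opener(), endpoint, CUSTOMER))
    return diagnose(with_jar, fresh)
```

If the verdict is "session-cookie auth", the customer query is reachable by anything that can send the PHPSESSID cookie, which is the case worth reviewing on your own deployment.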