
WebAccount#

The WebAccount is a central user account with which users can register and log in to a website. It is used for identification, authorization and personalization within a site.

The basis for the WebAccount functionality is the WebAccount Bundle. This bundle provides a GraphQL API for user authentication and thus enables flexible integration into front-end applications.

Authentication#

Authentication takes place via user name and password. See also: WebAccount authentication.

mutation {
  webAccountAuthenticationWithPassword(
    username: "peterpan"
    password: "tinkerbell"
    setJwtCookie: true
  ) {
    status
    user {
      id
      username
      firstName
      lastName
      email
      roles
    }
  }
}

The setJwtCookie option specifies whether a JWT cookie should be set for authenticating subsequent requests to the application. If the option is set to true, a cookie named WEB_ACCOUNT_TOKEN containing the JWT is set; the token is then used in subsequent requests to identify and authenticate the user.

Authentication successful#

If authentication is successful, the WEB_ACCOUNT_TOKEN cookie is set and the response contains the status SUCCESS and the user data:

set-cookie WEB_ACCOUNT_TOKEN=eyJ0eXA...; expires=Fri, 29 Aug 2025 09:08:58 GMT; Max-Age=2592000; path=/; secure; httponly; samesite=strict
{
  "data": {
    "webAccountAuthenticationWithPassword": {
      "status": "SUCCESS",
      "user": {
        "id": "100010100000002469",
        "username": "peterpan",
        "firstName": "Peter",
        "lastName": "Pan",
        "email": "pan@neverland.com",
        "roles": [
          "IES_ID_100010100000001012",
          "IES_USRP_EDITORIAL",
          "IES_ID_100010100000001028",
          "USRP_INTERNETWEBSITE_PROTECTED"
        ]
      }
    }
  }
}

Authentication failed#

If authentication fails, the response contains the status FAILURE and no user data:

{
  "data": {
    "webAccountAuthenticationWithPassword": {
      "status": "FAILURE"
    }
  }
}

To log out a user and unset the JWT cookie, you can use the following mutation:

mutation webAccountUnsetJwtCookie {
  webAccountUnsetJwtCookie
}

This mutation removes the WEB_ACCOUNT_TOKEN cookie from the user's browser by sending a Set-Cookie header with an expiry date in the past and Max-Age=0, effectively logging the user out of the application.

set-cookie WEB_ACCOUNT_TOKEN=deleted; expires=Tue, 30 Jul 2024 09:15:25 GMT; Max-Age=0; path=/; secure; httponly; samesite=strict

The JSON response is:

{
  "data": {
    "webAccountUnsetJwtCookie": true
  }
}
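The following helpers are an added example and not part of the WebAccount Bundle: they parse the Set-Cookie headers and GraphQL responses shown above (login and logout) so an integration test can confirm that WEB_ACCOUNT_TOKEN is always issued with Secure, HttpOnly and SameSite=Strict, that logout really clears it, and that a FAILURE response carries no user data. The sample headers and JSON are constructed from the documentation snippets on this page.

```python
import json

COOKIE_NAME = "WEB_ACCOUNT_TOKEN"

def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie line into name, value and a dict of lowercased attributes."""
    if header.lower().startswith("set-cookie"):
        header = header.split(None, 1)[1]        # drop the "set-cookie" prefix used in the docs
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower() if val else True   # bare flag -> True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def check_session_cookie(header: str) -> dict:
    """Report whether the JWT cookie carries the documented hardening attributes.

    'ok' is True only for WEB_ACCOUNT_TOKEN with Secure, HttpOnly and SameSite=Strict;
    'cleared' is True for the logout form (value 'deleted', Max-Age=0)."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    problems = []
    if cookie["name"] != COOKIE_NAME:
        problems.append(f"unexpected cookie name {cookie['name']!r}")
    for flag in ("secure", "httponly"):
        if attrs.get(flag) is not True:
            problems.append(f"missing {flag}")
    if attrs.get("samesite") != "strict":
        problems.append("samesite is not strict")
    max_age = int(attrs.get("max-age", -1))
    cleared = max_age == 0 and cookie["value"] == "deleted"
    return {"ok": not problems, "cleared": cleared, "max_age": max_age, "problems": problems}

def auth_result(response_json: str) -> tuple:
    """Return (status, roles) from a webAccountAuthenticationWithPassword response;
    roles is empty on FAILURE because the user object is absent."""
    payload = json.loads(response_json)["data"]["webAccountAuthenticationWithPassword"]
    user = payload.get("user") or {}
    return payload["status"], list(user.get("roles", []))

# Constructed samples, copied from the header and response shapes shown in the docs.
LOGIN_COOKIE = ("set-cookie WEB_ACCOUNT_TOKEN=eyJ0eXA...; expires=Fri, 29 Aug 2025 09:08:58 GMT; "
                "Max-Age=2592000; path=/; secure; httponly; samesite=strict")
LOGOUT_COOKIE = ("set-cookie WEB_ACCOUNT_TOKEN=deleted; expires=Tue, 30 Jul 2024 09:15:25 GMT; "
                 "Max-Age=0; path=/; secure; httponly; samesite=strict")
SUCCESS_JSON = '{"data": {"webAccountAuthenticationWithPassword": {"status": "SUCCESS", "user": {"id": "100010100000002469", "username": "peterpan", "roles": ["IES_USRP_EDITORIAL", "USRP_INTERNETWEBSITE_PROTECTED"]}}}}'
FAILURE_JSON = '{"data": {"webAccountAuthenticationWithPassword": {"status": "FAILURE"}}}'
```

Because the cookie is HttpOnly, front-end code cannot read WEB_ACCOUNT_TOKEN itself; a browser client should send requests with credentials included and rely on the status field in the mutation response to decide whether login succeeded.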