Allow login mutation to be public when the endpoint is fully restricted

If you’ve configured your WPGraphQL settings to “Limit the execution of GraphQL operations to authenticated requests”, this will block all root operations unless the user making the request is already authenticated.

If you’re using a GraphQL mutation to authenticate, such as the one provided by WPGraphQL JWT Authentication, you might want to allow the login mutation to still be executable by public users, even if the rest of the API is restricted.

This snippet allows you to “allow” the login mutation when all other root operations are restricted.

  function( $allowed ) {
	$allowed[] = 'login';
	return $allowed;
}, 10, 1 );

Published by Jason Bahl

Jason is a Principal Software Engineer at WP Engine based in Denver, CO where he maintains WPGraphQL. When he's not writing code or evangelizing about GraphQL to the world, he enjoys escaping from escape rooms, playing soccer, board games and Fortnite.