►
Description
Today on the stream we took a look at how Insomnia's GraphQL implementation handles GraphQL endpoints that are protected by Authentication, such as OAuth2 but also including Basic Authentication (and any others). We got deep into the inner-workings of Insomnia's request sending architecture.
A weekly stream focused on Insomnia's open source community.
Join us on the #stream channel over on the Insomnia community slack: https://chat.insomnia.rest
A
B
Welcome
to
the
insomnia
stream,
I'm
dimitri
and
jack.
That's
me,
and
we
have
someone
else
here,
hello.
A
B
A
B
Wow
glad
to
have
you:
are
you
an
insomnia
user.
A
Yeah,
of
course
I
am,
I
have
been
using
it
from
the
beginning
and
I
well.
I
was
a
postman
user,
but
I
haven't
used
postman
for
more
than
one
or
two
months
because
yeah
I
don't
know
why.
Then
I
saw
insomnia
and
yeah
four
years
from
the
beginning
itself.
I
have
been,
I
think,
when
insomnia
wasn't
beat
at
that
time
itself.
I
was
using
it
cool
yeah.
B
Great,
what
what
do
you
work
on?
What
is
your,
what
is
your
day-to-day
like.
A
Well,
primarily,
node
yeah
and,
to
be
frank,
there's
a
service,
microservice
framework
called
motor
clutches.
I
primarily
use
it
cool
yeah,
yeah.
B
Do
you
have
any
things
in
mind
about
insomnia
you're
just
here
to
hang
out,
I'm
just
here
to
hang
out
awesome,
okay,
cool
well
I'll,
introduce
what
the
stream
is
for
anyone
listening.
Otherwise
this
is
a
weekly
stream
that
we
do.
It's
focused
on
the
community,
it's
very
chill
and
low-key.
So
I
love
having
it's
nice
to
have
people
here,
just
hanging
out
what
we
do
here.
Let
me
see
if
I
can
share
my
screen.
B
This
is
that
gonna
work
perfect.
What
we
do
is
we
look
through
github
and
we
find
issues
that
we
had
tagged
with
this.
This
insomnia
stream
logo
label
and
this
label
is
just
some
if
we
see
something
throughout
the
week
or
at
any
time
that
or
if
anyone
else
in
the
world
sees
something
we're,
not
the
only
ones
who
can
put
that
label
right.
B
B
Okay,
stalin.
Do
you
or
jack?
Do
you
guys
see
anything
here
that
is
of
particular
interest?
I
think
I
think
I've
seen.
I
think
I
have
not
seen
this
one.
B
B
B
Let's
go
down
the
rabbit
hole
here:
oauth,
2,
missing,
identity,
token,
okay,
so
we
have
this
functionality
2019.
This
is
quite
a
while
ago.
So
this
okay,
so
they're
saying
this
pr
allowed
using
for
identity
tokens
in
auth
rather
than
auth
token.
When
using
this
feature,
the
graphql
schema
could
not
be
fetched
due
to
the
throw
new
error.
No
auth,
two
identity
tokens
found
for
request.
This
commit
moves
the
normalization
of
the
id
further
up
the
chain,
so
it
can
be
used
where
this
error
would
be
otherwise
thrown
closes
three
zero
one
three.
B
So
let's
look
at
three
zero
one:
three
graphql
schema
documentation
doesn't
load
if
oauth
2
access,
token
tag
is
used,
schema
documentation
doesn't
load.
Okay,
if
oauth
2
access
token
tag
is
used
if
a
graphql
request
is
configured
to
use,
oauth2
authentication
via
an
author
token
tag.
So
that's
the
thing
we're
talking
about.
B
B
So
I
I
can
describe
what
this
is.
Let's,
let's
pull
up,
I
don't
think
I
have
insomnia
installed
right
now,
because
what
I
do
is
show
you
guys.
I
I
make
excessive
use
of
these
like
insomnia,
app
image
things,
but
I
never.
I
can
like
use
any
version
at
any
time.
It's
kind
of
fun.
B
Let's
see
what
let
me
make
sure
I
don't
have
a
bunch
of
nonsense
in
my
it's
opening
in
another
window
here
for
a
second,
I
don't
have
a
well
kind
of
nonsense.
Have
you
guys
seen
this
paper
before
chicken?
B
It's
pretty,
it's
pretty
good,
pretty
good
work
of
art.
Actually,
if
you
want
to
learn
about
chickens,
it's
got
all
the
information.
So,
let's,
let's
clear
all
this
stuff
out-
and
I
want
to
show
you
guys
what
a
graphql
schema
documentation
looks
like
so
we'll
do
rick
and
mortyapi.com
graphql.
B
Okay,
that's
fine!
Nobody
returned
for
response,
but
we
can
click,
show
documentation
and
we're
gonna
see
here
a
bunch
of
other
pieces
of
documentation
and
things
that
that
are
here
right.
So
it
doesn't
matter
okay.
So,
let's,
let's
go
back!
So
that's
what
that's
what
they
mean
when
they,
I
think
when
they
say,
schema
documentation
so
they're
saying
when
they
have
auth
stuff
going
on
so
we're
going
to
do
oauth
2,
I
think
yeah,
oauth,
2.,
okay!
So,
let's
token
yeah
token
url,
okay,.
B
An
error
message
occurs
fail
to
fetch.
It
appears
this
caused
by
specifically
by
the
tag
that
is,
that
is
set
on
the
request
header.
If
I
manually
paste
the
token
value
in
the
authorization
header,
then
the
schema
documentation
will
start
to
load
successfully
tag
that
is
set
on
the
request.
Header
jack.
Do
you
know
what
they
mean
by
tag.
C
Yeah,
remember
that
remember
that
stuff
we
were
looking
at
in
a
stream
about
a
month
ago
relating
to
transforming
different
things
into
the
authorization
key.
C
I'm
pretty
sure
it's
closely
related
to
that.
You
remember
it
was
like
trying
not
to
override
it
if
it
if
it
existed,
but
if
it
didn't
exist
then
it
would
generate
it
from
one
of
the
different
authentication
methods.
B
B
I
believe
you
I
don't
know
why
I'm
trying
to
open
vs
code
and
it's
not
opening
cbs
code,
all
right
a
third
time.
Do
it
from
here
code
dot
nope.
I
can't
open
vs
code
at
all.
Why
not?
B
How
do
I
called
like
it's
called
like
system?
Monitor?
Sorry
guys,
let
me,
let's
see
if
I
can
like
vs
code,
anyone
cvs
code
here.
B
Okay,
apparently
my
computer
doesn't
work
today.
Well,
that'll
be
fun.
Let's
see
what
we
can
find
if
I
manually
paste
the
token
value
into
the
authors.
Okay,
so
what
they're
saying
is
the
tag
that
is
set
on
the
request
header.
B
If
I
manually
paste
the
token
value
into
the
authorization
header,
then
the
schema
documentation
will
start
to
load.
Okay,
so
they're
saying
if,
if
I
skip
all
of
this
oauth
2
stuff,
do
no
authentication
and
come
over
here
and
make
an
authorization,
header
and
paste
it
in
here,
then
this
stuff
will
start
to
work
at
your
interpretation
of
what
they're
saying.
C
Exactly
exactly
yeah,
that's
what
many
of
the
authorization
methods
do
like
inside
them
right,
you
fill
out
the
form
and
then
they
generate
for
you
a
a
bearer
token
or
a
some
other
variation
of
the
authorization
key.
B
That's
an
interesting
point
so
is
what's
happening
here
is
that
the
graphql
endpoint
is
protected
by
oauth,
and
that
includes
the
introspection
stuff
where
we
get
this
background,
but
our
documentation
doesn't
have
any
knowledge
of
oauth
or
anything
else.
So,
okay,
creating
so
let's
see
these
steps,
there's
they
don't
have
like
a
docker.
C
B
B
B
B
Ooh
that
would
be
cool.
Does
the
end-to-end
stuff
have
okay,
we're
going
to
look
into
that,
create
a
graphql
request
again
against
an
oauth
2
protected
graphql
api?
Okay,
that's
that's
going
to
like
be
the
hard
part,
so
configure
the
auth
to
authentication
for
the
request
make
sure
that
a
token
has
been
successfully
loaded,
so
they're
saying
come
over
here
and
do
this
stuff
and
make
sure
that
down
here
when
you
click
fetch
token,
it
shows
you
a
thing.
That's
real
great
set
the
authorization
header
of
the
request
to
use
request
to
access
token.
B
That's
what
we're
just
doing
make
the
graphql
request
and
confirm
it.
Works
correctly,
go
back
to
the
graphql
body
tab
and
do
schema.
Refresh
schema
schema
refresh
schema
where,
if
the
error
appears
at
the
bottom
of
the
tab,
no
auth
yeah,
so
we
got
the
error.
Actually
is
that
the
exact
one
they
have.
C
B
B
I'm
curious
fail.
This
fetch
schema,
but
if
I
click
this
view
introspection
timeline,
I
didn't
even
know
that
was
a
thing.
So
let's
go
to
the
headers
tab
and
remove
the
token
tab
paste
in
the
access
token
manually
go
back
and
refresh
the
schema
documentation
again.
This
time
the
schema
will
load
correctly.
B
C
I
think
oauth2
tokens
are
added
a
particular
point
in
the
request,
lifecycle
and
the
graphical
documentation
is
ignorant
of
that.
It
assumes
it
assumes
that
someone's
not
using
oauth
2,
and
it
has
no
awareness
about
oauth
2..
C
How
are
all
two
tokens
are
translated
into
authorization
keys
is
it's
by
making
another
request
and
that's
like
hand
crafted
so
it's
it
exists
outside
of
normal
request
handling.
So
it
explains
why
you
would
get
inconsistent
behavior.
C
C
They
hit
different
code
packs,
so
one
of
those
copas
doesn't
know
about
the
keys.
The
other
one
generated
well
sort
off,
certainly
in
the
case
of
graphql,
schema
the
way
it's
implemented.
It
doesn't
know
about
those
two
things:
it's
just
trying
to
perform
a
basic
fetch
against
the
introspection.
Query.
B
Uh-Huh,
so
sorry,
I'm
like
desperately
trying
to
get
get
my
vs
code
to
work
processes.
Maybe
if
I
do
that
code
and
process
and.
B
B
B
Okay,
so
the
first
question
I
want
to
have
is
what's
going
on
like
how
come
clicking
this
bug
does
nothing.
That
would
be
something
I
would
expect
to
function
and
it
doesn't
function
and
that's
going
to
be
pretty
critical
for
us
to
debug
this
anyway.
So,
like
the
bug,
the
bug
is
not
working
in
general,
I
was
wrong.
B
It
seems,
like
I
thought
this
stuff
to
add,
add
documentation
for
union
types
like
this,
this
stuff
for
the
document,
the
graphql
documentation
overlay
thing
has
been
here
longer
than
I
thought
I
thought
I
don't
know
when
I
thought
that
was
added,
but
I
thought
it
was
added
pretty
recently,
but
it
wasn't
apparently
because
here's
a
really
old,
screenshot
and
yep
it's
there.
B
C
C
About
react
native
in
the
early
days
and
typescript,
they
did
a
lot
of
their
lead
devil
into
working
work
on
typescript.
B
Interesting
so
yeah
I
mean,
I
think,
that's
the
I
think
that's
the
direction
we
should
take.
It.
B
C
He
he
also
just
called
out
a
second
ago
that
this
is
probably
related
to
the
issue
we
had
with
hawke
last
week.
C
Any
other
authentication
kind
of
transforms
that
should
be
happening,
don't
happen
for
graphql
schema.
B
Okay-
let's,
let's
grab
that,
so
he
was
saying
three,
two,
two
zero
and
three
three
four
six,
four
thanks
philippe
on
the
chat
it
could
be,
he
said,
could
be
worth
checking
out.
Yep,
let's
take
a
look,
so
bearer
variables
are
not
recognized
during
schema,
fetch.
B
B
B
B
B
I've
used
it
a
couple
times,
but
only
as
like
a
part
of
something
you
know
it's
never
like
I've,
never
like
made
a
graphql
server
and
I've
never
had
a
use.
I
think
I
just
do
simpler
things
than
what
I
don't
have
like.
55
servers
that
I
need
to
like
cobble
together
to
get
a
certain
thing
I
just
have
one.
Usually
it
doesn't
provide
me
a
lot
of
value
personally.
B
B
All
right:
well,
you
can
dip
in
and
dip
out
right
on.
You
know
that
stalin
so
like
what
is
what
is
the
makeup
of
your
team
in
terms
of
insomnia
users?
Do
people
do
other
people,
you
work
with
use,
insomnia.
A
A
It's
I
think
it's
free
for
personal
use,
anyway,
company
we
do
use
swagger,
usually
usually
so
that
handles
most
of
the
things.
B
I
was
gonna,
say
jack.
If
you
go
to
the
settings
thing
and
you
click
video,
can
you
make
sure
that
it
says
video
resolution
1080p?
Because
I
think
it's
it
flipped
you
into
480,
because
it's
hard
to
read
the
text
yeah
it
does
that
by
default.
Sometimes-
and
if
that
is
the
case,
I
think
you
just
have
to
refresh
the
page
and
it
should
be.
C
B
B
I
think
it's
better
yeah,
it's
better
anyway.
Sorry,
stalin,
so
I
was
I
was
gonna.
Ask
like.
I
don't
know
how
postman's
pricing
works.
I
have
no
idea,
I
don't
know
if
you
have
to
pay
for
those
sharing
stuff,
but
yeah
that's
cool.
I
mean
spread
the
word.
It's
always
good.
I
like
postman,
you
know
I
like
we,
I
don't
think
there's
any
kind
of
like
ill
will
towards
any
of
the
other
people
in
the
space.
It's
a
small
enough
space.
B
We
can
all
be
friends,
we're
just
trying
to
make
great
products.
I
don't
think
that
has
to
be
something
we
fight
about.
So
it's
cool.
B
A
That's
what
I
loved
about
insomnia,
so
it's
just
simple
and
things
are
where
there
it
has
to
be
so
it
feels
like
postman
is
too
much
complicated
and
too
much
memory
intensive
compared
to
insomnia.
I
think,
even
though
it's
using
electron
and
sometimes
it's
a
bit
small,
I
mean
it
takes
few
time
to
load,
but
I
think
it's
cleaner.
B
Yeah
cool
all
right:
well,
here
we
go.
Oh
man,
I
can't
even
open.
B
I
don't
know.
How
am
I
supposed
to
get
any
work
done
today
if
I
can't
open
vs
code
but
anywho?
So
where
is
the
place
where
the
the
bug
icon
is
supposed
to
pull
up
a
timeline?
Do
you
know
what
I
mean.
C
I
don't
think
we
have
to
the
oauth2
thing
is,
I
think,
more
complicated?
We
can
try
to
see
if
we
can
get
it
to
work
with
hawke
and
the
way
that
we
can
do
it
is
to
assert
whether
or
not
the
header
was
added,
because
when
we
add
a
header
here
for
authorization,
it
will
prioritize
that
one.
But
this
one
is
also
supposed
to
generate
one,
and
I
think
also
actually
basic
is
easier.
Let's
do
this.
C
B
B
A
A
B
Okay
file,
watcher
okay,
I'm
gonna
have
a
have
a
date
with
david
one
of
the
members
on
the
team
here
to
help
me
get
this.
So
I
I'm
on
linux
and
too
many
open
files
to
even
open
vs
code.
B
Know
it's
it's
not
it's
not
just
a
you
limit
thing.
It's
you
limit
open
files
is
set
yeah,
but
if
I
set
to
n
what
is
it
like?
B
B
Nope
still
nothing,
I
can
do
that
yeah,
it's
it's
there's
like
four
other
cis
ctl
things
you
have
to
do
and.
A
B
Okay,
sorry,
sorry,
that's
happening,
it's
been
happening,
but
it's
never
prevented
me
from
opening
vs
code.
I
usually
just
have
to
close
a
couple
things
but
anyway,
so
this
is
the.
This
is
the
pr
that's
cool
that
we
can
like
switch
between
like
our
things
here.
So
this
is
the
pr
normalize
request
id.
B
B
I
make
a
request
that
starts
with
that,
that
that
has
that
has
this
going
on
it
will
make
a
different
it'll
hit
a
different
code
path.
B
C
I
think
I
know
what
you
mean,
there's
like.
B
B
B
So
we
create
a
graphql
request.
It
creates
a
challenge
yeah,
so
we
would
be
looking
around
here
for
some
like
dot
graphql
thing,
but
I
don't
have
a
way
to
search
the
code
base,
but
we
can
do
maybe
we
can
switch
to
jack
in
a
second,
but
I
think
that's
probably
what
it
is.
Is
it's
pointing?
B
B
So
let's
look
at
issue.
835.
B
B
okay,
so
this
has
been
a
bug
for
a
while,
but
yeah
that
seems
like
it's.
Where
were
we
here?
B
B
Yeah,
like
always,
we
want
to
get
the
original
request.
So
if
we
were
handed
a
request
that
has
the
graphql
thing
appended
at
the
end,
then
we
want
to
get
the
the
parent.
I
don't
know
why
we
wouldn't
just
get
the
parent
id
so
like.
Why
there's?
No,
I
guess
a
request
can't
have
another
request
as
a
parent
and
maybe
that's
why
this
child-
it's
not
actually
a
child,
then
if
it
doesn't
have
a
parent
id.
That
is
a
request.
Otherwise
we
could
just
use
the
parent
id.
B
Otherwise
this
code
would
say:
if
it's,
if
it
matches
this
criteria,
then
do
request.
I
request
dot
parent
id,
not
request
id.
You
see
what
I'm
saying
so
like
this
could
be
a
rendered
request.
See
I
don't
know
what
that
is.
But
can
you
pull
this?
Well,
let's
try
to
see
so
like
the
okay,
let
me
so.
I'm
gonna
switch
back
to
you
jack,
so
you're
up.
C
B
C
C
C
So
we're
taking
the
raw
request,
which
I
would
imagine
in
this
case
it's
written
more
api
dot
com,
slash
graphql,
the
this
is
the
request,
that's
going
to
get
sent
and
then
we're
copying
it
updating
its
id
to
have
a
dark
graphql
on
the
end,
altering
the
timeline
data
size
for
some
reason,
setting
a
parent
id
to
the
raw
request
setting
it
to
private.
I
didn't
know
that
was
a
thing,
but
apparently
it
is.
C
The
body
is
new
body,
raw,
pretty
cool
name
right,
so
one
something
we
can
try
to
do
to
unpick
this
would
be,
rather
than
to
like
create
a
hack
for
this
quirky
implementation.
We
could
just
have
it
like
find
the
parent
id.
Oh,
it
does.
B
B
The
real
question
is:
what
is
calling?
What
is
it,
what
is
it
get
get
by
parent
id?
So
what
calls
is
what
calls
get
by
parent
id.
C
B
C
You
might
benefit
from
deleting
if
you've
been
working
on
some
projects
recently,
if
you
delete
the
no
modules
folder
in
this
project,
you
you
play
some
of
those
handlers.
Maybe
I
might
be,
I
might
be
talking.
B
B
Okay,
so
go
to
get
toke,
get
dash
token
dot
ts.
I
I
can
just
show
my
screen.
Actually
it's
working
go
ahead
so
like
okay,
so
get
token
dash
ts.
So
here
what's
happening
is
it
is
being
passed,
it
says,
get
by
parent
id
and
it's
passing
in
the
request
id,
but
the
request
id
is
not
what
we
actually
want.
B
B
B
Wow
we're
getting
some
one.
Second,
we
got
some
abusive,
chats,
okay,
they're
gone
now
so
get
access
token.
Okay.
So
all
of
these
get
access
token
things
are
passing
the
wrong
stuff.
B
Man
look
how
look,
how
eerily
simp
copy
pasta
all
these
code
paths.
Are
you
see
what
I
mean
like?
Let's
go
a
step
up
above
these
so
like
what
calls
what's
calling
this.
B
B
What
is
use
active
request,
use
active
request,
would
work,
but
does
this
flow
this
okay?
So
I
think
I
see
what
the
problem
is.
This
flow
occurs
whether
or
not
you
are
a
okay.
I
see
what's
happening.
This
flow
occurs
whether
or
not
you're
in
you're
in
graphql
mode,
which
means
that,
although
this
will
now
work
for
graphql,
it
will
then
fail
for
regu
regular
requests,
because
the
parent
id
of
a
regular
request
is
a
workspace.
C
B
This
this
this
will
we
just
I
mean
I'm
saying
we
introduced
a
bug.
You
know
like
just
now
where,
where
was
I
get
token,
what
we
could
check
yeah
so
james
said
we
could
check.
If
it's
a
graphql
request,
we
we
could
check
if
it's
a
graphql
request.
Yeah
I
mean.
B
Is
that
better,
though,
here
so
what
we
could
do
in
set
instead
so
dot
graph?
What
was
it
plus.
C
B
Could
do
this,
we
could
say
like
we
could
do
this.
C
B
B
C
Convinced
that
this
is
a
I'm,
not
convinced
that
this
needs
to
use
our
request
stack
fetching,
the
the
thing
all
it
needs
to
know
is
the
url
to
get
it
from
and
the
key
the
token
the
eventual
token
it
doesn't
need
to
use
the
entire
pipeline.
It
shouldn't
need
to
create
an
nadb
state
object
for
this
right.
There's
no
need
to
store
this
in
the
database.
Why?
Why
do
we
store?
This
is
purely
an
introspection.
Query
request.
We
don't
care
about
the
timeline
for
it.
We
shouldn't
care
about
the
time.
C
B
B
B
I
doubt
I'm
gonna
be
able
to
start
here.
Let's
try.
C
Shoot
we
could
have,
we
can
go
and
get
the
the
code
anytime.
We
like
with
the
get
access.
Token
thing:
you
can
call
it
from
anywhere.
I
mean
it's
messy,
but
it
it
gets
you
the
token
it
needs
the
request
id.
We
have
the
request
id.
C
When
we
make
an
introspection
request,
we
don't
need
to
call
network.send,
we
could
call
axios
request
or
fetch
or
any
other
node.js
library.
We
just
need
the
access
token
to
make
the
request
so,
provided
we
call
those
things
in
line
rather,
what's
I
think
what's
going
wrong
now?
Is
we're
calling
network.send
and
we're
working
around
hacks
to
make
that
black
box
operate
with
a
bunch
of
crazy
recursive
codepath
stuff?
That
doesn't
make
sense
it's
hard
to
reason
about,
so
I
think
it
makes
sense
to
make
the
introspection
just
a
axios
request.
B
B
Here
response:
debug
modal:
is
there
a
thing
to
show
show
body
we
want
to
do
show
body.
B
B
Okay,
I
don't
know,
but
that's
a
little,
that's
a
little
curious
that
it
doesn't.
It
doesn't
show
up.
I
mean
we
don't
have
an
example
one
way
or
the
other
we're
not
going
to
be
able
to
test
this,
because
we
don't
have
an
example
of
an
oauth
2.
C
C
Yeah,
whatever
we
do,
there's
a
code
path
for
like
authentication,
headers,
get
authentication,
headers
or
something
that
goes
through
all
of
them
and
tries
to
you
know,
translate
them
into
the
authorization
token.
We
we
just
need
to
call
that
before
we
send
the
the
actual,
whatever
request
make
sure
we
get
that
thing.
B
But
then,
if
we
do
it
with
axios,
I
don't
I'm
very
weary
of
that
because
like
if
we
have
like
anything
that
like,
if
somebody
has
a
proxy
enabled
is
that
is
that
gonna
work.
C
It
does
yeah,
we
use
it
for
get
git.
Sync,
it's
hooked
up
to
validate
search.
It's
hooked
up
to
all
our
settings.
C
The
only
thing
we
don't
use
it
for
right
now
is
team
sync,
but
we
use
it
for
all
of
our
other,
like
remote,
fetching
outside
of
the
main
code
paths,
the
like
happy
path
of
debugging
people's
endpoints,
so
I
think
it
makes
sense
because
it
fits
the
it
fits
the
like
request,
architecture
we
have
in
the
rest
of
the
app.
C
It
doesn't
really
make
a
huge
difference
if
we
use
fetch
or
we
use
axios
request,
they
kind
of
behave
the
same
except
one
of
them
is
configurable
axios
request.
We
can
configure
ssl
certs
on
and
off
which
we
probably
don't
want.
In
this
case,
I'm
not
sure.
Maybe
we
do
like
some
people
want
to
be
able
to
use
locally
signed
ssl
for
their
git
server
right.
So
we
support
that
now.
Maybe
they
want
locally
signed
search
for
that
graphql
server
too.
So
maybe
we
should
support
that,
so
it
does
make
sense.
C
In
that
case,
the
the
best
argument,
I
think
for
it,
is
that
we,
it
doesn't
serve
us
preserving
data
about
the
introspection
query.
It
does
no
benefit
to
our
user,
we
don't
surface
it
in
any
way.
We
don't
operate
on
it,
we
don't
transform
it
all.
A
C
B
C
C
Oauth2
is
like
two-phase,
you
get
your
key,
and
then
you
make
your
request
with
your
key.
That's
exactly
how
they
work
too
right.
C
It
should
go
in
line
on
the
timeline
where
you
make
your
request.
If
we're.
C
B
Me
know
it's
like,
so
it's
like
one,
so
it's
like
first
request
timeline.
The
timeline
includes
it.
It
includes
the
oauth,
then
it
recruits
requests.
B
Right,
whereas
with
this
ux,
when
it's
not
working
right
now,
because
I
don't-
I
don't,
have
it
set
up
against
anything,
I
could
do
that.
I
suppose
yeah
like.
Let
me
let
me
see
if
we
can.
Let
me
see
how
far
we
get
with
this.
So,
let's
look:
how
do
I
do
it
because
we're
gonna
run
out
of
time
anyway?
We
might
as
well
do
something
educational
for
me
or
everyone.
B
How
do
I
do
the
oauth
stuff?
I
just
do
server.
C
Npm
runs
serve
inside
this
folder
or
add
dash
dash
prefix.
Okay,
actually,
that's
better!
If
you
do
the
prefix
yeah
yeah
mpm,.
B
Yeah
insomnia
smoke
test
and
then
we
do
serve.
C
Yeah,
oh
no!
No
just
oh,
I
didn't
mean
to
type
vr
they're,
just.
B
Good
and
then
here
we
have
oh
auth,
just
copy
paste
that
create
from
clipboard
oauth
testing,
client
creds.
Yes,
it's
beautiful.
B
So
the
point
is:
is
that
here
in
this
timeline,
we
see
the
actual
request
that
I
made
right.
But
here
we
see
the
handshake
request.
But
if
I
send
this
again,
I
can
still
see
the
handshake
request,
but
in
what
you're
suggesting
it
would
not
be
here,
the
second
time,
because
it
in
fact
did
not
send
it
a
second
time.
B
C
I
I
hear
you:
there
are
ux
advantages
to
the
way
it's
presented
today,
but
architecturally
speaking,
this
is
like
a
nightmare
to
work
with,
because
it
doesn't
follow
a
simple
state
transition
it.
It
doesn't
do
one
thing
then
another
than
another:
it
parallelizes
something
it
doesn't
have
to
be
paralyzed.
So
when
I
was
looking
at
when
I
was
looking
at
finding
ways
to
decouple
these
flows
from
the
app
to
main
logic,
this
was
an
exceptional
pain
point
because
it
because
of
how
this
like
recursive
recursion
works.
C
B
B
B
B
C
It
creates
like
second
order
problems,
because
we
because
we're
creating
a
second
timeline,
then
we
all
of
the
like
plug-ins
and
meta
requests
now
have
to
be
applied
to
both
and
reasoning
about
which
ones
should
be.
Where
becomes
like
more
complicated
than
it
need
be.
B
Sorry
one
second
there's
a
wow.
We
are
getting
like
a
lot
of
spam
on
re
on
youtube
and
stuff.
B
Okay,
cool
yeah,
so
yeah,
ultimately,
like
I
hear
what
you're
saying,
maybe
we
can
find
a
way
to
make
it
feel
but
like
it
is
a
bit
arbitrary
that
it's
here
just
a
bit,
though,
because
it's
showing
like
this
is
like,
I
think
the
dotted
line
here
is
trying
to
show
you
like.
This
is
cast
cached
information.
You
can
click
refresh
to
like.
B
What's
the
word
invalidate
the
cache
but
ultimately,
like
you
know,
there's
no
real
good
way
to
know
which
otherwise,
which
so
like
okay.
Actually
I
just
I
just
showed
a
problem.
So
here's
a
problem
ready,
here's
a
request,
here's
a
response
timeline
that
does
not
match
the
request,
because
since
then
I
clicked
response
refresh
token.
B
That's
good,
actually,
I'm
that
was
like
an
accident
that
I
was
doing
that,
but
it
is.
It
is
kind
of
your
point
that,
like
you
want
to
see
with
this
timeline,
you
want
to
see
the
response
like
we
need
to
put
like
literally,
we
could
put
all
of
this
stuff
over
here.
C
If
it
happened
here
and
if
it
didn't
happen
or
it
or
it
went
and
fetched
something
from
state,
then
it
could
explicitly
say
that
it
did
that
here
in
the
timeline
that
we
have
complete
control
over
this.
B
That's
cool
all
right.
Well,
I
mean
that's
good,
that's
really
good
feedback.
Then
we
didn't
really
solve
anything
today,
but
well.
C
No,
I
think
we
got
to
the
bottom
of
how
better
to
address
the
graphql
parent,
we're
still
probably
going
to
need
to
figure
out
the
right
way
to
check
that
it's
a
graphql
request,
but
it,
but
it
also
stands
at
a
deeper
issue
which
is
we're
creating
private
entities,
because
our
request
stack
needs
them.
But
why
do
we
need
our
request
act?
C
Your
response
timeline
examples
will
be
identical
between
the
one
that
you
make
the
request
to
and
the
one
you're
into
respect
that
because
they
are
going
through
the
same
gateway
at
the
same
end.
Point
right
at
the
same
path,
so
they'd
be
identical,
so
problems
with
one
move
because
of
the
other.
B
They're
sent
at
different
times,
so
it's
not
necessarily
true
like
if
you
sent
one.
If
you
updated
your
your
schema
and
then
your
token
expired.
B
B
I'm
having
a
lot
of
drop
down
tool,
tip
problems
today,
but
yeah
I
mean,
I
think,
that's
it's
a
quite
it's
a
it's
a
bit
of
a
quagmire.
Isn't
it
like
where
to
I
see
what
you
mean,
though
I
mean
I
do
worry
a
lot
about
using
like
again.
The
coors
problem
is
a
big
problem,
but
like
using
fetch.
B
B
Thank
you.
Thank
you
for
for
attending
stalin.
It
was,
it
was
cool
to
have
you
on.
Please
come
back,
and
you
know
to
anybody
who
was
to
the
the
multiple
people
or
bots
that
were
spamming,
the
the
chat
it
says,
yep
naked
naked,
something
dot
x,
y
z,
love
to
cheap.
B
I
can't
say
that
word,
but
it
starts
with
f,
then
we're
in
then
we're
we're
those
expensive
ones
that
are
the
problem.
You
know
like
the
cheap
thing,
okay,
well
anyway,
thanks
again
for
coming
everyone
and
we'll
see
you
next
week,
bye.