Is it possible to Add/Delete User by API?

[Zhen-Bo]

I am currently deploying Photoview on my Synology NAS using Docker Compose.

version: "3"

services:
  db:
    image: mariadb:10.5
    restart: unless-stopped
    environment:
      - MYSQL_DATABASE=photoview
      - MYSQL_USER=photoview
      - MYSQL_PASSWORD=paver001958
      - MYSQL_RANDOM_ROOT_PASSWORD=1
    volumes:
      - ./db:/var/lib/mysql

  photoview:
    image: viktorstrate/photoview:2
    restart: unless-stopped
    ports:
      - "8888:80"
    depends_on:
      - db
    environment:
      - PHOTOVIEW_DATABASE_DRIVER=mysql
      - PHOTOVIEW_MYSQL_URL=photoview:paver001958@tcp(db)/photoview
      - PHOTOVIEW_LISTEN_IP=photoview
      - PHOTOVIEW_LISTEN_PORT=80
      - PHOTOVIEW_MEDIA_CACHE=/app/cache
    volumes:
      - ./cache:/app/cache
      - /volume1/photoserver/photobook:/photos:ro

As I have a requirement to add multiple users recently, I am considering using the API method instead of manual addition.
However, I have noticed that the documentation does not provide any guidance on how to utilize the API.
I attempted to add a new user through resending the original API behavior, but it was blocked.
request: /api/graphql

{
   "operationName":"createUser",
   "variables":{
      "username":"test1",
      "admin":false
   },
   "query":"mutation createUser($username: String!, $admin: Boolean!) {\n  createUser(username: $username, admin: $admin) {\n    id\n    username\n    admin\n    __typename\n  }\n}\n"
}

response:

{
  "errors": [
    {
      "message": "user must be admin",
      "path": [
        "createUser"
      ]
    }
  ],
  "data": null
}

Is there anyway to utilizing the API within my deployed environment?
And, how does one authenticate when utilizing the API?

[MacroPolo]

To use the Web API, you need to provide an auth-token in your HTTP request. Here's an example Python function which takes a JSON body to POST to the graphql endpoint.

def photoview_api_call(body):
    url = "http://127.0.0.1/api/graphql"
    
    headers = {
        "Content-Type": "application/json",
        "Cookie": "auth-token=AAAABBBBCCCC"
    }

    response = requests.post(url, headers=headers, data=body)
    #print(f"API Request: {response.request.body})

    return response

You can get an auth-token by checking what is sent by your web browser however those tokens will expire after a few weeks. For a more permanent solution, edit one of the entries in the access_tokens MySQL table and set the expire field to far in the future.

Here's an example body to send to the function, which creates a new user:

body = json.dumps({
    "operationName":"createUser",
    "variables":{"username":username, "admin":False},
    "query":"mutation createUser($username: String!, $admin: Boolean!) {\n  createUser(username: $username, admin: $admin) {\n    id\n    username\n    admin\n    __typename\n  }\n}\n"
})