How to handle authorization in subscriptions?

[RobertoOrtis]

How Can I handle authorization in subscriptions? The current recipe is outdated. I managed to set authorization for queries and mutations. Can somebody point me into the right direction?

[razorness]

• Transmit Authorization
  • You can choose using a cookie, then it's as easy as a default middleware.
  • Otherwise you can use InitFunc of transport.Websocket and then making your check of credentials sent as transport.InitPayload (f.e. JWT/Token).
• Then you can pack that stuff into a context.Context together with a cancel func. Later, in your handler, you can verify authorization again and if not valid, exec cancel func and stop pushing non-nil values. Gqlgen will stop sending keep alive messages. So unauthorized client will disconnect by itself.

[RobertoOrtis]

I got it till the part of the InitFunc and checking the credentials of the user when starts listening to the subscription. If they are invalid, it closes the subscription.

I do not know how to access the cancelFunc though. Could you please tell how to access this function?

[razorness]

Here is a simple example:

// appContext.go
const (
	AppContextKey = "appContext"
)

type AppContext struct {
	Token          string
	UserId         string
	Cancel         context.CancelFunc
}

func ForAppContext(ctx context.Context) *AppContext {
	c, _ := ctx.Value(AppContextKey).(*AppContext)
	return c
}

// init.go
	h := handler.New(generated.NewExecutableSchema(generated.Config{Resolvers: &resolver.Resolver{}}))
	// ...
	h.AddTransport(transport.Websocket{
		Upgrader: websocket.Upgrader{
			HandshakeTimeout: time.Minute,
			CheckOrigin: func(r *http.Request) bool {
				// we are already checking for CORS
				return true
			},
			EnableCompression: true,
		},
		InitFunc: func(ctx context.Context, initPayload transport.InitPayload) (context.Context, error) {
			if token := initPayload.Authorization(); middleware.CouldBetoken(token) {
				if intro, err := oauth2.IntrospectToken(token[7:], false); err == nil && intro != nil && oauth2.IsIntrospectionValid(intro) {
					nctx, cancel := context.WithCancel(ctx)
					return context.WithValue(nctx, middleware.AppContextKey, &middleware.AppContext{
						Token:          token[7:],
						UserId:         intro.Sub,
						Cancel:         cancel,
					}), nil
				}
			}
			return ctx, errors.New("AUTHORIZATION_REQUIRED")
		},
		KeepAlivePingInterval: viper.GetDuration(config.WebsocketKeepAliveKey),
	})
	// ...

// resolvers.go
func (r *subscriptionResolver) Notification(ctx context.Context, id string) (<-chan *model.Notification, error) {
	appContext := middleware.ForAppContext(ctx)
	if !oauth2.IsValid(appContext.Token) {
		appContext.Cancel() // stop sending keep alive
		return nil, nil
	}
	// ...
}

I would love to have the ability to close the websocket entirely instead of hoping the client disconnects. In a way like this:

// resolvers.go
func (r *subscriptionResolver) Notification(ctx context.Context, id string) (<-chan *model.Notification, error) {
	appContext := middleware.ForAppContext(ctx)
	if !oauth2.IsValid(appContext.Token) {
		conn := middleware.ForWsConnection(ctx)
		conn.Close(websocket.CloseNormalClosure, "unauthorized")
		return nil, nil
	}
	// ...
}

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[JoleMile]

Hello, I also have issues getting the authentication working with subscriptions.
I'm using the following package for auth:
github.com/go-chi/jwtauth

It works great for queries and mutations as it gets the token from the request header and stores it into the context of the resolver. Unfortunately, it doesn't work for subscriptions. Does anyone know why or how to get it working using the previously mentioned package?

Thanks

[AndriyKalashnykov]

@JoleMile can you share you example at least the part how auth works with queries/mutations and hopefully subscriptions?

[razorness]

You have to check authentication on init and store all you need in returned context. Then you can access this data and recheck authentication and authorization in your subscription resolver.

#1297 (comment)

This example should be very similar when using jwt.

[JoleMile]

@razorness I see. That actually makes sense after reading a bit more about the websocket protocol. Thank you :)

[keshav-dataco]

@razorness with gin router, do you have to mount the subscription endpoint separate to query and mutation?

for example what we have is

backend.Any("/graphql", middleware.EnsureValidToken(config))

That middleware validates the token etc.. I understand for subscription same validation has to be done in InitFunc as well. Is that understanding correct?

[razorness]

This is only the case when you are using Cookies to store and transmit your authentication or you manipulate your request to contain your token inside the headers. Otherwise you have to validate authentication in the init function (ConnectionInit).
However, since websocket is a persistent connection, you have to validate the authentication again within your resolvers.
A simple middleware is not aware of a connection which could possibly last longer than a cookie/token and can contain a large number of inner messages.

The GraphQL over WebSocket Protocol defines the message type ConnectionInit, which can be used for initial authentication on connect.

See:
https://github.com/enisdenjo/graphql-ws/blob/master/PROTOCOL.md#successful-connection-initialisation

If you are using subscriptions, you should revalidate authentication on every single message before pushing into the channel.

So, there are 3 positions to validate authentication:

• On connect: cookie or connection init
• On accessing resolvers
• On pushing into subscription channels

[keshav-dataco]

what if we mount subscriptions on a separate endpoint

backend.Any("/subscription")

We then validate the token in InitFunc like your example and every time the resolver is called. Is that right?

Clients can then send requests to ws://localhost:8080/subscriptions