auth on a per topic basis

[fierysolid]

I currently authenticate the client in the context function before creating the graphql context for the connection.

  const serverCleanup = useServer(
    {
      schema,
      context: async (ctx, msg) => {
        if (ctx.connectionParams.authToken) {
          const me = getMe(ctx.connectionParams.authToken);
          return {
            me,
          };
        }
        throw new Error("Missing auth token!");
      },
    },
    wsServer
  );

Once the user is connected, they can subscribe to specific chats within our app that they may or may not have access to. We currently check if a user should receive a message as we iterate through the active subscriptions in the subscribe function of the subscription resolver.

  Subscription: {
    messageCreated: {
      subscribe: withFilter(
        () => pubsub.asyncIterator(EVENTS.MESSAGE.CREATED),
        async (msg, { chatId }, { me }) => {
          const hasAccess = getChatUser(me.id, msg.chatId);
          return chatId === msg.chatId && hasAccess;
        }
      ),
    },
  },

I would like to instead move the authentication logic to onSubscribe function so that only users with access can subscribe and we only have to check their access once when they subscribe to a topic. I worry that once we deny a connection, I'm not sure how to make the apollo hook useSubscription try to reconnect once they have gained access one way or another.

I'd like to pose the question to the community and contributors:

How would you recommend implementing authentication per user per chat?

[enisdenjo]

You can indeed use the onSubscribe server hook. To deny a subscription, you can just return an error from it and handle the error however you please on the client.

async function onSubscribe(ctx, msg) {
  const can = await checkCanSubscribe(ctx, msg);
  if (!can) {
    // user doesnt have access, return error for this exact subscription
    return [new GraphQLError('Forbidden')];
  }

  // user has access, return nothing to proceed with the regular flow
}

[fierysolid]

Got it, so this works exactly as I expected. It seems I need to do some research into how to get Apollo useSubscription to retry the subscription once the user gains access to a chat.

[enisdenjo]

Cool, glad it works! Since you know exactly what the error would be if the client doesn't have access, I guess you can make a queue of denied subscriptions and just flush it once access changes.