
I've created an apollo-server with graphql-subscriptions, and that's all good so far. I can receive publications on the front-end. Great!

What I want to do now is only send publications to authorized users, so, some sort of logic/test needs to be done. But where and how? All the examples and things I've seen involve blindly receiving messages from a redis server, and setting it back to the client. I can test which user is logged in, but what now? Individual microservices will talk to an auth/user service and decide allowed actions based on that. No problem. But how do I stop redis broadcasts from getting to the wrong users? All apollo-server does is listen to messages from redis - not validate them.

The only thing I can really think of is have some sort of permissions object field on every broadcast, and using graphql to validate it against the auth service. Does not seem right. I want my auth done in the microservices. Anything pointing me in the right direction would be amazing.

antirealm
  • Not sure if it helps you but this is what I do: every notification/message/event source specifies the destination user ID of the message, or null. The nodejs server (the server where all clients are connected, acting as a proxy) sends the message only to the clients authenticated with that user ID. If the user ID is `null` then the message is broadcast. When a message needs to be sent to multiple users then the message is multiplied. I use web clients (HTML/JS), a PHP backend and nodejs as Server Sent Endpoint. – Constantin Galbenu Nov 14 '17 at 06:22
  • That does help a lot! Thanks. So in my case, apollo-server is the proxy, so each microservice should do authorization checks before sending out the message? I guess that means there is a user service dependency in the proxy? – antirealm Nov 14 '17 at 13:55

1 Answer

Assuming you are also using Apollo in the client, you can send a token or any other parameter you use for authentication alongside the websocket connection. You can read more here: https://www.apollographql.com/docs/react/features/subscriptions.html#authentication

In the Apollo Server you can then authenticate the user, for example in onConnect: https://www.apollographql.com/docs/graphql-subscriptions/authentication.html

You may also bake some claims into the token which define whether a user can connect, publish or receive messages, and then pass along the token or verified user to Redis if you wish; otherwise, call your user/auth service accordingly to verify the user and then proceed.

You can additionally add verification in onOperation, parsing the subscription/message to validate, for example, a user subscribing to a channel/topic. I highly recommend that you read this as a great sample: https://medium.com/react-native-training/building-chatty-part-7-authentication-in-graphql-cd37770e5ab3

Hope that helps.