@Authorized in subscriptions #175
Comments
I would like to suggest a workaround for refusing connections in resolvers @19majkel94:

```ts
const subscriptionServer = new SubscriptionServer({
  schema,
  execute,
  subscribe,
  onConnect(connectionParams) {
    // ... do authorization
    return { authorized: false }; // or true
  }
```

... next off, when declaring your topic in the subscription you can access the `.authorized` field:

```ts
@Subscription({
  topics: ({ args, context, payload }) => {
    if (!context.authorized) {
      // this gives the user an error response and cancels the subscription
      throw new AuthenticationError(`Unauthorized user cannot receive info from this socket`);
    }
    return SOME_TOPIC;
  }
})
accountBalanceChangeTopic(
  //...
}
```

Throwing an error inside topics (or filters) results in the socket connection being closed (and sends a desired error to the user).
Just wondering if I could get some information about whether this is still an issue and if so where it is in the pipeline?

It's related to #200 and will be handled in the 1.0.0 milestone.

Right now, `@Authorized` in subscriptions causes the authorization checker to be called only when pubsub emits a new event in the selected topic (when the subscription method body is called). But it should be called only during the `subscribe` phase to reject unauthorized clients.

This would require some changes in creating the middleware stack that is applied only for resolvers. For now I will handle that case manually without exposing a different kind of middleware.
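
The two checker timings described in this issue, as an added TypeScript example that is not TypeGraphQL code or code from the thread. It models a pubsub with hypothetical names (`TinyPubSub`, `subscribeCheckedOnEmit`, `subscribeCheckedOnSubscribe`, `demo`) and constructed events, and reports how often the check runs and whether an unauthorized client ends up registered as a listener.

```typescript
// Simplified model of the issue, not TypeGraphQL internals; all names are hypothetical.
type Context = { authorized: boolean };
type Handler = (payload: string) => void;
type Stats = { checks: number; delivered: string[] };

class TinyPubSub {
  private listeners = new Map<string, Set<Handler>>();
  subscribe(topic: string, handler: Handler): void {
    const set = this.listeners.get(topic) ?? new Set<Handler>();
    set.add(handler);
    this.listeners.set(topic, set);
  }
  publish(topic: string, payload: string): void {
    this.listeners.get(topic)?.forEach((h) => h(payload));
  }
  listenerCount(topic: string): number {
    return this.listeners.get(topic)?.size ?? 0;
  }
}

// Reported behaviour: the checker runs per emitted event, so an
// unauthorized client is registered and keeps its subscription open.
function subscribeCheckedOnEmit(ps: TinyPubSub, topic: string, ctx: Context, s: Stats): void {
  ps.subscribe(topic, (payload) => {
    s.checks++;
    if (ctx.authorized) s.delivered.push(payload);
  });
}

// Requested behaviour: the checker runs once in the subscribe phase and
// an unauthorized client never becomes a listener.
function subscribeCheckedOnSubscribe(ps: TinyPubSub, topic: string, ctx: Context, s: Stats): void {
  s.checks++;
  if (!ctx.authorized) throw new Error("Unauthorized");
  ps.subscribe(topic, (payload) => { s.delivered.push(payload); });
}

function demo(mode: "emit" | "subscribe", authorized: boolean) {
  const ps = new TinyPubSub();
  const s: Stats = { checks: 0, delivered: [] };
  const attach = mode === "emit" ? subscribeCheckedOnEmit : subscribeCheckedOnSubscribe;
  let rejected = false;
  try { attach(ps, "BALANCE", { authorized }, s); } catch { rejected = true; }
  const listeners = ps.listenerCount("BALANCE"); // state before any event fires
  ["e1", "e2", "e3"].forEach((e) => ps.publish("BALANCE", e)); // constructed events
  return { rejected, listeners, checks: s.checks, delivered: s.delivered.length };
}

console.log(demo("emit", false), demo("subscribe", false));
```

In the emit-time model the unauthorized client receives nothing but still occupies a listener slot and triggers one check per event; in the subscribe-time model it is rejected before any event is published.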