Subscription Authorization cannot be retrieved from payload (payload is empty)

[outsidebedisdoor]

What happened?

This is my handler setting below:
h := handler.GraphQL(Application.NewExecutableSchema(Application.Config{Resolvers: &Application.Resolver{}}),handler.WebsocketUpgrader(websocket.Upgrader{CheckOrigin: func(r *http.Request) bool {return true}}))

s.Router.OPTIONS("/graphql", myCORSMiddleWare(func(c *gin.Context) {}))

s.Router.GET("/graphql", myCORSMiddleWare(myBearerAuthMiddleWare(graphqlHandler(h))))

s.Router.POST("/graphql", myCORSMiddleWare(myBearerAuthMiddleWare(graphqlHandler(h))))`

Inside of my myBearerAuthMiddleWare, I am checking the context of gin and using GetInitPayload function to get the payload of Websocket request. However, the payload is empty.

payload = handler.GetInitPayload(myContext)

What did you expect?

I expect that the payload is not empty and with payload.Authorization() I can get the bearer token passed by from the client side.

Minimal graphql.schema and models to reproduce

versions

• gqlgen version? 0.8.3
• go version? go1.12 darwin/amd64
• dep or go modules? dep v0.5.1

[JulienBreux]

Hi @outsidebedisdoor,

You must also pass your auth in the WS payload. e.g. with Apollo WS-Link auth.

• https://github.com/apollographql/apollo-link/blob/master/packages/apollo-link-ws/src/webSocketLink.ts#L18

   wsLink = new WebSocketLink({
      uri: "ws://...",
      options: {
        connectionParams: () => {
          const auth = {"Authorization": "Bearer ..."}
          return auth.headers
        },
        reconnect: true
      }
    })

I hope that helps you!

[outsidebedisdoor]

@JulienBreux Yep I have done the exact same thing for my client side. And I still cannot get anything there.

[mtourne]

I believe I have found a way to make this work :

I used the fourth option of subscription-transport-ws SubscriptionClient (it's a straight pass through from WebSocketLink in the example above)

that undocumented option lets me tweak the Sec-Websocket-Protocol header, which is really the only header I can set. as described by this answer : https://stackoverflow.com/a/35108078/118755

the code looks like this :

        const authHeader = getAuthHeader();

        const subscriptionClient = new SubscriptionClient(
            url.replace("http", "ws"),
            {
                reconnect: true,
                connectionParams: () => {
                    console.log("calling connection params callback");
                    return {
                        foo: "BAR",
                    }
                }
            },
            null,
            [ "graphql-ws", authHeader["authorization"].replace(/ /g, "+") ]);

        wsLink = new WebSocketLink(subscriptionClient);

I had to replace the spaces by "+" in the token otherwise I would get errors.

All I have to do on the Go server side is remove the "graphql-ws, " first found in the header and break the auth header with "+" instead of spaces but everything else is the same as checking my Authorization header. The "graphql-ws" will be returned by the ws upgrader which is the preferred protocol that we've indicated.

I believe the alternative (probably less hacky!) is to create a new endpoint in your Go mux router specifically for websockets and perform the Auth not at the header levels but in the first packet at the application level. The connectionParams will get sent once the connection is established, but you need to upgrade the connection and return a 200 first.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.