JWT auth + refresh token issue #68

Closed
akaNightmare opened this issue May 28, 2017 · 4 comments
@akaNightmare

I use JWT auth for authentication and have no problems with Apollo Client authentication because of http://dev.apollodata.com/core/network.html#networkInterfaceMiddleware, even when the token refreshes, but I have an issue with GraphQL subscriptions authentication. According to https://github.com/apollographql/graphql-subscriptions/blob/master/.designs/authorization.md and https://github.com/apollographql/tools-docs/blob/master/tools/graphql-subscriptions/authentication.md, the token is set only once (`connectionParams: {token: 'some string'}` and `lazy: true`) on initialisation of `SubscriptionClient`, and it works fine, but not when the token refreshes.

Technologies/libs which I use in my project:

  • vue
  • vue-auth
  • vue-apollo
  • expressjs
  • graphql-subscriptions
  • subscriptions-transport-ws
  • graphql
@dotansimha
Contributor

@akaNightmare
I think this issue is more related to the subscriptions-transport-ws package.
Since version 0.7.0 of the transport, you can specify `onOperation` and add custom logic to verify your token, then return a new context when each operation is executed.
You can see an example of this in the GitHunt server example: https://github.com/apollographql/GitHunt-API/blob/master/api/server.js#L160

@DxCx

DxCx commented Jun 1, 2017

@dotansimha WebSocket is not like HTTP.
HTTP needs to reconstruct the session on every request, but on WebSocket
the context can be constructed once in the connect phase and then you can keep the session;
`onOperation` should just attach this session.

@dotansimha
Contributor

@DxCx I know, and we had a discussion about it a few months ago.
It's hard to maintain authentication with refresh tokens when using a WebSocket connection, because validating the token during the construction of the connection is sometimes not enough, and validating it on every message is probably too heavy.

In the ws transport we have both `onConnect` and `onOperation`, and I think that each application should choose the best flow and solution for itself.
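
One way to combine the two hooks discussed in this thread, as an added example (not code from the thread or from the subscriptions-transport-ws project): `onConnect` does the full JWT verification once per socket, and `onOperation` only compares the stored `exp` claim against the clock. It assumes the object returned from `onConnect` is available as `params.context` in `onOperation`; the secret, the helper names and the trailing `nowSec` parameter are constructed for the demo.

```javascript
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // constructed value, not from the thread
const b64url = (s) => Buffer.from(s).toString('base64url');
const now = () => Math.floor(Date.now() / 1000);
const hmac = (data, secret) =>
  crypto.createHmac('sha256', secret).update(data).digest('base64url');

// Demo helper (hypothetical): issue an HS256 JWT so the example runs offline.
function signToken(claims, secret = SECRET) {
  const data = `${b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  return `${data}.${hmac(data, secret)}`;
}

// Full check: pinned algorithm, constant-time signature compare, exp in the future.
function verifyToken(token, nowSec, secret = SECRET) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, 'base64url').toString());
  if (header.alg !== 'HS256') throw new Error('unexpected alg');
  const expected = Buffer.from(hmac(`${head}.${body}`, secret));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('token expired');
  return claims;
}

// onConnect: once per socket. Throwing rejects the connection; the returned
// object becomes the session context. nowSec is a test hook added here.
function onConnect(connectionParams, _webSocket, _context, nowSec = now()) {
  const claims = verifyToken(connectionParams && connectionParams.token, nowSec);
  return { user: claims.sub, exp: claims.exp };
}

// onOperation: once per started operation. No signature work, only an expiry
// comparison against the session built in onConnect; must return params.
function onOperation(_message, params, _webSocket, nowSec = now()) {
  const ctx = params.context || {};
  if (typeof ctx.exp !== 'number' || ctx.exp <= nowSec) {
    throw new Error('token expired, reconnect with a fresh token');
  }
  return params;
}
```

With this flow a client that refreshes its JWT has to open a new connection with the new token in `connectionParams`. The expiry check runs only when an operation is started.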

@grantwwu
Contributor

If you're still having problems with this, please reply below... not quite sure if this is the right place for this.
