Describe the bug

The documentation for authorizing subscriptions says the authorized? method "may return false or raise a GraphQL::ExecutionError to halt execution". However, while returning false does ensure the payload is nil, the subscription is still registered via write_subscription. Every subsequent trigger to the topic will send these unauthorized subscriptions an empty payload. No data leaks, but unauthorized subscribers still know something happened.

Additionally, the Authorization docs state this behavior can be customized by implementing Schema.unauthorized_object, however that doesn't get called for subscriptions. (Perhaps related to #2048?)
Versions

graphql: 1.12.5
graphql-pro: 1.17.8
rails: 5.2
GraphQL schema

Example:

```ruby
require "graphql" # ActionCable is assumed to be loaded by the Rails app

class UpdateType < GraphQL::Schema::Object
  field :message, String, null: true
end

class Updates < GraphQL::Schema::Subscription
  payload_type UpdateType

  # Always deny, to reproduce the unauthorized subscription path
  def authorized?(**)
    false
  end
end

class MySchema < GraphQL::Schema
  class SubscriptionType < GraphQL::Schema::Object
    field :updates, subscription: Updates, null: true
  end

  use GraphQL::Subscriptions::ActionCableSubscriptions
  subscription SubscriptionType

  def self.unauthorized_object(error)
    raise GraphQL::ExecutionError, "Unauthorized access" # <== This never gets called
  end

  def self.unauthorized_field(error)
    raise GraphQL::ExecutionError, "Unauthorized access"
  end
end
```
GraphQL query

```graphql
subscription Updates {
  updates {
    message
  }
}
```
Expected behavior

GraphQL::Schema::Subscription#authorized? should prevent the subscription from getting added to the subscriptions store (via write_subscription).

GraphQL::Schema::Resolver#resolve_with_support should call Schema.unauthorized_object instead of returning nil, as per https://graphql-ruby.org/authorization/authorization.html#handling-unauthorized-objects