-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[websocket] Add a config to reject initial connection #750
Conversation
…ebsocket init requests
@@ -12,7 +12,7 @@ import ( | |||
|
|||
"github.com/99designs/gqlgen/graphql" | |||
"github.com/gorilla/websocket" | |||
"github.com/hashicorp/golang-lru" | |||
lru "github.com/hashicorp/golang-lru" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🤔
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My IDE linter does this automatically 😬
@@ -30,6 +30,8 @@ type params struct { | |||
Variables map[string]interface{} `json:"variables"` | |||
} | |||
|
|||
type websocketInitFunc func(ctx context.Context, initPayload InitPayload) error |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated the interface to return error
instead of bool
@@ -94,6 +94,14 @@ func (c *wsConnection) init() bool { | |||
} | |||
} | |||
|
|||
if c.cfg.websocketInitFunc != nil { | |||
if err := c.cfg.websocketInitFunc(c.ctx, c.initPayload); err != nil { | |||
c.sendConnectionError(err.Error()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The server now has the option to return an error. The error body is then sent to the client
…heck [websocket] Add a config to reject initial connection
Problem
Currently, we are allowing clients to always connect to the server unless the message is invalid. Current implementation here
This is not safe as a malicious user can connect to the WebSocket and perform queries/mutations. An example of such message:
We would have to check in every query/mutation/subscription to make sure that a user can perform such action (related PR: #348).
Proposal
This PR adds a new function to handler config called
websocketOnInitFunc
. This can be used by the server to check the init payload to decide whether to establish the connection or reject it. If this function is not given, the connection is always established.Example workflow
This is an example workflow, different apps may have different approaches:
4a. If they are the same, create the connection
4b. If they are not the same, close the connection and send back a
invalid init payload
messageAccepted connection:
Rejected connection:
I have: