Authentication of Websocket connection #1732
Comments
Hi @Zaixu
Hi @PascalSenn
@Zaixu I think we would need to intercept every single message to achieve this. (Especially in the second case 😄 ) I am not even sure if such an interceptor even exists atm.
I was working on adding subscriptions, and got "user not authorized" after implementing the code Pascal wrote. To get things working with the Authorize attribute I had to add the changes I made in this commit: "add ClaimsPrincipal to ContextData workaround websocket auth". I'm no expert at all, but it looks like when using websockets the ClaimsPrincipal is not forwarded. Is this intentional or a bug? @PascalSenn @michaelstaib
@PetterRein this one is related: #1319. Also discussed at dotnet/aspnetcore#2881
Thank you! So this is a "problem" with aspnetcore itself and not HotChocolate; looks like I have to look into SignalR.
@PetterRein AFAIK SignalR has the same problem. But the code in your repo seems to work just fine. I will try and see if I can do a PR for your code to HC. Will make sure it is still configurable.
You saved my weekend! But we can do it more easily with:

```csharp
// The second parameter of the AddGraphQL method:
(IQueryExecutionBuilder builder) => builder
    .Use(next => async context =>
    {
        // Resolve the HttpContext of the request (for subscriptions, the
        // WebSocket handshake) and copy its user into the request ContextData,
        // which is where the Authorize attribute looks for the ClaimsPrincipal.
        var hca = context.Services.GetRequiredService<IHttpContextAccessor>();
        context.ContextData["ClaimsPrincipal"] = hca.HttpContext.User;
        await next(context);
    })
    .UseDefaultPipeline()
```
@michaelstaib @PascalSenn: What is the proper way of authentication/authorization for subscriptions in the GraphQL server? I could not find a complete example in the docs.
Have a look at the gists of Pascal:
As the title. How is this supposed to work with HotChocolate? I can't seem to wrap my head around it.
As websockets don't send headers. If the connection can't be stopped, data can be sniffed.
Am I missing something here? Seeing as the Authorize attribute will only return unauthorized, as there is no bearer token. I could send a parameter in with the websocket, but it looks to me like HotChocolate is taking care of the whole connection in its middleware, where there is no auth handling.