Support JWT expiration with subscription #3947

Closed
Geal opened this issue Oct 2, 2023 · 0 comments · Fixed by #4166
Labels
component/auth component/subscriptions Pertaining to GraphQL Subscriptions in the Router

Geal commented Oct 2, 2023

If a JWT provided with a subscription request expires while the subscription is live, then the subscription should not be authorized anymore, and should be closed (there is no mechanism right now to renew a token while in a subscription).
The authentication plugin should store the expiration date, and add an execution plugin that checks the expiration date.

bnjjj added the component/subscriptions (Pertaining to GraphQL Subscriptions in the Router) label on Oct 2, 2023
garypen added a commit that referenced this issue Nov 8, 2023
If a JWT expires whilst a subscription is executing, the subscription
should be terminated.

fixes: #3947
garypen added a commit that referenced this issue Nov 13, 2023
If a JWT expires whilst a subscription is executing, the subscription
should be terminated.

fixes: #3947

<!-- start metadata -->
---

**Checklist**

Complete the checklist (and note appropriate exceptions) before the PR
is marked ready-for-review.

- [x] Changes are compatible[^1]
- [x] Documentation[^2] completed
- [x] Performance impact assessed and acceptable
- Tests added and passing[^3]
    - [ ] Unit Tests
    - [ ] Integration Tests
    - [x] Manual Tests

**Exceptions**

It's tricky to automatically test token expiration, so I've tested this
feature manually. I used:
https://www.unixtimestamp.com/
https://jwt.io/
to generate timestamps and then JWT tokens using those timestamps as
`exp` claims.

I ran a router configured to support JWT authn and subscription and then
subscribed to a feed using `curl` and ensured my subscription timed out.
Sample output snippet:
```
--graphql
content-type: application/json

{"payload":{"data":{"reviewAdded":{"id":4}}}}
--graphql
content-type: application/json

{}
--graphql
content-type: application/json

{"payload":null,"errors":[{"message":"subscription closed because the JWT has expired","extensions":{"code":"SUBSCRIPTION_JWT_EXPIRED"}}]}
--graphql--
```

**Notes**

[^1]: It may be appropriate to bring upcoming changes to the attention
of other (impacted) groups. Please endeavour to do this before seeking
PR approval. The mechanism for doing this will vary considerably, so use
your judgement as to how and when to do this.
[^2]: Configuration is an important part of many changes. Where
applicable please try to document configuration examples.
[^3]: Tick whichever testing boxes are applicable. If you are adding
Manual Tests, please document the manual testing (extensively) in the
Exceptions.
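
The manual check described in the commit message can be scripted. The following is an added example, not code from the router or from the PR: it mints a short-lived HS256 token and parses the multipart response to confirm the stream ended with `SUBSCRIPTION_JWT_EXPIRED`. The HS256 shared secret, the claim values and all helper names are assumptions; the sample stream is rebuilt from the output snippet above.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Sign a test token. Assumption: the router under test trusts this HS256 key."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def exp_of(token: str) -> int:
    """Read `exp` from the payload segment (no signature check; test helper only)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))["exp"]

def parse_parts(body: str, boundary: str = "graphql") -> list:
    """Split a multipart subscription response into its decoded JSON bodies."""
    parts = []
    for raw in body.replace("\r\n", "\n").split(f"--{boundary}"):
        raw = raw.strip()
        if raw in ("", "--"):  # preamble or closing delimiter
            continue
        _headers, _, content = raw.partition("\n\n")
        parts.append(json.loads(content))
    return parts

def closed_for_expired_jwt(parts: list) -> bool:
    """True only if the final message is the expiry error with a null payload."""
    if not parts:
        return False
    last = parts[-1]
    codes = [e.get("extensions", {}).get("code") for e in last.get("errors") or []]
    return last.get("payload") is None and "SUBSCRIPTION_JWT_EXPIRED" in codes

# Sample stream rebuilt from the output snippet in the commit message above.
BODIES = ['{"payload":{"data":{"reviewAdded":{"id":4}}}}', '{}',
          '{"payload":null,"errors":[{"message":"subscription closed because the JWT has expired",'
          '"extensions":{"code":"SUBSCRIPTION_JWT_EXPIRED"}}]}']
SAMPLE = "".join(f"--graphql\r\ncontent-type: application/json\r\n\r\n{b}\r\n"
                 for b in BODIES) + "--graphql--\r\n"

if __name__ == "__main__":
    token = make_hs256_jwt({"sub": "test", "exp": int(time.time()) + 30}, b"constructed-secret")
    print("token expires at", exp_of(token))
    print("closed on expiry:", closed_for_expired_jwt(parse_parts(SAMPLE)))
```

In a real run the captured `curl` body would replace `SAMPLE`, and the time of the last part can be compared with `exp_of(token)` to confirm the close happened at expiry rather than earlier.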