Enforce JWT expiration for subscriptions

[garypen]

If a JWT expires whilst a subscription is executing, the subscription should be terminated.

fixes: #3947

---

Checklist

Complete the checklist (and note appropriate exceptions) before the PR is marked ready-for-review.

• Changes are compatible¹
• Documentation² completed
• Performance impact assessed and acceptable
• Tests added and passing³
  • Unit Tests
  • Integration Tests
  • Manual Tests

Exceptions

It's tricky to automatically test token expiration, so I've tested this feature manually. I used:
https://www.unixtimestamp.com/
https://jwt.io/
to generate timestamps and then JWT tokens using those timestamps as exp claims.

I ran a router configured to support JWT authn and subscription and then subscribed to a feed using curl and ensured my subscription timed out. Sample output snippet:

--graphql
content-type: application/json

{"payload":{"data":{"reviewAdded":{"id":4}}}}
--graphql
content-type: application/json

{}
--graphql
content-type: application/json

{"payload":null,"errors":[{"message":"subscription closed because the JWT has expired","extensions":{"code":"SUBSCRIPTION_JWT_EXPIRED"}}]}
--graphql--

Notes

Footnotes

1. It may be appropriate to bring upcoming changes to the attention of other (impacted) groups. Please endeavour to do this before seeking PR approval. The mechanism for doing this will vary considerably, so use your judgement as to how and when to do this. ↩

2. Configuration is an important part of many changes. Where applicable please try to document configuration examples. ↩

3. Tick whichever testing boxes are applicable. If you are adding Manual Tests, please document the manual testing (extensively) in the Exceptions. ↩

[router-perf]

CI performance tests

• events_big_cap_high_rate - Stress test for events with a lot of users, deduplication enabled and high rate event with a big queue capacity
• events_without_dedup - Stress test for events with a lot of users and deduplication DISABLED
• events - Stress test for events with a lot of users and deduplication ENABLED
• large-request - Stress test with a 1 MB request payload
• step - Basic stress test that steps up the number of users over time
• xlarge-request - Stress test with 10 MB request payload
• reload - Reload test over a long period of time at a constant rate of users
• no-graphos - Basic stress test, no GraphOS.
• xxlarge-request - Stress test with 100 MB request payload
• step-jemalloc-tuning - Clone of the basic stress test for jemalloc tuning
• const - Basic stress test that runs with a constant number of users

[bnjjj]

cc @martinbonnin @alessbell @calvincestari in case you would like to do something specific in your client with that error code

[Geal]

could it be enforced on the request side, before executing the subscription?

[bnjjj]

Oh yes good catch ! I think you can move your logic right here gary to not try to fetch data from subgraphs if your jwt is expired

[garypen]

I've split the logic for enforcement and now enforce subscription expiration in the request as @bnjjj suggested. I've left the defer enforcement in the response. We could remove that I suppose, but it's probably better to have it than not.