feat: add a onSubscriptionConnect function to to security service for…

… handling auth in subscriptions
aerogear · May 16, 2019 · d12868f · d12868f
1 parent 0e37291
commit d12868f
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 4 deletions.
diff --git a/packages/voyager-keycloak/src/KeycloakSecurityService.ts b/packages/voyager-keycloak/src/KeycloakSecurityService.ts
@@ -90,9 +90,28 @@ export class KeycloakSecurityService implements SecurityService {
     }
   }
 
-  public async validateToken(token: string): Promise<boolean> {
-    const tokenObject = getTokenObject(token)
-    const result = await this.keycloak.grantManager.validateToken(tokenObject, 'Bearer')
-    return (result === tokenObject) ? true : false
+  public async onSubscriptionConnect(connectionParams: any, webSocket: any, context: any): Promise<any> {
+    let header = connectionParams.Authorization
+                  || connectionParams.authorization
+                  || connectionParams.Auth 
+                  || connectionParams.auth
+    if (!header) {
+      throw new Error('Access Denied - missing Authorization field in connection parameters')
+    }
+    const token = this.getBearerTokenFromHeader(header)
+    try {
+      await this.keycloak.grantManager.validateToken(token, 'Bearer')
+      return token
+    } catch (e) {
+      this.log.error(`Error validating token from connectionParam ${header}\n${e}`)
+      throw new Error(`Access Denied - ${e}`)
+    }
+  }
+
+  private getBearerTokenFromHeader(header: any) {
+    if (header && typeof header === 'string' && (header.indexOf('bearer ') === 0 || header.indexOf('Bearer ') === 0)) {
+      const token = header.substring(7)
+      return getTokenObject(token)
+    }
   }
 }
diff --git a/packages/voyager-keycloak/src/api/DefaultSecurityService.ts b/packages/voyager-keycloak/src/api/DefaultSecurityService.ts
@@ -17,6 +17,10 @@ export class DefaultSecurityService implements SecurityService {
   public getAuthContextProvider () {
     return DefaultAuthContextProvider
   }
+
+  public onSubscriptionConnect() {
+    return new Promise((resolve, reject) => resolve())
+  }
 }
 
 export class DefaultAuthContextProvider implements AuthContextProvider {

diff --git a/packages/voyager-keycloak/src/api/KeycloakSecurityServiceOptions.ts b/packages/voyager-keycloak/src/api/KeycloakSecurityServiceOptions.ts
@@ -1,5 +1,6 @@
 export interface Logger {
   info(...args: any[]): void
+  error(...args: any[]): void
 }
 
 export interface KeycloakSecurityServiceOptions {

diff --git a/packages/voyager-keycloak/src/api/SecurityService.ts b/packages/voyager-keycloak/src/api/SecurityService.ts
@@ -43,4 +43,19 @@ export interface SecurityService {
    * Like hapi, koa, fastify, etc.
    */
   applyAuthMiddleware (expressApp: Router, options: any): void
+
+  /**
+   * onSubscriptionConnect is called when a client opens a websocket connection
+   * for a GraphQL subscription. Anything returned from this function is added 
+   * to the context within subscription resolvers
+   * The main use case here is auth. Example - we could parse and validate a token
+   * from the connectionParams and return a user object. Now this object is accessible
+   * Within the subscription context.
+   * Apollo docs: https://www.apollographql.com/docs/graphql-subscriptions/authentication
+   * 
+   * @param connectionParams connection parameters provided by the websocket client
+   * @param webSocket The websocket object
+   * @param context
+   */
+  onSubscriptionConnect(connectionParams: any, webSocket: any, context: any): Promise<any>
 }