AuthZ and subscriptions

[thuperthecret2]

I got @pothos/plugin-authz working along with the graphql-yoga plugins for @graphql-authz/envelop-plugin, @envelop/auth0 and useExtendContext. It works great on mutations and queries but it doesn't seem to work on subscriptions. I can subscribe without authentication. Is that expected right now? ie. is plugin-authz set up to control authorization to subscriptions or is that not implemented in either or both of plugin-authz or @graphql-authz/envelop-plugin? Or maybe I'm doing something wrong.

Here's a query that works great with AuthZ (fyi the IsAuthenticated rule checks the extended context for a user that is found through a prisma query based on the sub from the auth0 plugin, which is working fine):

builder.queryField('user', (t) =>
  t.prismaField({
    type: 'User',
    authz: {
      rules: ['IsAuthenticated'],
    },
    nullable: true,
    args: {
      id: t.arg.string({ required: true }),
    },
    resolve: async (query, root, args, ctx, info) => {
      return prisma.user.findUnique({
        ...query,
        where: {
          id: args.id,
        },
      })
    },
  }),
)

but this subscription authz rule doesn't seem to be working because it lets it subscribe without Authentication:

builder.subscriptionField('userSubscription', (t) =>
  t.field({
    type: SubscriptionUserEvent,
    authz: {
      rules: ['IsAuthenticated'],
    },
    nullable: true,
    args: {
      id: t.arg.id({ required: true }),
    },
    subscribe: (root, args, ctx) => ctx.pubsub.subscribe('user', args.id),
    resolve: (event) => event,
  }),
)

and also I tried putting the AuthZ rules on the event and that didn't stop an unauthenticated user from subscribing either:

const SubscriptionUserEvent = builder.objectRef<PubSubUserEvent>(
  'SubscriptionUserEvent',
)

SubscriptionUserEvent.implement({
  interfaces: [SubscriptionEvent],
  fields: (t) => ({
    user: t.prismaField({
      type: 'User',
      authz: {
        rules: ['IsAuthenticated'],
      },
      nullable: true,
      resolve: (query, event) =>
        prisma.user.findUnique({
          ...query,
          where: { id: event.user.id },
        }),
    }),
  }),
})

Just wondering if it's implemented yet or I'm doing something wrong, or if this is an AuthZ issue and not a Pothos issue.

[hayes]

This is likely an authz issue. I've been thinking about removing this plugin from the docs. My experience with it has been poor, and when I looked into it's implementation I found several instances of object rules not being applied correctly.

The Pothos plugin is extremely simple: https://github.com/hayes/pothos/blob/main/packages/plugin-authz/src/index.ts, it really just adds the rules to the extensions object for types/fields. Most of it is just about creating nice types, and all the actual logic is implemented by authz.

I would strongly recommend the scope auth plugin instead. There is also an example of how to use graphql shield in the examples folder on GitHub if you prefer that.

[thuperthecret2]

I implemented plugin-scope-auth which is working nicely for queries and mutations, thanks for that.
I put an isAuthenticated check on a subscription.
However it seems I can connect to the subscription without Authentication, and it only errors out when a change to the data is detected and the subscription tries to resolve, then I get the ForbiddenError: Not authorized to resolve Subscription.userSubscription.
Is there an easy way to stop the client from even subscribing in the first place if they can't pass the isAuthenticated check? I think that's necessary for security.
Here's my subscription:

builder.subscriptionField('userSubscription', (t) =>
  t.field({
    type: SubscriptionUserEvent,
    authScopes: {
      isAuthenticated: true,
    },
    nullable: true,
    args: {
      id: t.arg.id({ required: true }),
    },
    subscribe: (root, args, ctx) => ctx.pubsub.subscribe('user', args.id),
    resolve: (event) => event,
  }),
)

[hayes]

Just published a new version with an option to enable that: 8568792?notification_referrer_id=NT_kwDOAAx1j7E1MjY1MDgzMDg5OjgxNjUyNw

[thuperthecret2]

Fantastic! Works great, thank you so much.

[thuperthecret2]

FYI I noticed plugin-scope-auth doesn't seem to be compatible with @graphql-yoga/plugin-response-cache. I am getting cached responses on subsequent unauthenticated calls. Does that sound about right? I think yoga's plugin-response-cache wraps the execution, before scope auth kicks in. My client will be a Vue 3 app... guessing I'll have to cache on the frontend using a client like urql or villus (I'm trying something other than vue-apollo).

[hayes]

yes, that sounds right.

Pothos is purely a schema building library, and all it's features and plugins work by building a schema with resolvers that implement those features. Basically what this means is that things like checks are run when the resolvers for the schema are run. If you cache the result of running the revolvers (by hooking in at some higher layer in the execution process) nothing pothos produces has a chance to execute.

In general caching and auth can be tricky to combine safely. Caching client side is ussualy the easy and safe option. To cache server side you may need to do something like including a session or user ID in your cache key.