GraphQL subscription with security context awareness

[mswiderski]

Hi,

I am working on a use case where GraphQL subscriptions should be security context aware. What I mean by that is when clients subscribe to given GraphQL subscription all events sent through that subscription should be filtered by the security context of the caller.

For example if I have two clients client A and client B where first one is member of managers and the other is member of employees and they both subscribe to GraphQL subscription news I would like to make sure that events on news are filtered based on membership of the caller. So when there are news restricted to managers I would like to make sure that only client A will get those and not client B.

I looked at the BroadcastProcessor class that has the subscriptions but there is no way to do any filtering on it.

So the question, is there anyway to make this happen? Does the subscription have any security context available on it?

Any and all feedback more than welcome :)

[phillip-kruger]

Hi @mswiderski ! I assume this is in Quarkus ? We still have quarkusio/quarkus#20092 on our TODO list, just need to find time to look at this. I would need some help from @sberyozkin on how this should be handled.

[mswiderski]

Hi @mswiderski ! I assume this is in Quarkus ?

correct, it is on Quarkus

good to hear it's on the list :)

[mswiderski]

so the linked quarkus issue is partially related and then the remains part is how to gain access to that security context info to do custom filtering via the BroadcastProcessor that is behind GraphQL subscription. Right?

[phillip-kruger]

Yes, that is. Great. Maybe add that context to the issue so that we do not forget ?

[mswiderski]

just some heads up that I managed to make it work for the use case I have.

It was by extending BroadcastProcessor class (since it does not allow to be simply extended - private constructor, I had to copy it) to add additional onNext method that takes both the item and object that has access restriction info and then the most important part - upon adding subscription identity of the caller is associated with subscription itself so the onNext methods can examine it before submitting the item to given subscription.

Works well for what I needed. If you ask me what might be improved to make it easier - allowing to extend BroadcastProcessor and its BroadcastSubscription would make it way easier and the most important won't need to have a copy of these classes.