adonisjs / transmit-client

A client for the native Server-Sent-Event module of AdonisJS
MIT License
22 stars 3 forks

Header authentication for `__transmit/events` route #8

Open jln-brtn opened 1 month ago

jln-brtn commented 1 month ago

Package version

1.0.0

Describe the bug

Hey Adonis team, long story short: I have an Adonis application and I tried to add the server-side-events with Transmit. To do it properly, I ask the client to be authenticated according to the documentation:

transmit.registerRoutes((route) => {
  // Ensure you are authenticated to register your client
  if (route.getPattern() === '__transmit/events') {
    route.middleware(middleware.auth())
    return
  }
})

In my case, I'm using bearer tokens, so I need to add it to the header using the beforeSubscribe function, as described in this ticket #3.

const transmit = new Transmit({
  baseUrl: 'https://bug-transmit-client.free.beeceptor.com',
  beforeSubscribe: (request) => {
    console.log('test')
    request.credentials = 'omit';
    request.headers.append('ping', 'pong')
  },
});

However, I'm facing an issue: the client never adds the header value (so the server returns a 401 error).

I created a simple application to reproduce the bug. This application sends the /__transmit/events to the beeceptor mock. As expected, the header value is not received. My analysis, at this point, is that beforeSubscribe only works for /__transmit/subscribe.

Therefore, my questions:

  1. Is it possible/relevant to protect /__transmit/events as described in the doc?
  2. Does a method exist to add the header authentication value, like beforeEvent?

Best regards, Julien

Reproduction repo

https://github.com/jln-brtn/bug-transmit-client

rbartholomay commented 1 month ago

I have the same problem here.

Any idea how to solve this?

Bye, René

jln-brtn commented 1 month ago

Hi René, I have no workaround currently. So I moved the authentication to the subscribe. If I have time, I will create a new method beforeEvents and do a PR. Best regards, Julien

rbartholomay commented 1 month ago

ok, this workaround works also in my case... thanks!

René

kamilcglr commented 6 days ago

> So I moved the authentication to the subscribe.

Hello @jln-brtn and @rbartholomay, I have the same issue... What do you mean by "to the subscribe"? Thank you in advance

jln-brtn commented 6 days ago

Hey @kamilcglr, you can only protect the __transmit/subscribe, leading to something like that in your route.ts:

transmit.registerRoutes((route) => {
  // Ensure you are authenticated to subscribe
  if (route.getPattern() === '__transmit/subscribe') {
    route.middleware(middleware.auth())
    return
  }
})

You can't protect __transmit/events because Adonis will never receive the token (according to the issue described above). So it must remain open.
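A minimal model of the workaround in the comment above, added here as an illustration and not code from Transmit or from anyone in this thread: the event stream stays open and the bearer-token check sits on subscribe. The broker, its method names and the token value are hypothetical; only the two route patterns come from the thread, and the model assumes a stream receives nothing until a subscribe call succeeds.

```javascript
// Added model (not Transmit's code). All names here are hypothetical.
const VALID_TOKENS = new Set(['constructed-token-alice']) // constructed sample

function createBroker() {
  const streams = new Map() // uid -> { channels: Set, inbox: [] }

  return {
    // Mirrors GET __transmit/events left open: no credential is checked,
    // the connection is only registered under the uid the client sent.
    openStream(uid) {
      streams.set(uid, { channels: new Set(), inbox: [] })
      return 200
    },

    // Mirrors POST __transmit/subscribe behind middleware.auth(): a regular
    // request, so the client can attach an Authorization header to it.
    subscribe({ uid, channel, authorization }) {
      const match = /^Bearer (.+)$/.exec(authorization || '')
      if (!match || !VALID_TOKENS.has(match[1])) return 401
      const stream = streams.get(uid)
      if (!stream) return 400
      stream.channels.add(channel)
      return 200
    },

    // Events reach only the streams that passed the subscribe check.
    broadcast(channel, payload) {
      for (const stream of streams.values()) {
        if (stream.channels.has(channel)) stream.inbox.push(payload)
      }
    },

    inbox: (uid) => (streams.get(uid) ? streams.get(uid).inbox : []),
  }
}

function demo() {
  const broker = createBroker()
  broker.openStream('anon') // connects without any token
  broker.openStream('alice')
  const denied = broker.subscribe({ uid: 'anon', channel: 'orders' })
  const granted = broker.subscribe({
    uid: 'alice', channel: 'orders',
    authorization: 'Bearer constructed-token-alice',
  })
  broker.broadcast('orders', { id: 1 })
  return { denied, granted, anon: broker.inbox('anon').length, alice: broker.inbox('alice').length }
}
```

In this model the open events route still accepts a connection from any caller, so connection limits on that route remain a separate control from the subscribe check.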

kamilcglr commented 6 days ago

> Hey @kamilcglr, you can only protect the __transmit/subscribe, leading to something like that in your route.ts:
>
> transmit.registerRoutes((route) => {
>   // Ensure you are authenticated to subscribe
>   if (route.getPattern() === '__transmit/subscribe') {
>     route.middleware(middleware.auth())
>     return
>   }
> })
>
> You can't protect __transmit/events because Adonis will never receive the token (according to the issue described above). So it must remain open.

Thanks 👍 Have you started working on a PR? I could try to do it in my spare time...

jln-brtn commented 6 days ago

Not yet, and honestly, I don't think that will be possible from my side before 2025. If you have time, your contribution will be appreciated!

Another option would be to do a PR on the documentation to mitigate this issue. I could do this one quite quickly.