Closed viters closed 9 months ago
This is one of the reasons why v5 has introduced external resolvers. They make sure that external requests always receive the safe data without having to check for a provider while internal calls (like the authenticate hook) receive the full data.
Due to how socketio and rest authentication are built, and how the `authenticate` hook works, in case you are mutating the user result for requests that have a provider, you will have different results in `context.params.user` for socketio and for rest.

Let's consider you have a `user.secretAdministrativeNote` field, which you are able to access internally (when `provider == null`), but it will not be visible for external providers.

`authentication/create` is called for both rest and socketio; both will receive `params.provider` (`rest` and `socketio` respectively). This will eventually reach `JWTStrategy.authenticate` and `JWTStrategy.getEntity`. `getEntity` behaves differently if the `provider` is set or not. For the `authenticate/create` case, `provider` is set, therefore we will receive the `user` entity in a way that the user is able to see it, without `secretAdministrativeNote`. This is expected, as we are returning that entity back to the user after `authenticate/create` is finished. However, here lies the trap: for socketio connections, `authenticate/create` sets the authentication result on the connection, via `@feathersjs/authentication/src/jwt.ts:64`. Therefore, the `authenticate/create` result is set on the connection forever, and getting `context.params.user.secretAdministrativeNote` will yield `null` on the socketio transport in all hooks afterwards.

Meanwhile, the `rest` transport works differently: `authentication/create` will result in a token and user entity, and the user should not see `secretAdministrativeNote` in the response; that is achieved successfully. Subsequent requests with the `authenticate` hook will be going through `JWTStrategy.authenticate`, but without `provider` (see `@feathersjs/authentication/src/hooks/authenticate.ts:52`). Therefore, the `user` that should be set on params will be gathered with "administrative" privileges (`@feathersjs/authentication/src/jwt.ts:121`). Therefore, getting `context.params.user.secretAdministrativeNote` will yield the actual value on the rest transport in all hooks afterwards.

This will of course apply to any other modifications on the user done on `authenticate/create`.

I do not have a minimal example yet; these are my findings after reading the code for authentication and socketio transport, and debugging a similar case today. I think it might be a result of tight coupling between setting `context.params.user` and the `authentication/create` result.
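The following is an added illustration, not code from Feathers or from the issue author: a constructed JavaScript model of the coupling described above, with the buggy flow (the provider-filtered `authentication/create` result is what the socket connection caches) next to the pattern the maintainer points to (cache the full entity internally, filter only at the response boundary). `USERS`, `getEntity`, `connection.authentication`, `externalResolver` and `runScenario` are stand-in names chosen for this example and do not correspond to the real Feathers API.

```javascript
// Constructed model of the issue: one user record is fetched at authentication/create,
// filtered when a provider is set, and (for socketio) cached on the connection object.
// All names here are stand-ins for this example, not the Feathers API.

const USERS = {
  1: { id: 1, email: 'admin@example.test', secretAdministrativeNote: 'constructed sample value' },
};

// Stand-in for the user service: internal calls (no provider) see everything,
// external calls (provider set) get the sensitive field stripped.
function getEntity(id, provider) {
  const user = { ...USERS[id] };
  if (provider) delete user.secretAdministrativeNote;
  return user;
}

// Stand-in for an external resolver: filtering applied only when data leaves the server.
function externalResolver(user) {
  const { secretAdministrativeNote, ...safe } = user;
  return safe;
}

// Buggy variant: the result already filtered for the external provider is what the
// socket connection keeps, so every later hook on that socket sees the filtered user.
function authenticateCreateBuggy(transport, connection) {
  const result = { user: getEntity(1, transport) };
  if (transport === 'socketio') connection.authentication = result;
  return result;
}

// Hardened variant: the connection keeps the full internal entity; the external
// resolver runs only on the value returned to the client.
function authenticateCreateFixed(transport, connection) {
  const internal = { user: getEntity(1, null) };
  if (transport === 'socketio') connection.authentication = internal;
  return { user: externalResolver(internal.user) };
}

// What a later authenticate hook sees as params.user: socketio reuses the cached
// connection result, rest re-resolves the entity without a provider.
function paramsUserForLaterCall(transport, connection) {
  if (transport === 'socketio' && connection.authentication) {
    return connection.authentication.user;
  }
  return getEntity(1, null);
}

// Run one scenario and report whether the secret reached the client response and
// whether it is still available to internal hooks afterwards.
function runScenario(variant, transport) {
  const connection = {};
  const authenticateCreate = variant === 'fixed' ? authenticateCreateFixed : authenticateCreateBuggy;
  const response = authenticateCreate(transport, connection);
  const later = paramsUserForLaterCall(transport, connection);
  return {
    responseExposesSecret: response.user.secretAdministrativeNote !== undefined,
    laterHookSeesSecret: later.secretAdministrativeNote !== undefined,
  };
}

// Only the buggy socketio case loses the field for internal hooks; no case leaks it to the client.
for (const variant of ['buggy', 'fixed']) {
  for (const transport of ['rest', 'socketio']) {
    console.log(variant, transport, runScenario(variant, transport));
  }
}
```

The hardened variant moves the sensitive data onto the connection object, so anything that serializes that object (for example, publishing the connection's authentication result to a channel) must also go through the resolver; the point of the separation is that internal code keys on the full principal while only the transport boundary decides what a client may see.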