hasura / graphql-engine

Blazing fast, instant realtime GraphQL APIs on your DB with fine grained access control, also trigger webhooks on database events.
https://hasura.io
Apache License 2.0

Feature request: method to forcefully disconnect a websocket #3602

Open Jamesits opened 4 years ago

Jamesits commented 4 years ago

In the current version of Hasura, when the user token (whatever you pass to the auth hook) is revoked (e.g. user logged out remotely or user credential changed), any websocket already connected to Hasura will still work and its access will not be revoked. I'd like to request a method to disconnect one or all the websockets from a certain user ID, so when the user automatically reconnects, their token will be re-verified by the auth hook.

0x777 commented 4 years ago

Currently we enforce the expiry of authorization information in JWT mode (the connection gets closed after the expiration time as specified in the JWT). This is lacking in the webhook mode; maybe the webhook can specify the expiry time of the session with an Expires header?

> I'd like to request a method to disconnect one or all the websockets from a certain user ID, so when the user automatically reconnects, their token will be re-verified by the auth hook.

This I feel should be added as a part of a larger 'subscription management' APIs for an admin user.

tirumaraiselvan commented 4 years ago

FYI, webhook mode respects Expires and Cache-Control values via https://github.com/hasura/graphql-engine/commit/5b54f9d76629383da854cc16fb9667ea36b96218

Read more here: https://hasura.io/docs/1.0/graphql/manual/auth/authentication/webhook.html#response
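An added example, not part of the thread or of Hasura's code: a minimal auth webhook that applies the `Expires` mechanism mentioned above, so a revoked user is rejected the next time the engine re-checks the hook. The session table, revocation set, 60-second lifetime and port are assumptions for illustration.

```python
import json
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: token -> (user id, role). A real hook queries a session store.
SESSIONS = {"tok-alice": ("1", "user"), "tok-bob": ("2", "user")}
# Filled by the application's logout / credential-change path (assumed).
REVOKED_USERS = set()
# Assumed upper bound on how long an already-authorized session may be trusted.
MAX_SESSION_AGE = timedelta(seconds=60)


def authorize(headers, now=None):
    """Return (status, response_headers, body) for one auth-hook call."""
    now = now or datetime.now(timezone.utc)
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    session = SESSIONS.get(token)
    # Unknown token or revoked user: 401 tells the engine to deny the request.
    if session is None or session[0] in REVOKED_USERS:
        return 401, {}, b""
    user_id, role = session
    body = json.dumps({"X-Hasura-User-Id": user_id, "X-Hasura-Role": role}).encode()
    # A short Expires keeps the authorization from being trusted indefinitely.
    expires = format_datetime(now + MAX_SESSION_AGE, usegmt=True)
    return 200, {"Content-Type": "application/json", "Expires": expires}, body


class Hook(BaseHTTPRequestHandler):
    def do_GET(self):
        status, hdrs, body = authorize(self.headers)
        self.send_response(status)
        for name, value in hdrs.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 3000), Hook).serve_forever()
```

The chosen lifetime is the worst-case delay between revocation and loss of access, so it trades webhook load against exposure time.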

vincentjames501 commented 2 years ago

> This I feel should be added as a part of a larger 'subscription management' APIs for an admin user.

Any thoughts on adding something like this? We have a use case where when an admin revokes a user's access we need to terminate any subscriptions/websockets they may have w/o having to wait for the Expires condition to become true.

gustavotrott commented 1 year ago

> This I feel should be added as a part of a larger 'subscription management' APIs for an admin user.
>
> Any thoughts on adding something like this? We have a use case where when an admin revokes a user's access we need to terminate any subscriptions/websockets they may have w/o having to wait for the Expires condition to become true.

Same case here!