nhost / nhost-dart

Nhost Dart & Flutter packages
https://nhost.io
MIT License

StreamSubscriptions triggering all events on auth token refresh #88

Open marcusrohden opened 2 years ago

marcusrohden commented 2 years ago

Hey guys,

I observed that when the service token changes (NHostClient addTokenChangedCallback is triggered), all my subscription streams attached to Hasura produce the same data again since the app started listening to them.

Is that the expected behaviour?

Would it be a security breach to not refresh the token every minute but once every couple of hours as a way around? What's the drawback?

Any suggestions?

Currently utilising nhost_sdk: ^3.0.4 and nhost_graphql_adapter: ^2.0.3

Thank you

MaxSchilling commented 2 years ago

Facing the same issue and thinking about ways to fix it... Currently it produces major problems. One solution could be to work around streams and move from subscriptions to queries. But that's a big pain. Increasing the JWT token duration is a security no go for us. May be increased to 1, 2, 3 minutes, but not more and that won't help.

I am not expert enough to fully figure out if the SDK could be improved to prevent this - so if there is any help by the nhost team / SDK maintainer, that would be highly highly appreciated and also supported from our end where we can. Can't go live with the current solution.

marcusrohden commented 1 year ago

Hi guys, any updates on this issue?

Thank you

mhadaily commented 1 year ago

Hi,

As of now, this is pretty much expected as the new token is issued, and the connection must be reestablished with a new token. However, I am working on a new release to provide a few solutions. Please stay tuned, I will let you know once it's ready. Meanwhile, you can try the latest dev version https://pub.dev/packages/nhost_sdk/versions#prerelease

marcusrohden commented 1 year ago

Hi @mhadaily, do you have any updates regarding this issue?

Thank you

mhadaily commented 1 year ago

Hi, the reconnection is expected as the token is refreshing. However, there was a bug that the token was refreshed every 30 seconds, whereas the actual time was 15 minutes. This bug is fixed in the latest version now: nhost_sdk: ^4.0.0-dev.8

You can upgrade to this version; however, consider that you need to remove backendUrl and instead use subdomain and region.

@marcusrohden and @MaxSchilling let me know if that works ok now for you.