realm / realm-graphql-service

GraphQL service for Realm Object Server
https://realm.io
Apache License 2.0

Authentication requires something after the user identity in partial realms #81

Closed programaths closed 5 years ago

programaths commented 5 years ago

Issue description

When we authenticate a token on a given path, the server does a user identity check by comparing the token user id with the user id contained in the partial realm path.

The check expects the path to end with a "/" (/*).

That means one has to add a "/" and something after it, as ROS does not allow paths terminating with "/" for authentication:

path is invalid. It should start with a slash, consist of Latin letters (A-Z, a-z), digits (0-9), dot (.), dash (-), and underscore (_). All components should be non-empty and not start with a dot. The path should not end with .realm, .realm.lock or .realm.management

Test? Code? Steps to reproduce?

See code here: https://gist.github.com/programaths/a1de2e794a0be9a1010eb32eb7d8857a

Remove "ok" where it is commented so; it should fail.

Possible solution

Do not enforce the path ending with "/" to allow authenticating said path.

PR to follow

System info

Version: 3.4.0
Os (uname -a): Linux b50dc1da542b 4.15.0-39-generic #42-Ubuntu SMP Tue Oct 23 15:48:01 UTC 2018 x86_64 GNU/Linux
Node version: v10.11.0

nirinchev commented 5 years ago

This is by design, the convention we have for query based Realm paths is /reference-realm/__partial/user-id/some-hash where some-hash is generally an id that's unique for the device. This allows the same user to have different partial views of the reference Realm on different devices. Of course, you can hardcode a hash value and then you'll only have a single Realm per user. Is there a particular reason you want to avoid having the hash at the end of the url?
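The two checks discussed above (the ROS path syntax rule quoted in the issue's error message, and the identity check that compares the token's user id with the user-id segment of a query-based Realm path) can be sketched as a small validator. This is an added example and not code from realm-graphql-service, Realm Object Server, or either participant; the function names, the error strings and the `requireDeviceHash` switch are assumptions made for the example, and the path template follows the convention nirinchev describes: `/reference-realm/__partial/user-id/some-hash`.

```javascript
// Added example (not the project's code): path syntax + identity check for
// query-based ("partial") Realm paths of the form
//   /<reference-realm>/__partial/<user-id>/<device-hash>
// Names and error strings are assumptions for this example.

const SEGMENT_RE = /^[A-Za-z0-9._-]+$/;
const FORBIDDEN_SUFFIXES = ['.realm', '.realm.lock', '.realm.management'];

// Syntax rule as worded by the ROS error message quoted in the issue.
// Returns null when the path is acceptable, otherwise a reason string.
// Note that a trailing "/" yields an empty last component and is rejected,
// which is exactly why "/.../user-id/" cannot be authenticated.
function validatePathSyntax(path) {
  if (typeof path !== 'string' || !path.startsWith('/')) {
    return 'path must start with a slash';
  }
  const segments = path.slice(1).split('/');
  for (const seg of segments) {
    if (seg.length === 0) return 'path components must be non-empty';
    if (seg.startsWith('.')) return 'path components must not start with a dot';
    if (!SEGMENT_RE.test(seg)) return `invalid character in component "${seg}"`;
  }
  for (const suffix of FORBIDDEN_SUFFIXES) {
    if (path.endsWith(suffix)) return `path must not end with ${suffix}`;
  }
  return null;
}

// Splits a query-based Realm path into its parts. Returns null for paths
// that carry no "__partial" segment (e.g. a full Realm such as /shared/data).
function parsePartialPath(path) {
  const segments = path.slice(1).split('/');
  const idx = segments.indexOf('__partial');
  if (idx < 0) return null;
  return {
    referenceRealm: '/' + segments.slice(0, idx).join('/'),
    userId: segments[idx + 1] !== undefined ? segments[idx + 1] : null,
    deviceHash: segments.length > idx + 2 ? segments.slice(idx + 2).join('/') : null,
  };
}

// Authorization decision for opening `path` with a token whose verified
// identity is `tokenUserId`. With requireDeviceHash (the documented template)
// a segment after the user id is mandatory; setting it to false models the
// relaxation the issue asks for.
function authorizePartialRealmAccess(path, tokenUserId, opts = {}) {
  const { requireDeviceHash = true } = opts;
  const syntaxError = validatePathSyntax(path);
  if (syntaxError) return { ok: false, reason: syntaxError };
  const parsed = parsePartialPath(path);
  if (parsed === null) {
    return { ok: false, reason: 'not a query-based (__partial) Realm path' };
  }
  if (parsed.userId === null) {
    return { ok: false, reason: 'missing user-id segment after __partial' };
  }
  if (parsed.userId !== tokenUserId) {
    return { ok: false, reason: 'user-id in path does not match token identity' };
  }
  if (requireDeviceHash && parsed.deviceHash === null) {
    return { ok: false, reason: 'missing segment after user-id (device hash)' };
  }
  return { ok: true, reason: 'ok' };
}

// Constructed sample paths illustrating the cases from the thread, all for a
// token whose identity is "u1".
const samples = [
  '/app/__partial/u1/my-web-app', // documented template: accepted
  '/app/__partial/u1/',           // trailing slash: rejected by syntax rule
  '/app/__partial/u1',            // no hash segment: rejected by default
  '/app/__partial/u2/my-web-app', // another user's partial Realm: rejected
  '/app/__partial/u1/../u2',      // ".." starts with a dot: rejected by syntax
];
for (const p of samples) {
  console.log(p, '->', authorizePartialRealmAccess(p, 'u1'));
}
console.log('/app/__partial/u1 (hash optional) ->',
  authorizePartialRealmAccess('/app/__partial/u1', 'u1', { requireDeviceHash: false }));
```

The identity comparison is only meaningful because the syntax rule is applied first: since no component may start with a dot, a `..` segment is rejected outright, so a client cannot smuggle a second user id past the check through a traversal-looking path. The `requireDeviceHash: false` call shows the behaviour the reporter wanted; the default reproduces the server's insistence on a segment after the user id.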

programaths commented 5 years ago

Oh! I didn't see it documented.

Our use case is peculiar: we have added code so the web client subscribes automatically when a GraphQL query is received. It was too tedious to have the web client subscribe for every query on partial realms.

By making the change, the web client can connect without having to subscribe and can transparently query Full & Partial realms (of course, using the right paths).

In the end, this is a useful feature and should be documented here too.

nirinchev commented 5 years ago

I'm not sure I fully understand the use case, sorry. Why would it matter for your web app if you have some random hash after the user id or not?

programaths commented 5 years ago

(From mobile) We automatically subscribe to all the objects in a queried Realm and use the fact that subscriptions with the same name are done only once.

If we used a random hash, there would be many subscriptions.

So, in our use case, we do not need to have a hash. Also, putting a fixed hash would be an odd leg. Being able to not put a hash is more intuitive and raises fewer questions.

In details:

The subscription name is currently set to "realm-path" + "class" + "user-id".

Is this clearer?

nirinchev commented 5 years ago

I understand. I'm not entirely sure this is a supported scenario at the moment though. I believe some components rely on the template I showed (i.e. having a segment after the user-id segment). I can do some tests and verify if that will work, but my recommendation would be to just hardcode some hash in your web app - for example, in the reference implementation of a GraphQL client, we use graphql-client for all consumers of the client, you could just do user-id/my-web-app.

nirinchev commented 5 years ago

Closing this as there is a workaround that doesn't involve redesigning our other components.