Indirectly subscribed resources not queuing while reconfirming access

[jirenius]

Issue

When reaccess (Subscription.Reaccess()) is triggered, either through a token-, reaccess-, or system.reset event, any events for directly susbcribed resources will be queued until access has been reconfirmed. However, events for indirectly subscribed resources will not be queued, but passed to the client unhindered. These events should also be queued until the directly subscribed resource's access is confirmed.

[jirenius]

Has investigated this issue.

The security impact is minor as we are talking about queuing events that might anyway have reached the client depending on how the Resgate's goroutines are scheduled.

The time frame such a queue would be active is that of getting the access request returned, which will be in the area of milliseconds.

Moreover, the complexity that would be added to Resgate does not justify this fix. It would require:

• Traversing the recursive reference tree to find reference that are not covered by other direct subscriptions (similar to the unsubscribe "garbage collection")
• Handling changes (adds/removes/changes) to references while waiting for access callback
• Handling referenced resources currently loading added resources.

If new requirements surface, the behavior might be readdressed in a new issue.