JWT Authentication + Subscriptions doesn't appear to work

As far as I can tell, JWT authentication does not work with websocket subscriptions on the web.

In my app, normal http graphql with JWT works fine, but subscription connections fail with the message

cannot start as connection_init failed with : Missing Authorization header in JWT authentication mode

From my naive reading of the code, and looking at #503, hasura looks for the Authorization header to be set, as with a “normal” request. Unfortunately, as far as my digging has taken me, the JS WebSocket API does not permit setting any headers (https://stackoverflow.com/questions/4361173/http-headers-in-websockets-client-api, https://developer.mozilla.org/en-US/docs/Web/API/WebSocket/WebSocket)

The way Apollo works (and https://github.com/apollographql/subscriptions-transport-ws) is to send the headers (connection params) in init, but the JWT auth in hasura doesn’t look there for the token based on my very limited understanding of the hasura internals.

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 11 (3 by maintainers)

Top GitHub Comments

38 reactions
coco98 commented, Nov 7, 2018

@mwaldstein We really need to document this better. Apollo client works perfectly with Hasura, if you set your headers as apollo intends them to be passed for subscriptions:

Create a wsLink:

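import { WebSocketLink } from "apollo-link-ws";
import { SubscriptionClient } from "subscriptions-transport-ws";

// WS_URL is the ws:// or wss:// endpoint of your GraphQL engine.
const wsLink = new WebSocketLink(
  new SubscriptionClient(WS_URL, {
    reconnect: true,
    timeout: 30000,
    // connectionParams is sent as the payload of connection_init;
    // the token must be nested under "headers".
    connectionParams: {
      headers: {
        Authorization: "Bearer xxxxx"
      }
    }
  })
);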

Now use wsLink with apollo client: https://blog.hasura.io/moving-from-apollo-boost-to-graphql-subscriptions-with-apollo-client-cc0373e0adb0

Please do let me know if you get stuck anywhere! @rikinsk Let’s add this to the docs asap.

2 reactions
mwaldstein commented, Nov 7, 2018

Ah! The nesting of headers under connectionParams… I see!

I was led astray by https://github.com/Akryum/vue-cli-plugin-apollo/blob/master/graphql-client/src/index.js#L104 which doesn’t nest the headers in connectionParams…

Initial test suggests this fixed it - thanks! (sidebar - the discord invite appears broken…)
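
The two connectionParams shapes discussed in this thread, as an added example that is not part of the original issue and is not Hasura's or Apollo's code. `buildConnectionInit` and `extractBearer` are hypothetical helpers modelling the client's first WebSocket message and a simplified server-side lookup; the token is a constructed sample value.

```javascript
// Added example: models the connection_init exchange; not Hasura or Apollo code.
const ERR = "Missing Authorization header in JWT authentication mode";

// Client side: the transport sends connectionParams as the payload of the
// first message on the socket. Accepting a function lets the caller supply
// a fresh token on every (re)connect instead of a value captured at startup.
async function buildConnectionInit(connectionParams) {
  const payload =
    typeof connectionParams === "function" ? await connectionParams() : connectionParams;
  return JSON.stringify({ type: "connection_init", payload: payload || {} });
}

// Server side (simplified model): read the bearer token from payload.headers only.
// Case-insensitive header matching is an assumption of this sketch.
function extractBearer(rawMessage) {
  const msg = JSON.parse(rawMessage);
  if (msg.type !== "connection_init") throw new Error("expected connection_init");
  const headers = (msg.payload && msg.payload.headers) || {};
  const name = Object.keys(headers).find((k) => k.toLowerCase() === "authorization");
  const match = name && /^Bearer (\S+)$/.exec(String(headers[name]));
  if (!match) return { ok: false, error: ERR };
  return { ok: true, token: match[1] };
}

// Constructed sample token; a real client would read it from its session.
const getToken = () => "constructed.sample.token";

async function demo() {
  // Headers not nested: the shape that produces the error quoted in the issue.
  const flat = await buildConnectionInit({ Authorization: `Bearer ${getToken()}` });
  // Headers nested, built lazily so a reconnect picks up the current token.
  const nested = await buildConnectionInit(() => ({
    headers: { Authorization: `Bearer ${getToken()}` },
  }));
  return { flat: extractBearer(flat), nested: extractBearer(nested) };
}

demo().then((r) => console.log(r));
```

Because the token travels in the first message rather than in the HTTP upgrade request, it is the message payload, not the handshake headers, that needs to be checked when debugging a rejected subscription.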
