I am actually in the same boat right now
["/api/v1/graphql" :post
(-> (lp/default-interceptors (graphql/compiled-schema) {:system system})
(inject (interceptor/interceptor `auth/requires-auth-interceptor)
:after :com.walmartlabs.lacinia.pedestal2/inject-app-context)
(inject {:name ::graphql-context-user-injector
:enter (fn [ctx]
(assoc-in ctx
[:request :lacinia-app-context :user]
(:user (:request ctx))))}
:after :com.walmartlabs.lacinia.pedestal2/inject-app-context))
:route-name ::graphql]}
I have this as my normal graphql route
and I want to set up subscriptions with the same interceptors and context
(lp/enable-subscriptions (graphql/compiled-schema)
{:subscriptions-path "/api/v1/ws"})
but the docs on the matter point to listener-fn-factory
as where I should look for the options
but that function isn't in the same namespace, so its already somewhat confusing
but I at least see :app-context
for the static values
and I at least can infer that I need to mess with :subscription-interceptors
and default-subscription-interceptors
but all of this feels like it could be better documented, since I am primarily sleuthing through the code
and not reading the docs anymore
i'm unclear if default-subscription-interceptors can take the function that can be later called to make a schema or if I need to definitely pre-compile before running
and so on
I’m not clear if the default-subscription-interceptors
relate to the websocket itself (pedestal doesn’t actually give you interceptors for websockets, does it?)
And I’ve no idea what happens with authentication etc. Websockets suffer from cross-origin attacks (there’s no CORS policy for websockets) so I want to add some code there that does some checks before upgrading the connection — but it’s unclear where to plug in.
I’m still in the preliminary background research phase but my instincts say to do the integration on my own, starting with pedestal proper.
Probably little use, but I have a compojure example where I check the session/cookie to do the upgrade. https://github.com/gklijs/mv/blob/fe3cf2636317a2550c82f11b801cfed381d81637/src/clj/m_venue/websocket.clj#L51
Right, that suffers from websocket CSRF
@orestis LMK what you end up with
and I'll do the same when it gets working