graphql

Daniel Stephens 2020-11-13T00:24:39.091600Z

@emccue Got a chance to start a project, this prints the correct stuff out for me https://gist.github.com/DanielStephens/c3cf076e574afd30fcf48cc9b8bd554e

emccue 2020-11-13T00:30:50.092Z

okay giving it a shot now

emccue 2020-11-13T00:32:25.092600Z

hey! that did manage to do something

emccue 2020-11-13T00:32:46.093100Z

okay so now I am slightly confused as to what exactly the interceptors are handling if not an http request

emccue 2020-11-13T00:32:54.093500Z

but i can work with it now

emccue 2020-11-13T00:38:37.094Z

so what are connection params?

Daniel Stephens 2020-11-13T10:28:45.102900Z

This probably has some inaccuracies, but my understanding is: a WebSocket is a protocol that uses multiple HTTP requests. There's one at the start which asks to initialise the connection; the payload passed along with this is what ends up as connection-params as far as I can tell. lacinia.pedestal (by default) just acknowledges this init request as long as it's readable and has the correct upgrade protocol. This seems potentially insecure, but you can swap these pieces out with some work, I believe. Once that acknowledgement/upgrade cycle has finished, another HTTP request will be made which contains the GraphQL subscription body that you want to actually listen to. Technically you can send headers on each of those requests, but from what I can see it's tricky with the Apollo SubscriptionClient which lacinia uses for GraphiQL. So I think connectionParams are part of the body of the ServletUpgradeRequest, which you managed to get ahold of earlier.

Daniel Stephens 2020-11-13T10:33:49.104500Z

The subscription interceptors handle the bit after the initial connection which contains a graphql subscription body https://github.com/walmartlabs/lacinia-pedestal/blob/master/src/com/walmartlabs/lacinia/pedestal/subscriptions.clj#L151

gklijs 2020-11-13T16:28:20.105Z

Once the connection is established it's going over TCP, but not as HTTP: https://tools.ietf.org/html/rfc6455. So if you want to do something with headers and such, you need to do this on the initial call. But there is no standard way to do authentication for this. You could also do a query to fetch some token or something. I don't think that's insecure, as in it's just open for anyone to make a request, just as query/mutation by default is open over HTTPS.

Daniel Stephens 2020-11-13T16:58:19.105400Z

thanks for the clarifications 👍