Authorization graphql subscriptions with elixir and absinthe using cookies

I’m trying make authorization/authentication graphql subscriptions with elixir and absinthe using cookies and I used the follow link:

I’m trying authenticate the user for subscribe the right topic but I don’t have access to the cookies in the subscription connection. Why?

After I saw the follow link:

https://hexdocs.pm/absinthe_phoenix/Absinthe.Phoenix.Socket.html

And in my user_socket.ex I pass the user_id as query param, this works, but it’s not secure at all… I can pass the id that I want !!!

Can someone help me?

 @moduledoc false

 use Phoenix.Socket

 use Absinthe.Phoenix.Socket,
   schema: MyAppGraphQL.Schema

 ## Channels
 # channel "room:*", MyAppWeb.RoomChannel

 # Socket params are passed from the client and can
 # be used to verify and authenticate a user. After
 # verification, you can put default assigns into
 # the socket that will be set for all channels, ie
 #
 #     {:ok, assign(socket, :user_id, verified_user_id)}
 #
 # To deny connection, return `:error`.
 #
 # See `Phoenix.Token` documentation for examples in
 # performing token verification on connect.
 def connect(%{"user_id" => user_id}, socket) do
   case current_user(user_id) do
     nil ->
       :error

     current_user ->
       socket =
         Absinthe.Phoenix.Socket.put_options(socket,
           context: %{
             current_user: current_user
           }
         )

       {:ok, socket}
   end
 end

 def connect(_, _), do: :error

 defp current_user(user_id), do: MyApp.Accounts.lookup_user_with_company(user_id)

 # Socket id's are topics that allow you to identify all sockets for a given user:
 #
 #     def id(socket), do: "user_socket:#{socket.assigns.user_id}"
 #
 # Would allow you to broadcast a "disconnect" event and terminate
 # all active sockets and channels for a given user:
 #
 #     MyAppWeb.Endpoint.broadcast("user_socket:#{user.id}", "disconnect", %{})
 #
 # Returning `nil` makes this socket anonymous.
 def id(_socket), do: nil

end

WebSockets do not have cookies. All they have is parameters. You have to use a token by which you can get user id and user after that.
There is an example here https://hexdocs.pm/phoenix/Phoenix.Token.html how to use Phoenix.Token with sockets.

2 Likes

To understand everything, I follow the following topic: Accessing cookies in Phoenix.Socket connect