Subscriptions Authorization
Learn how to authorize the subscription in GraphQL.
Interesting challenges in authorization
While we’re on the subject, subscriptions pose some interesting challenges with respect to authorization. For example, we run into some trouble with the new_order field straight away because it uses a “*” topic. Right now, every customer who subscribes is going to get pushed information about everyone else’s order. This might prove to be inconvenient.
Fixing this isn’t simply a matter of adding authorization middleware to the new_order field. Middleware runs when the document is executed, but the document won’t be executed until an actual order is placed and published. In other words, we’d still be letting clients create the subscription, but instead of an order, they’d get back unauthorized when an event happens. We want to scope new_order so that, when a customer creates a subscription, we only route that customer’s orders to that subscription.
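The routing change described above, as an added example that is not code from this lesson: a small framework-independent Python model in which the topic is chosen when the subscription is created rather than when an event is delivered. The class and function names, the context shape, the role values and the sample orders are all constructed for illustration.

```python
from collections import defaultdict

class Unauthorized(Exception):
    pass

class NewOrderRouter:
    """Toy model of topic routing for the new_order subscription (hypothetical)."""

    def __init__(self, scoped):
        self.scoped = scoped              # False reproduces the single "*" topic
        self.subs = defaultdict(list)     # topic -> list of subscriber inboxes

    def topic_for(self, context):
        """Choose the topic at subscribe time, from who is asking."""
        if not self.scoped:
            return "*"
        user = context.get("current_user")
        if user is None:
            # Refused up front: no subscription is ever registered.
            raise Unauthorized("unauthorized")
        if user["role"] == "customer":
            return str(user["id"])        # only this customer's orders
        return "*"                        # assumed staff role: sees every order

    def subscribe(self, context):
        topic = self.topic_for(context)
        inbox = []
        self.subs[topic].append(inbox)
        return inbox

    def publish(self, order):
        """Scoped mode publishes to "*" and to the ordering customer's topic."""
        topics = ["*", str(order["customer_id"])] if self.scoped else ["*"]
        for topic in topics:
            for inbox in self.subs[topic]:
                inbox.append(order)

def demo(scoped):
    """Two constructed customers subscribe, then one order is placed for each."""
    router = NewOrderRouter(scoped)
    alice = router.subscribe({"current_user": {"id": 1, "role": "customer"}})
    bob = router.subscribe({"current_user": {"id": 2, "role": "customer"}})
    router.publish({"id": 100, "customer_id": 1})
    router.publish({"id": 101, "customer_id": 2})
    return [o["id"] for o in alice], [o["id"] for o in bob]
```

With scoping off, both customers receive both orders; with scoping on, each receives only their own, and a client with no user in its context is rejected before any subscription exists.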
Let’s capture this problem in a test case: