5

我正在尝试使用 cookie 使用 elixir 和苦艾酒进行授权/身份验证 graphql 订阅,我使用了以下链接:

https://nts.strzibny.name/graphql-subscriptions-with-elixir-and-absinth/

我正在尝试对用户进行身份验证以订阅正确的主题,但我无权访问订阅连接中的 cookie。为什么?

在我看到以下链接后:

https://hexdocs.pm/absinthe_phoenix/Absinthe.Phoenix.Socket.html

在我的 user_socket.ex 中,我将 user_id 作为查询参数传递,这是可行的,但它根本不安全......我可以传递我想要的 id ??!!

有人能帮我吗?

 @moduledoc false

 use Phoenix.Socket

 use Absinthe.Phoenix.Socket,
   schema: MyAppGraphQL.Schema

 ## Channels
 # channel "room:*", MyAppWeb.RoomChannel

 # Socket params are passed from the client and can
 # be used to verify and authenticate a user. After
 # verification, you can put default assigns into
 # the socket that will be set for all channels, ie
 #
 #     {:ok, assign(socket, :user_id, verified_user_id)}
 #
 # To deny connection, return `:error`.
 #
 # See `Phoenix.Token` documentation for examples in
 # performing token verification on connect.
 def connect(%{"user_id" => user_id}, socket) do
   case current_user(user_id) do
     nil ->
       :error

     current_user ->
       socket =
         Absinthe.Phoenix.Socket.put_options(socket,
           context: %{
             current_user: current_user
           }
         )

       {:ok, socket}
   end
 end

 def connect(_, _), do: :error

 defp current_user(user_id), do: MyApp.Accounts.lookup_user_with_company(user_id)

 # Socket id's are topics that allow you to identify all sockets for a given user:
 #
 #     def id(socket), do: "user_socket:#{socket.assigns.user_id}"
 #
 # Would allow you to broadcast a "disconnect" event and terminate
 # all active sockets and channels for a given user:
 #
 #     MyAppWeb.Endpoint.broadcast("user_socket:#{user.id}", "disconnect", %{})
 #
 # Returning `nil` makes this socket anonymous.
 def id(_socket), do: nil
end```
4

0 回答 0