nhost/nhost-dart

StreamSubscriptions triggering all events on auth token refresh

marcusrohden opened this issue · 5 comments

Hey guys,

I observed that when the service token changes (NHostClient addTokenChangedCallback is triggered), all my subscription streams attached to Hasura produce the same data again since the app started listening to them.

Is that the expected behaviour?

Would it be a security breach not to refresh the token every minute but only once every couple of hours as a workaround? What's the drawback?

Any suggestions?

Currently utilising nhost_sdk: ^3.0.4 and nhost_graphql_adapter: ^2.0.3

Thank you
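One client-side way to tolerate the replay described above is to make the subscription consumer idempotent: drop rows whose identity and version were already delivered, so a reconnect with a refreshed JWT does not re-trigger UI updates or side effects. The helper below is an added illustration written for this thread, not part of nhost_sdk or nhost_graphql_adapter; it uses only dart:async and assumes each row carries an `id` and an `updated_at` field (both assumed names, configurable via the parameters). It does not change the reconnect itself or the token lifetime, so the short JWT expiry stays in place.

```dart
import 'dart:async';

/// Hypothetical helper (not part of nhost_sdk): wraps a Hasura subscription
/// stream so that rows replayed after a token-refresh reconnect are dropped.
/// A row is identified by [idOf]; it is delivered again only when its
/// [versionOf] (for example an `updated_at` column) has changed.
Stream<List<Map<String, dynamic>>> dedupeReplays(
  Stream<List<Map<String, dynamic>>> source, {
  String Function(Map<String, dynamic>) idOf = _defaultId,
  String Function(Map<String, dynamic>) versionOf = _defaultVersion,
}) {
  final seen = <String, String>{}; // id -> last version handed to the consumer
  return source.map((rows) {
    final fresh = <Map<String, dynamic>>[];
    for (final row in rows) {
      final id = idOf(row);
      final version = versionOf(row);
      if (seen[id] != version) {
        seen[id] = version; // first sight, or a genuine change
        fresh.add(row);
      }
    }
    return fresh;
  }).where((fresh) => fresh.isNotEmpty); // swallow pure replays
}

// Assumed column names; adjust to the table being subscribed to.
String _defaultId(Map<String, dynamic> row) => row['id'].toString();
String _defaultVersion(Map<String, dynamic> row) =>
    row['updated_at'].toString();

Future<void> main() async {
  // Constructed sample: the same two rows arrive twice, as they would when the
  // websocket reconnects with a refreshed JWT; only real changes get through.
  final controller = StreamController<List<Map<String, dynamic>>>();
  final delivered = <List<Map<String, dynamic>>>[];
  final sub = dedupeReplays(controller.stream).listen(delivered.add);

  controller.add([
    {'id': 1, 'updated_at': 't1'},
    {'id': 2, 'updated_at': 't1'},
  ]);
  controller.add([
    {'id': 1, 'updated_at': 't1'}, // replay after reconnect: dropped
    {'id': 2, 'updated_at': 't1'},
  ]);
  controller.add([
    {'id': 1, 'updated_at': 't2'}, // genuine update: delivered
  ]);
  await controller.close();
  await sub.asFuture<void>();

  print('batches delivered: ${delivered.length}'); // 2, not 3
}
```

The `seen` map grows with the number of distinct rows observed, which is acceptable for typical subscription result sets; for very large tables, bound it or key it on the subscription's own pagination window.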

Facing the same issue and thinking about ways to fix it... Currently it produces major problems. One solution could be to work around streams and move from subscriptions to queries, but that's a big pain.
Increasing the JWT token duration is a security no-go for us. It may be increased to 1, 2, or 3 minutes, but not more, and that won't help.

I am not expert enough to fully figure out whether the SDK could be improved to prevent this, so if there is any help from the nhost team / SDK maintainer, that would be highly appreciated and also supported from our end where we can. We can't go live with the current solution.

Hi guys, any updates on this issue?

Thank you

Hi,

As of now, this is pretty much expected: as the new token is issued, the connection must be re-established with the new token. However, I am working on a new release to provide a few solutions. Please stay tuned; I will let you know once it's ready. Meanwhile, you can try the latest dev version: https://pub.dev/packages/nhost_sdk/versions#prerelease

Hi @mhadaily, do you have any updates regarding this issue?

Thank you

Hi,

The reconnection is expected as the token is refreshing. However, there was a bug where the token was refreshed every 30 seconds, whereas the actual interval was 15 minutes. This bug is fixed in the latest version, nhost_sdk: ^4.0.0-dev.8.

You can upgrade to this version; however, consider that you need to remove backendUrl and instead use subdomain and region.

@marcusrohden and @MaxSchilling let me know if that works ok now for you.