appwrite / sdk-for-web

[READ-ONLY] Official Appwrite Web SDK 🧑

Home Page:https://appwrite.io


🐛 Bug Report: Realtime channel still receiving data after user session is deleted/logout

mcchin opened this issue · comments

👟 Reproduction steps

Config/Setup:

  • I am using Appwrite v:0.13.4.304, WebSDK 7.0.0, and node-appwrite 5.0.0
  • The database collection is set up with Document Level permission
  • Document read permissions are assigned appropriately like so, e.g. user:UserID
  • There is a collection with only a couple of documents with read access for User A, but NOT User B

To reproduce:

  1. Log in as User A, e.g. sdk.account.createSession(User A email, User A password)

  2. On a React page, use the WebSDK to subscribe to a channel like so

  useEffect(() => {
    const unsubscribe = sdk.subscribe(`collections.COLLECTION_ID.documents`,
      res => {
        console.log('realtime response', res)
      }
    )

    return () => {
      unsubscribe()
    }
  }, [])
  3. Update any of the documents in the said collection from the Appwrite Console, and I can notice data is received and the channel/subscription callback is executed

  4. User A logs out: unsubscribe() is fired, and then User A is logged out like so: sdk.account.deleteSession('current') / sdk.account.deleteSession(session_id)
    NOTE: Don't refresh the browser page or close the browser tab; if you have refreshed the browser page or closed the browser tab you can't reproduce the issue

  5. Update any of the documents in the said collection from the Appwrite Console; at the same browser tab where sdk.account.deleteSession was executed I can notice data is still being received. As seen in the image below, data is still coming into the Websocket, but the channel/subscription callback is NOT executed

image

👍 Expected behavior

As described in the reproduction steps above, I am expecting the Websocket to stop receiving data after the session is removed via sdk.account.deleteSession('current') / sdk.account.deleteSession(session_id)

👎 Actual Behavior

After sdk.account.deleteSession('current') / sdk.account.deleteSession(session_id), the Websocket is still receiving data

image

🎲 Appwrite version

Different version (specify in environment)

💻 Operating system

Linux

🧱 Your Environment

  • Frontend using React 17.x, and WebSDK 7.0.0
  • Backend using Node 14.x and Appwrite Node client 5.0.0

👀 Have you spent some time to check if this issue has been raised before?

  • I checked and didn't find a similar issue

🏒 Have you read the Code of Conduct?

This is a different unexpected behaviour but might share the same root cause with #24

Yeah, that is actually expected behavior as of right now.

The realtime server is only aware of the session when the user connects. So once the user is connected and authenticated, the connection is assigned to a specific user - not session.

To prevent this, I can only think of re-establishing the connection after a session is created/deleted.

This definitely requires some more work and planning to fix.
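
The behaviour described in the comment above, a connection bound to the user at connect time rather than to the session, modelled in memory next to a session-aware variant that closes a session's connections when the session is deleted. This is an added example, not part of the thread and not Appwrite's code; RealtimeServer, framesAfterLogout and the session and document IDs are hypothetical.

```javascript
// In-memory model only. It does not use or reproduce the Appwrite SDK or server.
class RealtimeServer {
  constructor({ sessionAware }) {
    this.sessionAware = sessionAware;
    this.sessions = new Map();    // sessionId -> userId
    this.connections = new Set(); // long-lived connections
  }

  createSession(sessionId, userId) { this.sessions.set(sessionId, userId); }

  // Authentication happens once, at connect time; the connection is bound to the user.
  connect(sessionId, channels) {
    const userId = this.sessions.get(sessionId);
    if (!userId) throw new Error('unauthenticated');
    const conn = { userId, sessionId, channels: new Set(channels), inbox: [], open: true };
    this.connections.add(conn);
    return conn;
  }

  deleteSession(sessionId) {
    this.sessions.delete(sessionId);
    if (!this.sessionAware) return; // reported behaviour: open connections are untouched
    for (const conn of this.connections) {
      if (conn.sessionId === sessionId) { conn.open = false; this.connections.delete(conn); }
    }
  }

  // Fan a document event out to every open connection whose user has read access.
  publish(channel, doc) {
    for (const conn of this.connections) {
      const allowed = doc.read.includes(`user:${conn.userId}`);
      if (conn.open && conn.channels.has(channel) && allowed) conn.inbox.push(doc.id);
    }
  }
}

// Constructed scenario: User A subscribes, logs out, then a document A can read is updated.
function framesAfterLogout(sessionAware) {
  const channel = 'collections.COLLECTION_ID.documents';
  const server = new RealtimeServer({ sessionAware });
  server.createSession('sess-a', 'userA');
  const conn = server.connect('sess-a', [channel]);
  server.publish(channel, { id: 'doc1', read: ['user:userA'] });
  server.deleteSession('sess-a');
  server.publish(channel, { id: 'doc2', read: ['user:userA'] });
  return conn.inbox; // document IDs delivered over the socket
}

console.log('user-bound:', framesAfterLogout(false));
console.log('session-aware:', framesAfterLogout(true));
```
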

@TorstenDittmann

Thanks for the feedback

To avoid a non-authorized user receiving data from the Websocket, I am currently thinking of refreshing the page after the user clicks logout. Do you have any other recommendation?

I have also noticed that if I have unsubscribed from a channel, although the callback is not fired, I will still be receiving data from the Websocket

I have also noticed that if I have unsubscribed from a channel, although the callback is not fired, I will still be receiving data from the Websocket

Can you provide me the list of channels where that happens?

I have also noticed that if I have unsubscribed from a channel, although the callback is not fired, I will still be receiving data from the Websocket

Can you provide me the list of channels where that happens?

collections.COLLECTION_ID.documents is what I am using currently.
But looking at the current behaviour I suspect all channels will have the same issue, where when you have unsubscribed from a channel you will still be receiving data messages at the Websocket level. I have also noticed that when you have unsubscribed from a channel nothing is sent back to the server side, so I am speculating the server side doesn't know the client side has unsubscribed from a channel

I have also noticed that if I have unsubscribed from a channel, although the callback is not fired, I will still be receiving data from the Websocket

Can you provide me the list of channels where that happens?

collections.COLLECTION_ID.documents is what I am using currently. But looking at the current behaviour I suspect all channels will have the same issue, where when you have unsubscribed from a channel you will still be receiving data messages at the Websocket level. I have also noticed that when you have unsubscribed from a channel nothing is sent back to the server side, so I am speculating the server side doesn't know the client side has unsubscribed from a channel

The logic should be, to only reconnect and therefore tell the Realtime Server the new list of channels, when you unsubscribe from a channel when there is no subscription attached to it anymore.

I'll check on my side what's happening 🙂