@bourgeoa
Member

Add Authorization Callback Support for WebSocket Subscriptions

Summary

Added optional authorize callback to enable server-side authorization checks before allowing WebSocket subscriptions. This allows applications to enforce access control policies on subscription requests.

Motivation

The WebSocket server previously accepted all subscription requests without authorization checks. Applications like Solid servers need to enforce ACL permissions before allowing clients to subscribe to resource updates.

Changes

Modified lib/server.js:

  • Added authorize option to constructor (line 18)
  • Integrated authorization check in message handler (lines 54-68)
  • Calls authorize(iri, req, callback) before subscription
  • Returns err <uri> forbidden when authorization denies access
  • Returns ack <uri> when authorization allows subscription
  • Backward compatible - if no authorize callback provided, subscriptions proceed as before

Usage

const SolidWs = require('solid-ws')

const pubsub = new SolidWs(server, {
  authorize: function(iri, req, callback) {
    // Custom authorization logic
    const allowed = checkPermissions(iri, req)
    callback(null, allowed)
  }
})

The authorize callback receives:

  • iri - Resource URI being subscribed to
  • req - HTTP upgrade request object
  • callback(err, allowed) - Call with (null, true) to allow, (null, false) or (error) to deny

Tests

Added 3 authorization callback tests in test/websockets.js:

  • should receive ack when authorization allows subscription
  • should receive err when authorization denies subscription
  • should receive err when authorization callback returns error

Test Results: 8 passing (82ms) - All existing tests remain passing

Compatibility

  • Fully backward compatible - authorization is optional
  • ✅ Existing code without authorize option works unchanged
  • ✅ No breaking changes to API
  • ✅ No new dependencies

Security

  • Authorization checks occur before subscription is established
  • Invalid subscriptions receive err <uri> forbidden message
  • Authorization errors handled gracefully
  • Request object available for authentication/authorization context
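The following is an added example, not code from the solid-ws project or from this PR. It models the subscription flow the description lays out: a `sub <iri>` message is checked through the documented `authorize(iri, req, callback)` hook before the subscription is recorded, the client gets `ack <uri>` on allow and `err <uri> forbidden` on deny or on an authorizer error, and a missing `authorize` option falls through to the old unconditional behaviour. The function names, the `req.user` field, the prefix ACL table and the resource IRIs are constructed for illustration; only the two reply strings and the callback signature come from the PR text. It also goes slightly beyond the PR by treating anything other than an explicit `true` (including a synchronous throw inside the authorizer) as a denial, so that a buggy authorizer fails closed rather than open.

```javascript
// Added example (not solid-ws project code): models the subscription
// authorization flow described in this PR. All names below are assumptions
// made for illustration, except the protocol strings quoted in the PR
// ("ack <uri>", "err <uri> forbidden") and the authorize(iri, req, callback)
// signature it documents.

// Handle one incoming "sub <iri>" message. `send` delivers the reply to the
// client; `subscriptions` is the Set of IRIs this connection is subscribed to.
function handleSubscribeMessage(message, req, subscriptions, options, send) {
  const match = /^sub\s+(\S+)$/.exec(message.trim())
  if (!match) return // other message types are out of scope for this example
  const iri = match[1]

  const finish = (allowed) => {
    if (allowed !== true) {          // fail closed on anything but an explicit true
      send(`err ${iri} forbidden`)
      return
    }
    subscriptions.add(iri)
    send(`ack ${iri}`)
  }

  // Backward compatible: with no authorize option, subscribe as before.
  if (typeof (options && options.authorize) !== 'function') {
    finish(true)
    return
  }

  let settled = false
  try {
    options.authorize(iri, req, (err, allowed) => {
      if (settled) return            // ignore a callback invoked twice
      settled = true
      finish(err ? false : allowed)  // an error from the authorizer denies
    })
  } catch (thrown) {
    // A synchronous throw inside the authorizer must not leave the client
    // without a reply or, worse, silently subscribed.
    if (!settled) { settled = true; finish(false) }
  }
}

// Constructed authorizer: a tiny prefix-based ACL keyed by resource IRI
// prefix. The caller's identity is assumed to have been placed on req.user by
// an earlier authentication step (an assumption, not something the PR states).
const ACL = {
  'https://example.org/public/': ['*'],
  'https://example.org/alice/': ['alice'],
}

function aclAuthorize(iri, req, callback) {
  const prefix = Object.keys(ACL).find((p) => iri.startsWith(p))
  if (!prefix) return callback(null, false)      // unknown resource: deny
  const agents = ACL[prefix]
  const user = req && req.user
  callback(null, agents.includes('*') || (typeof user === 'string' && agents.includes(user)))
}

// Run the three scenarios the PR's tests describe, plus the no-authorize
// case, and return the replies so they can be checked.
function runScenarios() {
  const replies = {}
  const run = (name, options, req, iri) => {
    const subs = new Set()
    handleSubscribeMessage(`sub ${iri}`, req, subs, options, (r) => {
      replies[name] = { reply: r, subscribed: subs.has(iri) }
    })
  }
  run('allowed', { authorize: aclAuthorize }, { user: 'alice' }, 'https://example.org/alice/notes.ttl')
  run('denied', { authorize: aclAuthorize }, { user: 'bob' }, 'https://example.org/alice/notes.ttl')
  run('error', { authorize: (iri, req, cb) => cb(new Error('acl lookup failed')) }, {}, 'https://example.org/public/x')
  run('noAuthorize', {}, {}, 'https://example.org/alice/notes.ttl')
  return replies
}
```

Calling `runScenarios()` yields `ack` for alice on her own resource and for the no-authorize case, and `err ... forbidden` for bob and for the authorizer that reports an error. The `allowed !== true` comparison is deliberate: a truthy-but-not-boolean value such as a string returned by a misconfigured ACL lookup is treated as a denial, which matches the PR's "(null, true) to allow" wording and keeps mistakes on the safe side.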

@bourgeoa bourgeoa self-assigned this Jan 12, 2026
@bourgeoa bourgeoa requested a review from CxRes January 12, 2026 11:25
@bourgeoa bourgeoa linked an issue Jan 12, 2026 that may be closed by this pull request
Development

Successfully merging this pull request may close these issues.

Add authorization callback for subscription requests