sdk-for-web icon indicating copy to clipboard operation
sdk-for-web copied to clipboard

Published 20 hours ago โ€ข verified publisher icon appwrite

๐Ÿ› Bug Report: Realtime channel still receiving data after user session is deleted/logout

Open mcchin opened this issue 3 years ago โ€ข 8 comments

๐Ÿ‘Ÿ Reproduction steps

Config/Setup:

  • I am using Appwrite v:0.13.4.304, WebSDK 7.0.0, and node-appwrite 5.0.0
  • Database collection is setup as Document Level permission
  • Documents read permission are assigned appropriately like so, e.g. user:UserID
  • There is a collection with only couple of documents with read access for User A, but NOT User B

To reproduce:

  1. Login as User A , e.g. sdk.account.createSession(User A email, User A password)

  2. At a React page, using WebSDK to subscribe to a channel like so

  useEffect(() => {
    const unsubscribe = sdk.subscribe(`collections.COLLECTION_ID.documents`,
      res => {
        console.log('realtime response', res)
      }
    )

    return () => {
      unsubscribe()
    }
  }, [])

  1. Update any of the documents on the said collection from Appwrite Console, and I can noticed data is received, and channel/subscription callback is executed

  2. User A logout, unsubscribe() is fired, and then User A is logout like so sdk.account.deleteSession('current') / sdk.account.deleteSession(session_id) NOTE: Don't refresh browser page or close the browser tab, if you have refreshed browser page or close the browser tab you can't reproduce the issue

  3. Update any of the documents on the said collection from Appwrite Console, at the same browser tab where sdk.account.deleteSession is executed and I can noticed data is still being received As seen in image below where data still coming into Websocket , but channel/subscription callback is NOT executed

image

๐Ÿ‘ Expected behavior

As described in reproduction steps above, I am expecting Websocket stop receiving data after session is removed after sdk.account.deleteSession('current') / sdk.account.deleteSession(session_id)

๐Ÿ‘Ž Actual Behavior

After sdk.account.deleteSession('current') / sdk.account.deleteSession(session_id), Websocket still receiving data

image

๐ŸŽฒ Appwrite version

Different version (specify in environment)

๐Ÿ’ป Operating system

Linux

๐Ÿงฑ Your Environment

  • Frontend using React 17.x, and WebSDK 7.0.0
  • Backend using Node 14.x and Appwrite Node client 5.0.0

๐Ÿ‘€ Have you spent some time to check if this issue has been raised before?

  • [X] I checked and didn't find similar issue

๐Ÿข Have you read the Code of Conduct?

mcchin avatar Apr 25 '22 09:04 mcchin

This is a different unexpected behaviour but might share the same root cause with https://github.com/appwrite/sdk-for-web/issues/24

mcchin avatar Apr 25 '22 09:04 mcchin

Yeah, that is actually expected behavior as of right now.

The realtime server is only aware of the session when the user connects. So once the user is connected and authenticated, the connection is assigned to a specific user - not session.

To prevent this, I can only think of re-establishing the connection after a session is /created/deleted.

This definitely require some more work and planning to fix.

TorstenDittmann avatar Apr 25 '22 14:04 TorstenDittmann

@TorstenDittmann

Thanks for the feedback

To avoid non-authorized user receiving data from Websocket, currently I am thinking to refresh the page after user click logout. Do you have other recommendation?

mcchin avatar Apr 25 '22 15:04 mcchin

I have also noticed if I have unsubscribed to a channel, although the callback is not fired but I will still be receiving data from Websocket

mcchin avatar Apr 26 '22 10:04 mcchin

I have also noticed if I have unsubscribed to a channel, although the callback is not fired but I will still be receiving data from Websocket

Can you provide me the list of channels where that happens?

TorstenDittmann avatar Apr 27 '22 08:04 TorstenDittmann

I have also noticed if I have unsubscribed to a channel, although the callback is not fired but I will still be receiving data from Websocket

Can you provide me the list of channels where that happens?

collections.COLLECTION_ID.documents is what I am using currently But looking at the current behaviour I suspect all channels will have the same issue where when you have unsubscribed a channel you will still be receiving data messages at Websocket level. As I have also noticed when you have unsubscribed a channel nothing is sent back to server side, so I am speculating server side don't know client side has unsubscribed a channel

mcchin avatar Apr 27 '22 08:04 mcchin

I have also noticed if I have unsubscribed to a channel, although the callback is not fired but I will still be receiving data from Websocket

Can you provide me the list of channels where that happens?

collections.COLLECTION_ID.documents is what I am using currently But looking at the current behaviour I suspect all channels will have the same issue where when you have unsubscribed a channel you will still be receiving data messages at Websocket level. As I have also noticed when you have unsubscribed a channel nothing is sent back to server side, so I am speculating server side don't know client side has unsubscribed a channel

The logic should be, to only reconnect and therefore tell the Realtime Server the new list of channels, when you unsubscribe from a channel when there is no subscription attached to it anymore.

I'll check on my side what's happening ๐Ÿ™‚

TorstenDittmann avatar Apr 27 '22 08:04 TorstenDittmann

@TorstenDittmann I think this has been fixed by https://github.com/appwrite/sdk-for-web/pull/93

xuelink avatar Apr 27 '24 08:04 xuelink