graphql-flutter

Subscription Authorization error because of not waiting for connection_ack after connection_init

Open thomas-ferchau opened this issue 3 years ago • 2 comments

Describe the issue

We see authorization errors for almost every Subscription that is started by GraphQL-Flutter on our server (GraphQL-Java).

  1. The connection_init message contains an Authorization header (added via initialPayload). On the server, the auth token is added to the Websocket session for later access.
  2. The start message is received immediately after connection_init. While processing the start message, the server requires the auth token from the Websocket session to identify the user.
  3. Both messages are processed in separate Threads. The Thread processing connection_init often has not finished adding the auth token to the Websocket session when the start thread requires it. So the subscription fails because no auth token is available.

Expected behavior

After sending connection_init the GraphQL client must wait for connection_ack (or maybe connection_error) before sending start.

This is also described in the GraphQL over WebSocket Protocol.

To Reproduce

If this is really required, I could provide a Java server and a Dart client showing the issue.

device / execution context

We have seen this problem with a GraphQL-Flutter v5.0.0 client on Android and a GraphQL server implemented in Java, but it probably occurs everywhere.

additional notes

It seems that the ApolloGraphQL project has/had the same issue: https://github.com/apollographql/subscriptions-transport-ws/issues/339 https://github.com/apollographql/subscriptions-transport-ws/pull/767

thomas-ferchau Jul 09 '21 09:07
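The ordering described in the issue above, as an added example that is not part of the original post and is not graphql-flutter or GraphQL-Java code: a Python asyncio model in which the server handles each message in its own task, run once with `start` sent immediately and once gated on `connection_ack`. The `Session` class, the 50 ms validation delay, the token value and the query are constructed assumptions.

```python
import asyncio

class Session:
    """Constructed server model: every incoming message gets its own task."""
    def __init__(self):
        self.token = None              # written by the connection_init handler
        self.outbox = asyncio.Queue()  # messages going back to the client

    async def on_message(self, msg):
        if msg["type"] == "connection_init":
            await asyncio.sleep(0.05)  # assumed token-validation latency
            self.token = msg["payload"].get("Authorization")
            await self.outbox.put({"type": "connection_ack"})
        elif msg["type"] == "start":
            # Fail closed: without an identity the subscription is refused.
            kind = "data" if self.token else "error"
            await self.outbox.put({"type": kind, "id": msg["id"]})

async def client(wait_for_ack):
    session, tasks, received = Session(), [], []

    def send(msg):  # one task per message, like the server's separate threads
        tasks.append(asyncio.create_task(session.on_message(msg)))

    send({"type": "connection_init",
          "payload": {"Authorization": "Bearer constructed-token"}})
    if wait_for_ack:
        # Gate: nothing else is sent until the server answers the init.
        reply = await session.outbox.get()
        received.append(reply["type"])
        if reply["type"] != "connection_ack":
            return received
    send({"type": "start", "id": "1",
          "payload": {"query": "subscription { ticks }"}})
    await asyncio.gather(*tasks)
    while not session.outbox.empty():
        received.append(session.outbox.get_nowait()["type"])
    return received

def run(wait_for_ack):
    """Return the message types the client received, in order."""
    return asyncio.run(client(wait_for_ack))

if __name__ == "__main__":
    print("start sent immediately:", run(False))
    print("start after connection_ack:", run(True))
```

In the ungated run the `start` handler reads the session before the init handler has stored the token, so the subscription is rejected even though the token itself is valid.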

A similar issue is described in #916 when reconnecting. But we see this problem on the initial connection as well.

thomas-ferchau Jul 09 '21 09:07