graphql-engine/docs/graphql/manual/subscriptions/index.rst

Subscriptions
=============

.. contents:: Table of contents
  :backlinks: none
  :depth: 1
  :local:

A GraphQL subscription is essentially a query where the client receives an event whenever the value of any field changes
upstream. The Hasura GraphQL engine supports subscriptions for all kinds of queries. All the concepts of
:doc:`queries <../queries/index>` hold true for subscriptions as well.

Convert a query to a subscription
---------------------------------

You can turn any query into a subscription by simply replacing ``query`` with ``subscription`` as the operation type.

.. admonition:: Caveat

  Hasura follows the `GraphQL spec <https://graphql.github.io/graphql-spec/June2018/#sec-Single-root-field>`_ which
  allows for only one root field in a subscription.

Use cases
---------

- :ref:`subscribe_field`
- :ref:`subscribe_table`
- :ref:`subscribe_derived`

Communication protocol
----------------------

Hasura GraphQL engine uses the `GraphQL over WebSocket Protocol
<https://github.com/apollographql/subscriptions-transport-ws/blob/master/PROTOCOL.md>`_ by the
`apollographql/subscriptions-transport-ws <https://github.com/apollographql/subscriptions-transport-ws>`_ library
for sending and receiving events.

.. admonition:: Setting headers for subscriptions with Apollo client

  If you are using Apollo Client, headers can be passed to a subscription by setting ``connectionParams`` while
  `creating the wsLink <https://www.apollographql.com/docs/react/data/subscriptions/#client-setup>`_:

  .. code-block:: js
    :emphasize-lines: 6-8

    // Create a WebSocket link:
    const wsLink = new WebSocketLink({
      uri: `<graphql-endpoint>`,
      options: {
        reconnect: true,
        connectionParams: {
          headers: {headers-object}
        }
      }
    });

  See `this <https://www.apollographql.com/docs/react/data/subscriptions/#authentication-over-websocket>`_ for more info on
  using ``connectionParams``.


Cookies and WebSockets
----------------------
The Hasura GraphQL engine will read cookies sent by the browser when initiating a
WebSocket connection. The browser will send the cookie only if it is a secure cookie
(``secure`` flag in the cookie) and if the cookie has a ``HttpOnly`` flag.

Hasura will read this cookie and use it as headers when resolving authorization
(i.e. when resolving the auth webhook).

Cookies, WebSockets and CORS
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
As browsers don't enforce Same Origin Policy (SOP) for websockets, the Hasura server
enforces the CORS rules when accepting the websocket connection.

It uses the provided CORS configuration (as per :ref:`configure-cors`).

1. When it is ``*``, the cookie is read and the CORS check is not enforced.

2. When there are explicit domains, the cookie will only be read if the request originates from one of
   the listed domains.

3. If CORS is disabled, the default behaviour is that the cookie won't be read
   (because of potential security issues). To override the behaviour, you can
   use the flag ``--ws-read-cookie`` or the environment variable
   ``HASURA_GRAPHQL_WS_READ_COOKIE``. See
   :doc:`../deployment/graphql-engine-flags/reference` for the setting.

.. toctree::
  :maxdepth: 1
  :hidden:

  Sample use cases <use-cases>
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00			`Subscriptions`
			`=============`

add table of contents to docs pages (#1115) 2018-12-03 15:12:24 +03:00			`.. contents:: Table of contents`
			`:backlinks: none`
			`:depth: 1`
			`:local:`

merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00			`A GraphQL subscription is essentially a query where the client receives an event whenever the value of any field changes`
fix typos in documentation (#2562) 2019-09-11 10:17:14 +03:00			`upstream. The Hasura GraphQL engine supports subscriptions for all kinds of queries. All the concepts of`
			:doc:`queries <../queries/index>` hold true for subscriptions as well.
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
add table of contents to docs pages (#1115) 2018-12-03 15:12:24 +03:00			`Convert a query to a subscription`
			`---------------------------------`

merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00			You can turn any query into a subscription by simply replacing ``query`` with ``subscription`` as the operation type.

			`.. admonition:: Caveat`

update broken links in docs (#3055) * Removed text about source code Source code was removed by hasura/graphql-engine@fb3794c3 * links update for subscriptions/index links updated because 1) facebook.github.io was changed to graphql.github.io/graphql-spec/ 2) path to docs changed by apollographql/apollo-client@41ca8ff1 2019-10-10 18:58:24 +03:00			Hasura follows the `GraphQL spec <https://graphql.github.io/graphql-spec/June2018/#sec-Single-root-field>`_ which
docs: multiple root fields in subscription was removed (#1264) In alpha33 the support for multiple root fields in a subscription was removed. 2018-12-24 10:01:17 +03:00			`allows for only one root field in a subscription.`
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
add table of contents to docs pages (#1115) 2018-12-03 15:12:24 +03:00			`Use cases`
			`---------`
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
			- :ref:`subscribe_field`
			- :ref:`subscribe_table`
			- :ref:`subscribe_derived`

add table of contents to docs pages (#1115) 2018-12-03 15:12:24 +03:00			`Communication protocol`
			`----------------------`
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
update docs (#1696) 2019-03-06 11:58:04 +03:00			Hasura GraphQL engine uses the `GraphQL over WebSocket Protocol
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00			<https://github.com/apollographql/subscriptions-transport-ws/blob/master/PROTOCOL.md>`_ by the
			`apollographql/subscriptions-transport-ws <https://github.com/apollographql/subscriptions-transport-ws>`_ library
			`for sending and receiving events.`

update docs (#1696) 2019-03-06 11:58:04 +03:00			`.. admonition:: Setting headers for subscriptions with Apollo client`

update docs (#2023) * add missing column error to troubleshooting * update subscription headers section * docs for using {} expression * fix create foreign-key section 2019-04-17 16:37:42 +03:00			If you are using Apollo Client, headers can be passed to a subscription by setting ``connectionParams`` while
update broken links in docs (#3055) * Removed text about source code Source code was removed by hasura/graphql-engine@fb3794c3 * links update for subscriptions/index links updated because 1) facebook.github.io was changed to graphql.github.io/graphql-spec/ 2) path to docs changed by apollographql/apollo-client@41ca8ff1 2019-10-10 18:58:24 +03:00			`creating the wsLink <https://www.apollographql.com/docs/react/data/subscriptions/#client-setup>`_:
update docs (#1696) 2019-03-06 11:58:04 +03:00
			`.. code-block:: js`
update docs (#2023) * add missing column error to troubleshooting * update subscription headers section * docs for using {} expression * fix create foreign-key section 2019-04-17 16:37:42 +03:00			`:emphasize-lines: 6-8`
update docs (#1696) 2019-03-06 11:58:04 +03:00
update docs (#2023) * add missing column error to troubleshooting * update subscription headers section * docs for using {} expression * fix create foreign-key section 2019-04-17 16:37:42 +03:00			`// Create a WebSocket link:`
			`const wsLink = new WebSocketLink({`
			uri: `<graphql-endpoint>`,
			`options: {`
			`reconnect: true,`
			`connectionParams: {`
			`headers: {headers-object}`
			`}`
update docs (#1696) 2019-03-06 11:58:04 +03:00			`}`
update docs (#2023) * add missing column error to troubleshooting * update subscription headers section * docs for using {} expression * fix create foreign-key section 2019-04-17 16:37:42 +03:00			`});`

update broken links in docs (#3055) * Removed text about source code Source code was removed by hasura/graphql-engine@fb3794c3 * links update for subscriptions/index links updated because 1) facebook.github.io was changed to graphql.github.io/graphql-spec/ 2) path to docs changed by apollographql/apollo-client@41ca8ff1 2019-10-10 18:58:24 +03:00			See `this <https://www.apollographql.com/docs/react/data/subscriptions/#authentication-over-websocket>`_ for more info on
update docs (#2023) * add missing column error to troubleshooting * update subscription headers section * docs for using {} expression * fix create foreign-key section 2019-04-17 16:37:42 +03:00			using ``connectionParams``.

update docs (#1696) 2019-03-06 11:58:04 +03:00
			`Cookies and WebSockets`
			`----------------------`
fix typos in documentation (#2562) 2019-09-11 10:17:14 +03:00			`The Hasura GraphQL engine will read cookies sent by the browser when initiating a`
			`WebSocket connection. The browser will send the cookie only if it is a secure cookie`
read cookie while initialising websocket connection (fix #1660) (#1668) * read cookie while initialising websocket connection (fix #1660) * add tests for cookie on websocket init * fix logic for tests * enforce cors, and flag to force read cookie when cors disabled - as browsers don't enforce SOP on websockets, we enforce CORS policy on websocket handshake - if CORS is disabled, by default cookie is not read (because XSS risk!). Add special flag to force override this behaviour * add log and forward origin header to webhook - add log notice when cors is disabled, and cookie is not read on websocket handshake - forward origin header to webhook in POST mode. So that when CORS is disabled, webhook can also enforce CORS independently. * add docs, and forward all client headers to webhook 2019-03-04 10:46:53 +03:00			(``secure`` flag in the cookie) and if the cookie has a ``HttpOnly`` flag.

			`Hasura will read this cookie and use it as headers when resolving authorization`
			`(i.e. when resolving the auth webhook).`

update docs (#1696) 2019-03-06 11:58:04 +03:00			`Cookies, WebSockets and CORS`
read cookie while initialising websocket connection (fix #1660) (#1668) * read cookie while initialising websocket connection (fix #1660) * add tests for cookie on websocket init * fix logic for tests * enforce cors, and flag to force read cookie when cors disabled - as browsers don't enforce SOP on websockets, we enforce CORS policy on websocket handshake - if CORS is disabled, by default cookie is not read (because XSS risk!). Add special flag to force override this behaviour * add log and forward origin header to webhook - add log notice when cors is disabled, and cookie is not read on websocket handshake - forward origin header to webhook in POST mode. So that when CORS is disabled, webhook can also enforce CORS independently. * add docs, and forward all client headers to webhook 2019-03-04 10:46:53 +03:00			`^^^^^^^^^^^^^^^^^^^^^^^^^^^^`
fix typos in documentation (#2562) 2019-09-11 10:17:14 +03:00			`As browsers don't enforce Same Origin Policy (SOP) for websockets, the Hasura server`
read cookie while initialising websocket connection (fix #1660) (#1668) * read cookie while initialising websocket connection (fix #1660) * add tests for cookie on websocket init * fix logic for tests * enforce cors, and flag to force read cookie when cors disabled - as browsers don't enforce SOP on websockets, we enforce CORS policy on websocket handshake - if CORS is disabled, by default cookie is not read (because XSS risk!). Add special flag to force override this behaviour * add log and forward origin header to webhook - add log notice when cors is disabled, and cookie is not read on websocket handshake - forward origin header to webhook in POST mode. So that when CORS is disabled, webhook can also enforce CORS independently. * add docs, and forward all client headers to webhook 2019-03-04 10:46:53 +03:00			`enforces the CORS rules when accepting the websocket connection.`

			It uses the provided CORS configuration (as per :ref:`configure-cors`).

fix typos in documentation (#2562) 2019-09-11 10:17:14 +03:00			1. When it is ``*``, the cookie is read and the CORS check is not enforced.
read cookie while initialising websocket connection (fix #1660) (#1668) * read cookie while initialising websocket connection (fix #1660) * add tests for cookie on websocket init * fix logic for tests * enforce cors, and flag to force read cookie when cors disabled - as browsers don't enforce SOP on websockets, we enforce CORS policy on websocket handshake - if CORS is disabled, by default cookie is not read (because XSS risk!). Add special flag to force override this behaviour * add log and forward origin header to webhook - add log notice when cors is disabled, and cookie is not read on websocket handshake - forward origin header to webhook in POST mode. So that when CORS is disabled, webhook can also enforce CORS independently. * add docs, and forward all client headers to webhook 2019-03-04 10:46:53 +03:00
fix typos in documentation (#2562) 2019-09-11 10:17:14 +03:00			`2. When there are explicit domains, the cookie will only be read if the request originates from one of`
			`the listed domains.`
read cookie while initialising websocket connection (fix #1660) (#1668) * read cookie while initialising websocket connection (fix #1660) * add tests for cookie on websocket init * fix logic for tests * enforce cors, and flag to force read cookie when cors disabled - as browsers don't enforce SOP on websockets, we enforce CORS policy on websocket handshake - if CORS is disabled, by default cookie is not read (because XSS risk!). Add special flag to force override this behaviour * add log and forward origin header to webhook - add log notice when cors is disabled, and cookie is not read on websocket handshake - forward origin header to webhook in POST mode. So that when CORS is disabled, webhook can also enforce CORS independently. * add docs, and forward all client headers to webhook 2019-03-04 10:46:53 +03:00
fix typos in documentation (#2562) 2019-09-11 10:17:14 +03:00			`3. If CORS is disabled, the default behaviour is that the cookie won't be read`
read cookie while initialising websocket connection (fix #1660) (#1668) * read cookie while initialising websocket connection (fix #1660) * add tests for cookie on websocket init * fix logic for tests * enforce cors, and flag to force read cookie when cors disabled - as browsers don't enforce SOP on websockets, we enforce CORS policy on websocket handshake - if CORS is disabled, by default cookie is not read (because XSS risk!). Add special flag to force override this behaviour * add log and forward origin header to webhook - add log notice when cors is disabled, and cookie is not read on websocket handshake - forward origin header to webhook in POST mode. So that when CORS is disabled, webhook can also enforce CORS independently. * add docs, and forward all client headers to webhook 2019-03-04 10:46:53 +03:00			`(because of potential security issues). To override the behaviour, you can`
fix typos in documentation (#2562) 2019-09-11 10:17:14 +03:00			use the flag ``--ws-read-cookie`` or the environment variable
read cookie while initialising websocket connection (fix #1660) (#1668) * read cookie while initialising websocket connection (fix #1660) * add tests for cookie on websocket init * fix logic for tests * enforce cors, and flag to force read cookie when cors disabled - as browsers don't enforce SOP on websockets, we enforce CORS policy on websocket handshake - if CORS is disabled, by default cookie is not read (because XSS risk!). Add special flag to force override this behaviour * add log and forward origin header to webhook - add log notice when cors is disabled, and cookie is not read on websocket handshake - forward origin header to webhook in POST mode. So that when CORS is disabled, webhook can also enforce CORS independently. * add docs, and forward all client headers to webhook 2019-03-04 10:46:53 +03:00			``HASURA_GRAPHQL_WS_READ_COOKIE``. See
			:doc:`../deployment/graphql-engine-flags/reference` for the setting.

merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00			`.. toctree::`
			`:maxdepth: 1`
			`:hidden:`

docs: multiple root fields in subscription was removed (#1264) In alpha33 the support for multiple root fields in a subscription was removed. 2018-12-24 10:01:17 +03:00			`Sample use cases <use-cases>`