From 1b8b356432e753ba0919f63bd7629f1c5adabd97 Mon Sep 17 00:00:00 2001
From: Ulf Gebhardt
Date: Thu, 20 Jul 2023 13:41:59 +0200
Subject: [PATCH 1/3] notification subscription
---
 backend/src/schema/resolvers/notifications.ts | 4 ++--
 backend/src/schema/types/type/NOTIFIED.gql | 2 +-
 webapp/components/NotificationMenu/NotificationMenu.vue | 5 -----
 webapp/graphql/User.js | 4 ++--
 4 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/backend/src/schema/resolvers/notifications.ts b/backend/src/schema/resolvers/notifications.ts
index e427de227..6a3e232cc 100644
--- a/backend/src/schema/resolvers/notifications.ts
+++ b/backend/src/schema/resolvers/notifications.ts
@@ -7,8 +7,8 @@ export default {
 notificationAdded: {
 subscribe: withFilter(
 () => pubsub.asyncIterator(NOTIFICATION_ADDED),
- (payload, variables) => {
- return payload.notificationAdded.to.id === variables.userId
+ (payload, variables, context) => {
+ return payload.notificationAdded.to.id === context.user?.id
 },
 ),
 },
diff --git a/backend/src/schema/types/type/NOTIFIED.gql b/backend/src/schema/types/type/NOTIFIED.gql
index 62a1f3696..1f825decc 100644
--- a/backend/src/schema/types/type/NOTIFIED.gql
+++ b/backend/src/schema/types/type/NOTIFIED.gql
@@ -38,5 +38,5 @@ type Mutation {
 }
 type Subscription {
- notificationAdded(userId: ID!): NOTIFIED
+ notificationAdded: NOTIFIED
 }
diff --git a/webapp/components/NotificationMenu/NotificationMenu.vue b/webapp/components/NotificationMenu/NotificationMenu.vue
index 9e94e07d7..d0e21bf96 100644
--- a/webapp/components/NotificationMenu/NotificationMenu.vue
+++ b/webapp/components/NotificationMenu/NotificationMenu.vue
@@ -137,11 +137,6 @@ export default {
 },
 subscribeToMore: {
 document: notificationAdded(),
- variables() {
- return {
- userId: this.user.id,
- }
- },
 updateQuery: (previousResult, { subscriptionData }) => {
 const {
 data: { notificationAdded: newNotification },
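Review bot: The new filter `payload.notificationAdded.to.id === context.user?.id` fails closed only while the payload side is never `undefined`: on a connection without an authenticated user `context.user?.id` is `undefined`, so a payload with a missing recipient id would match every anonymous subscriber. An explicit guard removes that edge case, `return context.user?.id != null && payload.notificationAdded.to.id === context.user.id`. The same pattern is in the `chatMessageAdded` filter in messages.ts and the `roomCountUpdated` filter in rooms.ts (`payload.userId === context.user?.id`). Whether `context.user` is populated for subscription connections depends on setup outside this diff, so it is worth confirming and pinning with a test where a second user subscribes and receives nothing. The resolver object starts outside the hunk.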
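Review bot: Removing the required `userId: ID!` argument from `notificationAdded` is a breaking schema change for any client that still sends `notificationAdded(userId: $userId)`, for example a cached webapp bundle, which would presumably be rejected at validation rather than receive events. If backend and webapp are not released together this needs a coordinated deploy or a release-note entry. The same applies to `chatMessageAdded` in Message.gql and `roomCountUpdated` in Room.gql. A schema comment above the field such as `# recipient is taken from the authenticated context, not from an argument` would also keep the argument from being reintroduced later.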
diff --git a/webapp/graphql/User.js b/webapp/graphql/User.js
index fcdac0989..4b743a0e3 100644
--- a/webapp/graphql/User.js
+++ b/webapp/graphql/User.js
@@ -245,8 +245,8 @@ export const notificationAdded = () => {
 ${postFragment}
 ${groupFragment}
- subscription notifications($userId: ID!) {
- notificationAdded(userId: $userId) {
+ subscription notifications {
+ notificationAdded {
 id
 read
 reason
From f7c381efd820e11f872544516df3c35ec0c6e850 Mon Sep 17 00:00:00 2001
From: Ulf Gebhardt
Date: Thu, 20 Jul 2023 13:44:04 +0200
Subject: [PATCH 2/3] subscription chatMessageAdded security fix
---
 backend/src/schema/resolvers/messages.ts | 4 ++--
 backend/src/schema/types/type/Message.gql | 2 +-
 webapp/components/Chat/Chat.vue | 3 ---
 webapp/graphql/Messages.js | 4 ++--
 4 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/backend/src/schema/resolvers/messages.ts b/backend/src/schema/resolvers/messages.ts
index b7e7a7a73..c1381045f 100644
--- a/backend/src/schema/resolvers/messages.ts
+++ b/backend/src/schema/resolvers/messages.ts
@@ -25,8 +25,8 @@ export default {
 chatMessageAdded: {
 subscribe: withFilter(
 () => pubsub.asyncIterator(CHAT_MESSAGE_ADDED),
- (payload, variables) => {
- return payload.userId === variables.userId
+ (payload, variables, context) => {
+ return payload.userId === context.user?.id
 },
 ),
 },
diff --git a/backend/src/schema/types/type/Message.gql b/backend/src/schema/types/type/Message.gql
index 71d175e1c..16e458151 100644
--- a/backend/src/schema/types/type/Message.gql
+++ b/backend/src/schema/types/type/Message.gql
@@ -46,5 +46,5 @@ type Query {
 }
 type Subscription {
- chatMessageAdded(userId: ID!): Message
+ chatMessageAdded: Message
 }
diff --git a/webapp/components/Chat/Chat.vue b/webapp/components/Chat/Chat.vue
index c2c7c412c..a1e5adf01 100644
--- a/webapp/components/Chat/Chat.vue
+++ b/webapp/components/Chat/Chat.vue
@@ -195,9 +195,6 @@ export default {
 // Subscriptions
 const observer = this.$apollo.subscribe({
 query: chatMessageAdded(),
- variables: {
- userId: this.currentUser.id,
- },
 })
 observer.subscribe({
diff --git a/webapp/graphql/Messages.js b/webapp/graphql/Messages.js
index cb5d37df9..ffa2760f9 100644
--- a/webapp/graphql/Messages.js
+++ b/webapp/graphql/Messages.js
@@ -54,8 +54,8 @@ export const messageQuery = () => {
 export const chatMessageAdded = () => {
 return gql`
- subscription chatMessageAdded($userId: ID!) {
- chatMessageAdded(userId: $userId) {
+ subscription chatMessageAdded {
+ chatMessageAdded {
 _id
 id
 indexId
From 604e1d8465bc6054eebc1f16b6778c6d34507cb9 Mon Sep 17 00:00:00 2001
From: Ulf Gebhardt
Date: Thu, 20 Jul 2023 13:44:23 +0200
Subject: [PATCH 3/3] subscription roomCountUpdated security fix
---
 backend/src/schema/resolvers/rooms.ts | 4 ++--
 backend/src/schema/types/type/Room.gql | 2 +-
 .../components/ChatNotificationMenu/ChatNotificationMenu.vue | 5 -----
 webapp/graphql/Rooms.js | 4 ++--
 4 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/backend/src/schema/resolvers/rooms.ts b/backend/src/schema/resolvers/rooms.ts
index 5e931a446..5382c5ee7 100644
--- a/backend/src/schema/resolvers/rooms.ts
+++ b/backend/src/schema/resolvers/rooms.ts
@@ -20,8 +20,8 @@ export default {
 roomCountUpdated: {
 subscribe: withFilter(
 () => pubsub.asyncIterator(ROOM_COUNT_UPDATED),
- (payload, variables) => {
- return payload.userId === variables.userId
+ (payload, variables, context) => {
+ return payload.userId === context.user?.id
 },
 ),
 },
diff --git a/backend/src/schema/types/type/Room.gql b/backend/src/schema/types/type/Room.gql
index 0cf5b22c8..221df8299 100644
--- a/backend/src/schema/types/type/Room.gql
+++ b/backend/src/schema/types/type/Room.gql
@@ -57,5 +57,5 @@ type Query {
 }
 type Subscription {
- roomCountUpdated(userId: ID!): Int
+ roomCountUpdated: Int
 }
diff --git a/webapp/components/ChatNotificationMenu/ChatNotificationMenu.vue b/webapp/components/ChatNotificationMenu/ChatNotificationMenu.vue
index ec3f9fbc7..dd36b965a 100644
--- a/webapp/components/ChatNotificationMenu/ChatNotificationMenu.vue
+++ b/webapp/components/ChatNotificationMenu/ChatNotificationMenu.vue
@@ -44,11 +44,6 @@ export default {
 },
 subscribeToMore: {
 document: roomCountUpdated(),
- variables() {
- return {
- userId: this.user.id,
- }
- },
 updateQuery: (previousResult, { subscriptionData }) => {
 return { UnreadRooms: subscriptionData.data.roomCountUpdated }
 },
diff --git a/webapp/graphql/Rooms.js b/webapp/graphql/Rooms.js
index 757a6cfa4..577eb8eff 100644
--- a/webapp/graphql/Rooms.js
+++ b/webapp/graphql/Rooms.js
@@ -52,8 +52,8 @@ export const unreadRoomsQuery = () => {
 export const roomCountUpdated = () => {
 return gql`
- subscription roomCountUpdated($userId: ID!) {
- roomCountUpdated(userId: $userId)
+ subscription roomCountUpdated {
+ roomCountUpdated
 }
 `
 }