From f7c381efd820e11f872544516df3c35ec0c6e850 Mon Sep 17 00:00:00 2001
From: Ulf Gebhardt
Date: Thu, 20 Jul 2023 13:44:04 +0200
Subject: [PATCH] subscription chatMessageAdded security fix
---
 backend/src/schema/resolvers/messages.ts | 4 ++--
 backend/src/schema/types/type/Message.gql | 2 +-
 webapp/components/Chat/Chat.vue | 3 ---
 webapp/graphql/Messages.js | 4 ++--
 4 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/backend/src/schema/resolvers/messages.ts b/backend/src/schema/resolvers/messages.ts
index b7e7a7a73..c1381045f 100644
--- a/backend/src/schema/resolvers/messages.ts
+++ b/backend/src/schema/resolvers/messages.ts
@@ -25,8 +25,8 @@ export default {
 chatMessageAdded: {
 subscribe: withFilter(
 () => pubsub.asyncIterator(CHAT_MESSAGE_ADDED),
- (payload, variables) => {
- return payload.userId === variables.userId
+ (payload, variables, context) => {
+ return payload.userId === context.user?.id
 },
 ),
 },
diff --git a/backend/src/schema/types/type/Message.gql b/backend/src/schema/types/type/Message.gql
index 71d175e1c..16e458151 100644
--- a/backend/src/schema/types/type/Message.gql
+++ b/backend/src/schema/types/type/Message.gql
@@ -46,5 +46,5 @@ type Query {
 }
 type Subscription {
- chatMessageAdded(userId: ID!): Message
+ chatMessageAdded: Message
 }
diff --git a/webapp/components/Chat/Chat.vue b/webapp/components/Chat/Chat.vue
index c2c7c412c..a1e5adf01 100644
--- a/webapp/components/Chat/Chat.vue
+++ b/webapp/components/Chat/Chat.vue
@@ -195,9 +195,6 @@ export default {
 // Subscriptions
 const observer = this.$apollo.subscribe({
 query: chatMessageAdded(),
- variables: {
- userId: this.currentUser.id,
- },
 })
 observer.subscribe({
diff --git a/webapp/graphql/Messages.js b/webapp/graphql/Messages.js
index cb5d37df9..ffa2760f9 100644
--- a/webapp/graphql/Messages.js
+++ b/webapp/graphql/Messages.js
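Review bot: In backend/src/schema/resolvers/messages.ts, the new filter `payload.userId === context.user?.id` is true when both sides are `undefined`, so a connection without an authenticated user would match any event published without a `userId`; whether that can occur depends on the publisher and on any auth guard in front of the subscription, neither of which is visible in this hunk. Checking the identity explicitly closes that case: `return context.user?.id != null && payload.userId === context.user.id`. A short comment such as `// recipient is taken from the authenticated context, never from client-supplied variables` would record why `variables` is deliberately ignored. The commit also carries no test; one asserting that a subscriber authenticated as one user does not receive a message addressed to another would pin the fix. The enclosing resolver object starts and ends outside the hunk.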
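Review bot: In backend/src/schema/types/type/Message.gql, the `chatMessageAdded` field no longer gives any hint of whose messages it delivers, because the `userId` argument that implied it is gone. A schema description would record the contract for client authors, for example `"""Messages addressed to the authenticated user; the recipient is taken from the session, never from an argument."""` above the field. Removing a required argument is also a breaking schema change, so clients built before this commit that still send `userId` will presumably fail validation until updated, which is worth stating in the release notes.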
@@ -54,8 +54,8 @@ export const messageQuery = () => {
 export const chatMessageAdded = () => {
 return gql`
- subscription chatMessageAdded($userId: ID!) {
- chatMessageAdded(userId: $userId) {
+ subscription chatMessageAdded {
+ chatMessageAdded {
 _id
 id
 indexId