subscription chatMessageAdded security fix

backend/src/schema/resolvers/messages.ts

@@ -25,8 +25,8 @@ export default {
     chatMessageAdded: {
       subscribe: withFilter(
         () => pubsub.asyncIterator(CHAT_MESSAGE_ADDED),
-        (payload, variables) => {
-          return payload.userId === variables.userId
+        (payload, variables, context) => {
+          return payload.userId === context.user?.id
         },
       ),
     },

backend/src/schema/types/type/Message.gql

@@ -46,5 +46,5 @@ type Query {
 }
 
 type Subscription {
-  chatMessageAdded(userId: ID!): Message
+  chatMessageAdded: Message
 }

webapp/components/Chat/Chat.vue

@@ -195,9 +195,6 @@ export default {
     // Subscriptions
     const observer = this.$apollo.subscribe({
       query: chatMessageAdded(),
-      variables: {
-        userId: this.currentUser.id,
-      },
     })
 
     observer.subscribe({

webapp/graphql/Messages.js

@@ -54,8 +54,8 @@ export const messageQuery = () => {
 
 export const chatMessageAdded = () => {
   return gql`
-    subscription chatMessageAdded($userId: ID!) {
-      chatMessageAdded(userId: $userId) {
+    subscription chatMessageAdded {
+      chatMessageAdded {
         _id
         id
         indexId