fix: do not pass "jwt" to Authorization calls (#1499)

It's a minor thing but the JWT was being sent as part of the auth params
which is called on an RPC call increasing the payload

Author: edgurgel

lib/realtime/tenants/authorization.ex

@@ -21,12 +21,11 @@ defmodule Realtime.Tenants.Authorization do
   defstruct [:tenant_id, :topic, :headers, :jwt, :claims, :role]
 
   @type t :: %__MODULE__{
-          :tenant_id => binary() | nil,
-          :topic => binary() | nil,
-          :claims => map(),
-          :headers => keyword({binary(), binary()}),
-          :jwt => map(),
-          :role => binary()
+          :tenant_id => binary | nil,
+          :topic => binary | nil,
+          :claims => map,
+          :headers => list({binary, binary}),
+          :role => binary
         }
 
   @doc """
@@ -35,7 +34,6 @@ defmodule Realtime.Tenants.Authorization do
   Requires a map with the following keys:
   * topic: The name of the channel being accessed taken from the request
   * headers: Request headers when the connection was made or WS was updated
-  * jwt: JWT String
   * claims: JWT claims
   * role: JWT role
   """
@@ -45,7 +43,6 @@ defmodule Realtime.Tenants.Authorization do
       tenant_id: Map.get(map, :tenant_id),
       topic: Map.get(map, :topic),
       headers: Map.get(map, :headers),
-      jwt: Map.get(map, :jwt),
       claims: Map.get(map, :claims),
       role: Map.get(map, :role)
     }

lib/realtime/tenants/batch_broadcast.ex

@@ -38,7 +38,6 @@ defmodule Realtime.Tenants.BatchBroadcast do
     auth_params = %{
       tenant_id: tenant.external_id,
       headers: conn.req_headers,
-      jwt: conn.assigns.jwt,
       claims: conn.assigns.claims,
       role: conn.assigns.role
     }

lib/realtime_web/channels/realtime_channel.ex

@@ -60,8 +60,8 @@ defmodule RealtimeWeb.RealtimeChannel do
          :ok <- limit_joins(socket),
          :ok <- limit_channels(socket),
          :ok <- limit_max_users(socket),
-         {:ok, claims, confirm_token_ref, access_token, _} <- confirm_token(socket),
-         socket = assign_authorization_context(socket, sub_topic, access_token, claims),
+         {:ok, claims, confirm_token_ref} <- confirm_token(socket),
+         socket = assign_authorization_context(socket, sub_topic, claims),
          {:ok, db_conn} <- Connect.lookup_or_start_connection(tenant_id),
          {:ok, socket} <- maybe_assign_policies(sub_topic, db_conn, socket) do
       tenant_topic = Tenants.tenant_topic(tenant_id, sub_topic, !socket.assigns.private?)
@@ -308,7 +308,7 @@ defmodule RealtimeWeb.RealtimeChannel do
 
   def handle_info(:confirm_token, %{assigns: %{pg_change_params: pg_change_params}} = socket) do
     case confirm_token(socket) do
-      {:ok, claims, confirm_token_ref, _, _} ->
+      {:ok, claims, confirm_token_ref} ->
         pg_change_params = Enum.map(pg_change_params, &Map.put(&1, :claims, claims))
         {:noreply, assign(socket, %{confirm_token_ref: confirm_token_ref, pg_change_params: pg_change_params})}
 
@@ -393,8 +393,8 @@ defmodule RealtimeWeb.RealtimeChannel do
     # Update token and reset policies
     socket = assign(socket, %{access_token: refresh_token, policies: nil})
 
-    with {:ok, claims, confirm_token_ref, _, socket} <- confirm_token(socket),
-         socket = assign_authorization_context(socket, channel_name, refresh_token, claims),
+    with {:ok, claims, confirm_token_ref} <- confirm_token(socket),
+         socket = assign_authorization_context(socket, channel_name, claims),
          {:ok, db_conn} <- Connect.lookup_or_start_connection(tenant_id),
          {:ok, socket} <- maybe_assign_policies(channel_name, db_conn, socket) do
       Helpers.cancel_timer(pg_sub_ref)
@@ -567,7 +567,7 @@ defmodule RealtimeWeb.RealtimeChannel do
       interval = min(@confirm_token_ms_interval, exp_diff * 1000)
       ref = Process.send_after(self(), :confirm_token, interval)
 
-      {:ok, claims, ref, access_token, socket}
+      {:ok, claims, ref}
     else
       {:error, :token_malformed} ->
         {:error, :token_malformed, "The token provided is not a valid JWT"}
@@ -696,13 +696,12 @@ defmodule RealtimeWeb.RealtimeChannel do
     end)
   end
 
-  defp assign_authorization_context(socket, topic, access_token, claims) do
+  defp assign_authorization_context(socket, topic, claims) do
     authorization_context =
       Authorization.build_authorization_params(%{
         tenant_id: socket.assigns.tenant,
         topic: topic,
         headers: Map.get(socket.assigns, :headers, []),
-        jwt: access_token,
         claims: claims,
         role: claims["role"]
       })

mix.exs

@@ -4,7 +4,7 @@ defmodule Realtime.MixProject do
   def project do
     [
       app: :realtime,
-      version: "2.42.4",
+      version: "2.42.5",
       elixir: "~> 1.17.3",
       elixirc_paths: elixirc_paths(Mix.env()),
       start_permanent: Mix.env() == :prod,

test/realtime/tenants/authorization_test.exs

@@ -237,15 +237,11 @@ defmodule Realtime.Tenants.AuthorizationTest do
     create_rls_policies(db_conn, context.policies, %{topic: topic})
 
     claims = %{sub: random_string(), role: context.role, exp: Joken.current_time() + 1_000}
-    signer = Joken.Signer.create("HS256", "secret")
-
-    jwt = Joken.generate_and_sign!(%{}, claims, signer)
 
     authorization_context =
       Authorization.build_authorization_params(%{
         tenant_id: tenant.external_id,
         topic: topic,
-        jwt: jwt,
         claims: claims,
         headers: [{"header-1", "value-1"}],
         role: claims.role