🐛 Bug Report: Realtime channel still receiving data after user session is deleted/logout

[mcchin]

👟 Reproduction steps

Config/Setup:

• I am using Appwrite v:0.13.4.304, WebSDK 7.0.0, and node-appwrite 5.0.0
• Database collection is setup as Document Level permission
• Documents read permission are assigned appropriately like so, e.g. user:UserID
• There is a collection with only couple of documents with read access for User A, but NOT User B

To reproduce:

1. Login as User A , e.g. sdk.account.createSession(User A email, User A password)

2. At a React page, using WebSDK to subscribe to a channel like so

  useEffect(() => {
    const unsubscribe = sdk.subscribe(`collections.COLLECTION_ID.documents`,
      res => {
        console.log('realtime response', res)
      }
    )

    return () => {
      unsubscribe()
    }
  }, [])

3. Update any of the documents on the said collection from Appwrite Console, and I can noticed data is received, and channel/subscription callback is executed

4. User A logout, unsubscribe() is fired, and then User A is logout like so sdk.account.deleteSession('current') / sdk.account.deleteSession(session_id)
   NOTE: Don't refresh browser page or close the browser tab, if you have refreshed browser page or close the browser tab you can't reproduce the issue

5. Update any of the documents on the said collection from Appwrite Console, at the same browser tab where sdk.account.deleteSession is executed and I can noticed data is still being received As seen in image below where data still coming into Websocket , but channel/subscription callback is NOT executed

👍 Expected behavior

As described in reproduction steps above, I am expecting Websocket stop receiving data after session is removed after sdk.account.deleteSession('current') / sdk.account.deleteSession(session_id)

👎 Actual Behavior

After sdk.account.deleteSession('current') / sdk.account.deleteSession(session_id), Websocket still receiving data

🎲 Appwrite version

Different version (specify in environment)

💻 Operating system

Linux

🧱 Your Environment

• Frontend using React 17.x, and WebSDK 7.0.0
• Backend using Node 14.x and Appwrite Node client 5.0.0

👀 Have you spent some time to check if this issue has been raised before?

• I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?

• I have read the Code of Conduct

[mcchin]

This is a different unexpected behaviour but might share the same root cause with #24

[TorstenDittmann]

Yeah, that is actually expected behavior as of right now.

The realtime server is only aware of the session when the user connects. So once the user is connected and authenticated, the connection is assigned to a specific user - not session.

To prevent this, I can only think of re-establishing the connection after a session is /created/deleted.

This definitely require some more work and planning to fix.

[mcchin]

@TorstenDittmann

Thanks for the feedback

To avoid non-authorized user receiving data from Websocket, currently I am thinking to refresh the page after user click logout. Do you have other recommendation?

[mcchin]

I have also noticed if I have unsubscribed to a channel, although the callback is not fired but I will still be receiving data from Websocket

[TorstenDittmann]

I have also noticed if I have unsubscribed to a channel, although the callback is not fired but I will still be receiving data from Websocket

Can you provide me the list of channels where that happens?

[mcchin]

I have also noticed if I have unsubscribed to a channel, although the callback is not fired but I will still be receiving data from Websocket

Can you provide me the list of channels where that happens?

collections.COLLECTION_ID.documents is what I am using currently
But looking at the current behaviour I suspect all channels will have the same issue where when you have unsubscribed a channel you will still be receiving data messages at Websocket level. As I have also noticed when you have unsubscribed a channel nothing is sent back to server side, so I am speculating server side don't know client side has unsubscribed a channel

[TorstenDittmann]

I have also noticed if I have unsubscribed to a channel, although the callback is not fired but I will still be receiving data from Websocket

Can you provide me the list of channels where that happens?

collections.COLLECTION_ID.documents is what I am using currently But looking at the current behaviour I suspect all channels will have the same issue where when you have unsubscribed a channel you will still be receiving data messages at Websocket level. As I have also noticed when you have unsubscribed a channel nothing is sent back to server side, so I am speculating server side don't know client side has unsubscribed a channel

The logic should be, to only reconnect and therefore tell the Realtime Server the new list of channels, when you unsubscribe from a channel when there is no subscription attached to it anymore.

I'll check on my side what's happening 🙂

[xuelink]

@TorstenDittmann I think this has been fixed by #93