aws-appsync-subscription-link 3.1.2 → 3.1.4

package/CHANGELOG.md

@@ -3,6 +3,28 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+<a name="3.1.4"></a>
+## [3.1.4](https://github.com/awslabs/aws-mobile-appsync-sdk-js/compare/aws-appsync-subscription-link@3.1.3...aws-appsync-subscription-link@3.1.4) (2026-03-24)
+
+
+### Bug Fixes
+
+* **subscription-link:** move auth credentials from URL query string to Sec-WebSocket-Protocol header ([748b45a](https://github.com/awslabs/aws-mobile-appsync-sdk-js/commit/748b45a))
+
+
+
+
+<a name="3.1.3"></a>
+## [3.1.3](https://github.com/awslabs/aws-mobile-appsync-sdk-js/compare/aws-appsync-subscription-link@3.1.2...aws-appsync-subscription-link@3.1.3) (2024-01-23)
+
+
+### Bug Fixes
+
+* exception due to illegal access to item in an empty map ([#747](https://github.com/awslabs/aws-mobile-appsync-sdk-js/issues/747)) ([82cb58e](https://github.com/awslabs/aws-mobile-appsync-sdk-js/commit/82cb58e))
+
+
+
+
 <a name="3.1.2"></a>
 ## [3.1.2](https://github.com/awslabs/aws-mobile-appsync-sdk-js/compare/aws-appsync-subscription-link@3.1.1...aws-appsync-subscription-link@3.1.2) (2022-11-17)
 

package/__tests__/link/realtime-subscription-handshake-link-test.ts

@@ -8,6 +8,20 @@ jest.mock('uuid', () => ({ v4: jest.fn() }));
 
 const query = gql`subscription { someSubscription { aField } }`
 
+/**
+ * Helper to decode a base64url-encoded header from the Sec-WebSocket-Protocol value.
+ * The protocol value is prefixed with "header-".
+ */
+function decodeProtocolHeader(protocols: string | string[]): Record<string, string> {
+  const arr = Array.isArray(protocols) ? protocols : [protocols];
+  const headerProtocol = arr.find(p => p.startsWith("header-"));
+  if (!headerProtocol) throw new Error("No header- protocol found");
+  const base64url = headerProtocol.slice("header-".length);
+  // Convert base64url back to standard base64
+  const base64 = base64url.replace(/-/g, "+").replace(/_/g, "/");
+  return JSON.parse(Buffer.from(base64, "base64").toString());
+}
+
 class myWebSocket implements WebSocket {
     binaryType: BinaryType;
     bufferedAmount: number;
@@ -75,13 +89,17 @@ describe("RealTime subscription link", () => {
     });
 
     test("Initialize WebSocket correctly for API KEY", (done) => {
-        expect.assertions(2);
+        expect.assertions(3);
         jest.spyOn(Date.prototype, 'toISOString').mockImplementation(jest.fn(() => {
             return "2019-11-13T18:47:04.733Z";
         }));
         AppSyncRealTimeSubscriptionHandshakeLink.createWebSocket = jest.fn((url, protocol) => {
-            expect(url).toBe('wss://apikeytesturl1234567890123.appsync-realtime-api.us-west-2.amazonaws.com/graphql?header=eyJob3N0IjoiYXBpa2V5dGVzdHVybDEyMzQ1Njc4OTAxMjMuYXBwc3luYy1hcGkudXMtd2VzdC0yLmFtYXpvbmF3cy5jb20iLCJ4LWFtei1kYXRlIjoiMjAxOTExMTNUMTg0NzA0WiIsIngtYXBpLWtleSI6Inh4eHh4In0=&payload=e30=');
-            expect(protocol).toBe('graphql-ws');
+            // URL should be clean — no query string with credentials
+            expect(url).toBe('wss://apikeytesturl1234567890123.appsync-realtime-api.us-west-2.amazonaws.com/graphql');
+            // Protocol should be an array with graphql-ws and header- prefix
+            expect(Array.isArray(protocol)).toBe(true);
+            const header = decodeProtocolHeader(protocol);
+            expect(header["x-api-key"]).toBe("xxxxx");
             done();
             return new myWebSocket();
         });
@@ -112,13 +130,15 @@ describe("RealTime subscription link", () => {
     });
 
     test("Initialize WebSocket correctly for API KEY with custom domain", (done) => {
-        expect.assertions(2);
+        expect.assertions(3);
         jest.spyOn(Date.prototype, 'toISOString').mockImplementation(jest.fn(() => {
             return "2019-11-13T18:47:04.733Z";
         }));
         AppSyncRealTimeSubscriptionHandshakeLink.createWebSocket = jest.fn((url, protocol) => {
-            expect(url).toBe('wss://apikeytest.testcustomdomain.com/graphql/realtime?header=eyJob3N0IjoiYXBpa2V5dGVzdC50ZXN0Y3VzdG9tZG9tYWluLmNvbSIsIngtYW16LWRhdGUiOiIyMDE5MTExM1QxODQ3MDRaIiwieC1hcGkta2V5IjoieHh4eHgifQ==&payload=e30=');
-            expect(protocol).toBe('graphql-ws');
+            expect(url).toBe('wss://apikeytest.testcustomdomain.com/graphql/realtime');
+            expect(Array.isArray(protocol)).toBe(true);
+            const header = decodeProtocolHeader(protocol);
+            expect(header["x-api-key"]).toBe("xxxxx");
             done();
             return new myWebSocket();
         });
@@ -149,13 +169,15 @@ describe("RealTime subscription link", () => {
     });
 
     test("Initialize WebSocket correctly for COGNITO USER POOLS", (done) => {
-        expect.assertions(2);
+        expect.assertions(3);
         jest.spyOn(Date.prototype, 'toISOString').mockImplementation(jest.fn(() => {
             return "2019-11-13T18:47:04.733Z";
         }));
         AppSyncRealTimeSubscriptionHandshakeLink.createWebSocket = jest.fn((url, protocol) => {
-            expect(url).toBe('wss://cognitouserpooltesturl1234.appsync-realtime-api.us-west-2.amazonaws.com/graphql?header=eyJBdXRob3JpemF0aW9uIjoidG9rZW4iLCJob3N0IjoiY29nbml0b3VzZXJwb29sdGVzdHVybDEyMzQuYXBwc3luYy1hcGkudXMtd2VzdC0yLmFtYXpvbmF3cy5jb20ifQ==&payload=e30=');
-            expect(protocol).toBe('graphql-ws');
+            expect(url).toBe('wss://cognitouserpooltesturl1234.appsync-realtime-api.us-west-2.amazonaws.com/graphql');
+            expect(Array.isArray(protocol)).toBe(true);
+            const header = decodeProtocolHeader(protocol);
+            expect(header["Authorization"]).toBe("token");
             done();
             return new myWebSocket();
         });
@@ -186,13 +208,15 @@ describe("RealTime subscription link", () => {
     });
 
     test("Initialize WebSocket correctly for COGNITO USER POOLS with custom domain", (done) => {
-        expect.assertions(2);
+        expect.assertions(3);
         jest.spyOn(Date.prototype, 'toISOString').mockImplementation(jest.fn(() => {
             return "2019-11-13T18:47:04.733Z";
         }));
         AppSyncRealTimeSubscriptionHandshakeLink.createWebSocket = jest.fn((url, protocol) => {
-            expect(url).toBe('wss://cognitouserpools.testcustomdomain.com/graphql/realtime?header=eyJBdXRob3JpemF0aW9uIjoidG9rZW4iLCJob3N0IjoiY29nbml0b3VzZXJwb29scy50ZXN0Y3VzdG9tZG9tYWluLmNvbSJ9&payload=e30=');
-            expect(protocol).toBe('graphql-ws');
+            expect(url).toBe('wss://cognitouserpools.testcustomdomain.com/graphql/realtime');
+            expect(Array.isArray(protocol)).toBe(true);
+            const header = decodeProtocolHeader(protocol);
+            expect(header["Authorization"]).toBe("token");
             done();
             return new myWebSocket();
         });
@@ -223,13 +247,15 @@ describe("RealTime subscription link", () => {
     });
 
     test("Initialize WebSocket correctly for OPENID_CONNECT", (done) => {
-        expect.assertions(2);
+        expect.assertions(3);
         jest.spyOn(Date.prototype, 'toISOString').mockImplementation(jest.fn(() => {
             return "2019-11-13T18:47:04.733Z";
         }));
         AppSyncRealTimeSubscriptionHandshakeLink.createWebSocket = jest.fn((url, protocol) => {
-            expect(url).toBe('wss://openidconnecttesturl123456.appsync-realtime-api.us-west-2.amazonaws.com/graphql?header=eyJBdXRob3JpemF0aW9uIjoidG9rZW4iLCJob3N0Ijoib3BlbmlkY29ubmVjdHRlc3R1cmwxMjM0NTYuYXBwc3luYy1hcGkudXMtd2VzdC0yLmFtYXpvbmF3cy5jb20ifQ==&payload=e30=');
-            expect(protocol).toBe('graphql-ws');
+            expect(url).toBe('wss://openidconnecttesturl123456.appsync-realtime-api.us-west-2.amazonaws.com/graphql');
+            expect(Array.isArray(protocol)).toBe(true);
+            const header = decodeProtocolHeader(protocol);
+            expect(header["Authorization"]).toBe("token");
             done();
             return new myWebSocket();
         });
@@ -260,13 +286,15 @@ describe("RealTime subscription link", () => {
     });
 
     test("Initialize WebSocket correctly for OPENID_CONNECT with custom domain", (done) => {
-        expect.assertions(2);
+        expect.assertions(3);
         jest.spyOn(Date.prototype, 'toISOString').mockImplementation(jest.fn(() => {
             return "2019-11-13T18:47:04.733Z";
         }));
         AppSyncRealTimeSubscriptionHandshakeLink.createWebSocket = jest.fn((url, protocol) => {
-            expect(url).toBe('wss://openidconnecttesturl.testcustomdomain.com/graphql/realtime?header=eyJBdXRob3JpemF0aW9uIjoidG9rZW4iLCJob3N0Ijoib3BlbmlkY29ubmVjdHRlc3R1cmwudGVzdGN1c3RvbWRvbWFpbi5jb20ifQ==&payload=e30=');
-            expect(protocol).toBe('graphql-ws');
+            expect(url).toBe('wss://openidconnecttesturl.testcustomdomain.com/graphql/realtime');
+            expect(Array.isArray(protocol)).toBe(true);
+            const header = decodeProtocolHeader(protocol);
+            expect(header["Authorization"]).toBe("token");
             done();
             return new myWebSocket();
         });
@@ -297,13 +325,15 @@ describe("RealTime subscription link", () => {
     });
 
     test('Initialize WebSocket correctly for AWS_LAMBDA', (done) => {
-        expect.assertions(2);
+        expect.assertions(3);
         jest.spyOn(Date.prototype, 'toISOString').mockImplementation(jest.fn(() => {
             return "2019-11-13T18:47:04.733Z";
         }));
         AppSyncRealTimeSubscriptionHandshakeLink.createWebSocket = jest.fn((url, protocol) => {
-            expect(url).toBe('wss://awslambdatesturl1234567890.appsync-realtime-api.us-west-2.amazonaws.com/graphql?header=eyJBdXRob3JpemF0aW9uIjoidG9rZW4iLCJob3N0IjoiYXdzbGFtYmRhdGVzdHVybDEyMzQ1Njc4OTAuYXBwc3luYy1hcGkudXMtd2VzdC0yLmFtYXpvbmF3cy5jb20ifQ==&payload=e30=');
-            expect(protocol).toBe('graphql-ws');
+            expect(url).toBe('wss://awslambdatesturl1234567890.appsync-realtime-api.us-west-2.amazonaws.com/graphql');
+            expect(Array.isArray(protocol)).toBe(true);
+            const header = decodeProtocolHeader(protocol);
+            expect(header["Authorization"]).toBe("token");
             done();
             return new myWebSocket();
         });
@@ -331,13 +361,15 @@ describe("RealTime subscription link", () => {
     })
 
     test('Initialize WebSocket correctly for AWS_LAMBDA with custom domain', (done) => {
-        expect.assertions(2);
+        expect.assertions(3);
         jest.spyOn(Date.prototype, 'toISOString').mockImplementation(jest.fn(() => {
             return "2019-11-13T18:47:04.733Z";
         }));
         AppSyncRealTimeSubscriptionHandshakeLink.createWebSocket = jest.fn((url, protocol) => {
-            expect(url).toBe('wss://awslambdatesturl.testcustomdomain.com/graphql/realtime?header=eyJBdXRob3JpemF0aW9uIjoidG9rZW4iLCJob3N0IjoiYXdzbGFtYmRhdGVzdHVybC50ZXN0Y3VzdG9tZG9tYWluLmNvbSJ9&payload=e30=');
-            expect(protocol).toBe('graphql-ws');
+            expect(url).toBe('wss://awslambdatesturl.testcustomdomain.com/graphql/realtime');
+            expect(Array.isArray(protocol)).toBe(true);
+            const header = decodeProtocolHeader(protocol);
+            expect(header["Authorization"]).toBe("token");
             done();
             return new myWebSocket();
         });
@@ -373,8 +405,8 @@ describe("RealTime subscription link", () => {
             return "2019-11-13T18:47:04.733Z";
         }));
         AppSyncRealTimeSubscriptionHandshakeLink.createWebSocket = jest.fn((url, protocol) => {
-            expect(url).toBe('wss://apikeytest.testcustomdomain.com/graphql/realtime?header=eyJob3N0IjoiYXBpa2V5dGVzdC50ZXN0Y3VzdG9tZG9tYWluLmNvbSIsIngtYW16LWRhdGUiOiIyMDE5MTExM1QxODQ3MDRaIiwieC1hcGkta2V5IjoieHh4eHgifQ==&payload=e30=');
-            expect(protocol).toBe('graphql-ws');
+            expect(url).toBe('wss://apikeytest.testcustomdomain.com/graphql/realtime');
+            expect(Array.isArray(protocol)).toBe(true);
             const socket = new myWebSocket();
 
             setTimeout(() => {
@@ -452,8 +484,8 @@ describe("RealTime subscription link", () => {
             return "2019-11-13T18:47:04.733Z";
         }));
         AppSyncRealTimeSubscriptionHandshakeLink.createWebSocket = jest.fn((url, protocol) => {
-            expect(url).toBe('wss://apikeytest.testcustomdomain.com/graphql/realtime?header=eyJob3N0IjoiYXBpa2V5dGVzdC50ZXN0Y3VzdG9tZG9tYWluLmNvbSIsIngtYW16LWRhdGUiOiIyMDE5MTExM1QxODQ3MDRaIiwieC1hcGkta2V5IjoieHh4eHgifQ==&payload=e30=');
-            expect(protocol).toBe('graphql-ws');
+            expect(url).toBe('wss://apikeytest.testcustomdomain.com/graphql/realtime');
+            expect(Array.isArray(protocol)).toBe(true);
             const socket = new myWebSocket();
 
             setTimeout(() => {
@@ -521,5 +553,34 @@ describe("RealTime subscription link", () => {
         });
     });
 
+    test("URL does not contain credentials in query string", (done) => {
+        expect.assertions(2);
+        jest.spyOn(Date.prototype, 'toISOString').mockImplementation(jest.fn(() => {
+            return "2019-11-13T18:47:04.733Z";
+        }));
+        AppSyncRealTimeSubscriptionHandshakeLink.createWebSocket = jest.fn((url, protocol) => {
+            // The URL must not contain any query parameters with auth material
+            expect(url.includes("?")).toBe(false);
+            // Auth should be in the protocol header instead
+            const header = decodeProtocolHeader(protocol);
+            expect(header["x-api-key"]).toBe("my-secret-key");
+            done();
+            return new myWebSocket();
+        });
+        const link = new AppSyncRealTimeSubscriptionHandshakeLink({
+            auth: {
+                type: AUTH_TYPE.API_KEY,
+                apiKey: "my-secret-key",
+            },
+            region: "us-west-2",
+            url: "https://securitytesturl12345678901.appsync-api.us-west-2.amazonaws.com/graphql",
+        });
+
+        execute(link, { query }).subscribe({
+            error: () => { fail; },
+            next: () => { done(); },
+            complete: () => { done(); },
+        });
+    });
 
 });

package/lib/index.d.mts

@@ -0,0 +1,44 @@
+import { ApolloLink } from '@apollo/client/core';
+import { AuthOptions } from 'aws-appsync-auth-link';
+
+/*!
+ * Copyright 2017-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+declare const CONTROL_EVENTS_KEY = "@@controlEvents";
+
+type UrlInfo = {
+    url: string;
+    auth: AuthOptions;
+    region: string;
+};
+/**
+ * Route connections through a proxy (e.g. CloudFront) instead of connecting
+ * directly to AppSync. The library will send traffic to the proxy URL while
+ * using the original AppSync host for authentication.
+ *
+ * @example
+ * ```ts
+ * {
+ *   url: 'https://xxx.appsync-api.us-east-1.amazonaws.com/graphql',
+ *   region: 'us-east-1',
+ *   auth: { type: AUTH_TYPE.API_KEY, apiKey: 'da2-xxx' },
+ *   proxy: { url: 'https://d111111abcdef8.cloudfront.net/graphql' }
+ * }
+ * ```
+ */
+type ProxyConfig = {
+    /** The proxy endpoint that sits in front of AppSync (e.g. a CloudFront distribution URL). */
+    url: string;
+};
+type AppSyncRealTimeSubscriptionConfig = UrlInfo & {
+    keepAliveTimeoutMs?: number;
+    /** Optional proxy configuration for routing through CloudFront or another CDN. */
+    proxy?: ProxyConfig;
+};
+
+declare function createSubscriptionHandshakeLink(args: AppSyncRealTimeSubscriptionConfig, resultsFetcherLink?: ApolloLink): ApolloLink;
+declare function createSubscriptionHandshakeLink(url: string, resultsFetcherLink?: ApolloLink): ApolloLink;
+
+export { CONTROL_EVENTS_KEY, createSubscriptionHandshakeLink };

package/lib/index.js

@@ -11,8 +11,9 @@ var __rest = (this && this.__rest) || function (s, e) {
     return t;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.createSubscriptionHandshakeLink = exports.CONTROL_EVENTS_KEY = void 0;
 var subscription_handshake_link_1 = require("./subscription-handshake-link");
-exports.CONTROL_EVENTS_KEY = subscription_handshake_link_1.CONTROL_EVENTS_KEY;
+Object.defineProperty(exports, "CONTROL_EVENTS_KEY", { enumerable: true, get: function () { return subscription_handshake_link_1.CONTROL_EVENTS_KEY; } });
 var core_1 = require("@apollo/client/core");
 var http_1 = require("@apollo/client/link/http");
 var utilities_1 = require("@apollo/client/utilities");
@@ -22,7 +23,7 @@ function createSubscriptionHandshakeLink(infoOrUrl, theResultsFetcherLink) {
     var resultsFetcherLink, subscriptionLinks;
     if (typeof infoOrUrl === "string") {
         resultsFetcherLink =
-            theResultsFetcherLink || http_1.createHttpLink({ uri: infoOrUrl });
+            theResultsFetcherLink || (0, http_1.createHttpLink)({ uri: infoOrUrl });
         subscriptionLinks = core_1.ApolloLink.from([
             new non_terminating_link_1.NonTerminatingLink("controlMessages", {
                 link: new core_1.ApolloLink(function (operation, _forward) {
@@ -43,12 +44,12 @@ function createSubscriptionHandshakeLink(infoOrUrl, theResultsFetcherLink) {
     }
     else {
         var url = infoOrUrl.url;
-        resultsFetcherLink = theResultsFetcherLink || http_1.createHttpLink({ uri: url });
+        resultsFetcherLink = theResultsFetcherLink || (0, http_1.createHttpLink)({ uri: url });
         subscriptionLinks = new realtime_subscription_handshake_link_1.AppSyncRealTimeSubscriptionHandshakeLink(infoOrUrl);
     }
     return core_1.ApolloLink.split(function (operation) {
         var query = operation.query;
-        var _a = utilities_1.getMainDefinition(query), kind = _a.kind, graphqlOperation = _a.operation;
+        var _a = (0, utilities_1.getMainDefinition)(query), kind = _a.kind, graphqlOperation = _a.operation;
         var isSubscription = kind === "OperationDefinition" && graphqlOperation === "subscription";
         return isSubscription;
     }, subscriptionLinks, resultsFetcherLink);