feat(nestjs-query): effective authorizer on websocket connections

[asorian0]

Relates to #958, which is related to authorizer is not applied to subscriptions. This fact allows any legit user to sniff on any subscription operation, even if the data should be banned to that user.

Solution consists in creating an unique channel name based on data provided in authorizer, if any. If no authorizer is supplied, it behaves as of now.

Usage

Authorizer in your code, in this case we have populated the request with the claims from JWT, so we can bind the authorizer to unique "userId" value in order to make sure that only that user will be able to receive events created/update/delete which "receiverId" value is the same as "userId" value.

@Injectable()
export class MyAuthorizer implements Authorizer<MyDto> { 
  authorize(context: GenericContext, authorizationContext: AuthorizationContext): Promise<Filter<MyDto>> {
    return Promise.resolve({ receiverId: { eq: context.req.user.userId } });
  }

  authorizeRelation(relationName: string, context: GenericContext): Promise<Filter<unknown>> {
    return Promise.resolve({});
  }
}

How it works

Basically it picks the authorizer object of type Filter<MyDto> and creates an unique string based on its contents. The function that handles that is on helpers.ts and it is called getUniqueNameForEvent. This way it binds the event to an unique "channel", allowing to encapsulate for a single user or set of users some events.

@doug-martin thanks for your work!

[doug-martin]

This will be in v0.28.1 working on getting a few more things merged then I'll release. Thanks for your work on figuring this one out!