feat: push access token to every channel during heartbeat

Author: w3b6x9

packages/core/realtime-js/src/RealtimeClient.ts

@@ -34,6 +34,7 @@ type Message = {
 const noop = () => {}
 
 export default class RealtimeClient {
+  accessToken: string | null = null
   channels: RealtimeSubscription[] = []
   endPoint: string = ''
   headers?: { [key: string]: string } = DEFAULT_HEADERS
@@ -317,6 +318,21 @@ export default class RealtimeClient {
     return this.ref.toString()
   }
 
+  /**
+   * Sets the JWT access token used for channel subscription authorization and Realtime RLS.
+   *
+   * @param token A JWT string.
+   */
+  setAuth(token: string | null) {
+    this.accessToken = token
+
+    this.channels.forEach((channel) =>
+      channel.push(CHANNEL_EVENTS.access_token, {
+        access_token: token,
+      })
+    )
+  }
+
   private _onConnOpen() {
     this.log('transport', `connected to ${this.endPointURL()}`)
     this._flushSendBuffer()
@@ -385,11 +401,6 @@ export default class RealtimeClient {
       return
     }
     this.pendingHeartbeatRef = this.makeRef()
-    this.push({
-      topic: 'phoenix',
-      event: 'heartbeat',
-      payload: {},
-      ref: this.pendingHeartbeatRef,
-    })
+    this.setAuth(this.accessToken)
   }
 }

packages/core/realtime-js/src/lib/constants.ts

@@ -29,6 +29,7 @@ export enum CHANNEL_EVENTS {
   join = 'phx_join',
   reply = 'phx_reply',
   leave = 'phx_leave',
+  access_token = 'access_token',
 }
 
 export enum TRANSPORTS {

packages/core/realtime-js/test/socket_test.js

@@ -444,6 +444,33 @@ describe('makeRef', () => {
   })
 })
 
+describe('setAuth', () => {
+  beforeEach(() => {
+    socket = new RealtimeClient('wss://example.com/socket')
+  })
+
+  afterEach(async () => {
+    await socket.disconnect()
+  })
+
+  it('sets access token and pushes it to channels', () => {
+    const channel1 = socket.channel('test-topic1')
+    const channel2 = socket.channel('test-topic2')
+    const stub1 = sinon.stub(channel1, 'push')
+    const stub2 = sinon.stub(channel2, 'push')
+
+    socket.setAuth('token123')
+
+    assert.strictEqual(socket.accessToken, 'token123')
+    assert.ok(stub1.calledWith('access_token', {
+      access_token: 'token123',
+    }))
+    assert.ok(stub2.calledWith('access_token', {
+      access_token: 'token123',
+    }))
+  })
+})
+
 describe('sendHeartbeat', () => {
   before(() => {
     window.XMLHttpRequest = sinon.useFakeXMLHttpRequest()