stueynet

Pusher Security

My application has a two-way messaging system. When a consultation is active, each of the 2 users that are party to it can post to a message box when viewing the consultation. I have this now set up so that when someone posts, the other user sees the new message on screen without refreshing. I am doing this via the following subscription:

// Blade renders the Pusher app key and the consultation id into the page
var pusher = new Pusher('{{ config('broadcasting.connections.pusher.key') }}', {
    encrypted: true
});
// The channel name is built from the consultation id, so anyone who knows an id can form the name
var channel = pusher.subscribe('consult_{{ $consult->id }}_messages');

Loving it. However, I am wondering about security. For example, if I opened Chrome dev tools and manually changed the ID to a different channel, would I now be able to see messages on that channel? If so, how does one secure this so that only the right people can subscribe to the channel?

0 likes
4 replies
helmut

Keep your data within your own system. You don't have to send any sensitive data through Pusher if you don't want to. Just broadcast ids, and then your app will check permissions before retrieving and displaying any content.

A simple example: A user posts a new comment with a data representation of { id:4, message: "Hello! My date of birth is 01/01/1975" }. So instead of sending the 'message' through Pusher, simply send the id. Then, when the client receives the notification, you do an AJAX request to get the comment from the db matching that id. This means Pusher doesn't need to know about any sensitive data, and your system can do all the necessary auth checks before displaying it.
