Pubnub Auth Key and Auth Key Safety (Grant Token)
I have stuck in here and couldn't find a solid solution.
I use PHP in server-side and Vanilla JS in the client side.
In server-side, I'm generating a auth token (https://www.pubnub.com/docs/general/basics/manage-access) for current logged in user's channel to make him able to read his channel messsages by the following code:
I'm also generating a new one when the key timeout so all OK with the generation.
But my problem is starts here:
I'm passing the key into the client like this:
And user is getting access to the channel. But the thing is, I'm passing this auth key to the client-side. Which is someone that get this user's auth token; can setup their own client and can read messages that sent to this user.
How can I deal with that?
And another one:
I'm publishing to a channel in PHP like this. But I'm able do to that without setting auth token. I'm sure auth token system is working because when I pass wrong auth key to the client it's giving 403 forbidden. But however, I'm able to publish to channel without auth key in here. Is this because it's server-side?
Thanks!
Googled everything...
someone that get this user's auth token; can setup their own client and can read messages that sent to this user
This authorization strategy is the same as JWT. How will someone get this auth token? If you are using a secure connection to your server (TSL, aka https), and your PHP server is secured, then that is all you can do. This is the internet :)
Now how secure is the end user's machine? Are they susceptible to phishing or other schemes that might allow a hacker to gain access to their machine? Humans are the easiest thing to hack and you can't really do anything to secure them ;)
So as far as PubNub is concerned with security, you are doing exactly what very large companies have been doing for over 10 years with PubNub. The question is how secure is your server that a hacker can't get access to your code and data and get your PubNub secret key. In my 9+ years at PubNub, I've never known this to happen.
granting permissions on your channel
You are granting too many permissions but it doesn't have any negative side effects.
read-subscribe(receive messages),fetch(messages from history), and some presence stuff (get/set state,here now)write-publish(send messages)getandset- this is for PubNub Objects only which is different than pub/sub.
Again, no harm comes from granting permissions that have no effect on the resources you are granting to but it adds to the size of the auth token (just a little bit in this case).
able do to that without setting auth token
When you do setToken you are setting that on the pubnub object that you use to invoke PubNub operations. The PubNUb SDK automatically adds the auth token as a query parameter in the request. So it is being passed automatically for you.
Open your browser console, select the Network tab, and look at any PubNub request/url. You will see the query parameter names auth and the value is your auth token.
PubNub Secret Key give you all access
The secret key gives your server the ability to grant permissions (generate an auth token) AND it gives your server all access to all things in your PubNub key set. Don't let that secret key get compromised.
- Connection to socket.io with R websocket package not working
- Accessing ServletContext and HttpSession in @OnMessage of a JSR-356 @ServerEndpoint
- Can I use STOMP for Ajax-like requests?
- testing websockets with postman new api
- What is the mask in a WebSocket frame?
- WebSocket with Laravel 5.2
- How to enable Socket.IO in Azure Web PubSub using Terraform?
- how to send commands to AWS Session manager websocket url using xterm.js?
- How to kick the old session from websocket
- okhttp websocket immediately fails after connection
- Upgrading WebSockets to TLS
- Tomcat Embedded Websocket
- How can I get the member list of log-in-ed
- How to read a websocket response with cURL
- Azure PuSub with protobuf data not working
- Cannot connect to Jetty WebSocket v11
- Websocket call lost in nginx rerouting
- Python Websockets Module has no attribute
- Does the Hapi.js websocket protocol communication need to use hapi.js for the client to connect to the websocket?
- How to inspect websocket traffic with charlesproxy for iOS simulator/devices
- Why does my websock variable disappear between tests?
- Spring boot cloud gateway closes Websocket connection when package size is larger
- How do I call async_write multiple times and send data to the server? (boost::asio)
- HTTP headers in Websockets client API
- How does Websocket Browser API resolve domains?
- Using Jmeter Websocket sampler with no port number in the URL
- Laravel Echo not receiving events from Soketi websocket docker container
- ModuleNotFoundError, trying to use binance.websockets
- Use HTTP/2 instead of WebSocket
- wAssertionError: Expected a `Response`, `HttpResponse` or `StreamingHttpResponse` to be returned from the view, but received a `<class 'coroutine'>`