How does Pusher authentication work?

I'm not sure I understood correctly how authentication works in Pusher. Here is a scenario that bothers me:

  • A user wants to subscribe to a private channel, so the Pusher library calls my server to get an authentication token.
  • The server checks if the user is registered and returns a token
  • Now the user has this token and logs out of my application.
  • A user can subscribe to the same private channel using an authentication token from another computer, even if he is logged out.

Is point 4 valid? Will it be possible to use the auth token after the user logs out of my application?

1 answer

No, point 4 is not valid. An authentication token is created from a combination of the client's socket identifier, the channel name and (for presence channels) the channel data. See: http://pusher.com/docs/auth_signatures

The socket identifier is a globally unique identifier for the current client connection. If the same authentication token were used on a different machine, the socket identifier would be different, so the authentication token would not match the one that Pusher computes when it checks the token sent as part of the subscription request from the client.


Source: https://habr.com/ru/post/1484802/