Pubnub Secure Key and Channel Name

I have an application in which each user should receive notifications related only to themselves.

To do this, I created a unique channel name for each user. I subscribe to this channel when a user logs in from a browser using JavaScript.

    pubnub = PUBNUB.init({ subscribe_key : '<subscriber-key>' });
    pubnub.subscribe({
        channel: "<unique-channel-name>",
    })

My question is: if someone gets the name of a unique user channel, can he set up his own PubNub client and receive notifications without any permission? Basically, all that protects my user data is the channel name and subscriber key, which are publicly available in the source code of the page. I looked at the PubNub Access Manager, but it suffers from the same problem, right? If someone opens the source code and copies the auth key, can they configure their own client and receive messages?

Edit: Additional Information

I generate and save the channel name for each user during registration. This name is a random UUID, for example "7304cd62-9ba2-4842-98d8-8a5c8e561275". When I want to notify a user who, say, received a friend request, I pull the channel name from the database and publish a notification. Whenever they log in, the rendered page uses Ruby to insert the name of their channel, and my subscriber key is in a hidden field that JavaScript uses to initialize PubNub.

    <%= my_pubnub_subscriber_key %>
    <%= current_user.channel.name %>

In this case, using Access Manager will mean that I will need to save the authorization key in addition to the channel name and allow the key to read the channel.

    John - john-channel - john-key-authorizing-read-on-john-channel
    Jane - jane-channel - jane-key-authorizing-read-on-jane-channel

The rendered page will have three fields for initializing PubNub:

    <%= my_pubnub_subscriber_key %>
    <%= john-channel %>
    <%= john-key %>

The original problem remains. If Jane goes to John's house, opens the source code of John's main page, copies the 3 keys, returns home and creates her own client, she can subscribe to John's notifications. I don't know whether the recipient of my notifications really logged in or just copied the keys.

I believe that to protect against this possibility, I just have to regularly rotate the channel name or auth key, for example when the user logs out, or daily?

1 answer

Securing PubNub Data Streams with ACL / Access Control

You want to protect the PubNub Subscriber Key and Channel Name. Access Manager controls read and write access at a fine-grained, per-connection level, and so provides authorization and access control for users, devices, and channels.

The good part. With PubNub Access Manager and the ACL, you can prevent someone from creating their own PubNub client and receiving notifications without any permission.

This is done using the PubNub auth_key, which is an authenticated access token managed by your servers. Essentially, you want to mitigate and prevent the spread of subscriptions to your valuable data in the PubNub data stream.

Keep it safe and secure: access control for real-time data streams

You should treat your PubNub auth_key in the same way as a per-user secret. It is like a session key / identifier that grants access to the data stream, similar to how Netflix, Spotify, Facebook and Gmail provide a secure level of access.

This is what your JavaScript should look like with secure access control.

Notice: Wohhhh. There are no access keys in the JavaScript file.

    // =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    // Get User Access Keys from Your Server
    // =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    console.log('getting user login information');
    // get_user_access() is your own helper: it calls your login endpoint,
    // which returns the subscribe_key, a per-user auth_key and the channel list.
    get_user_access( 'https://myservers.com/user/login/', function(user) {
        var pubnub = PUBNUB({
            subscribe_key : user.subscribe_key,
            auth_key      : user.auth_key
        });
        ready( pubnub, user );
    } );

    // =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    // Data Stream Connection Ready to Start
    // =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    function ready( pubnub, user ) {
        console.log('ready to subscribe to data stream channel');
        pubnub.subscribe({
            channel : user.channels,
            message : receiver
        });
    }

    // =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    // Data Stream Payloads Received
    // =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    function receiver(data) {
        console.log('received secure data payload');
    }

Revoke access on malicious activity

What if a user logs in twice or opens more than one PubNub streaming data connection? If you detect abuse, you can immediately revoke access using pubnub.revoke().

    // =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    // Revoke Access from Your Server
    // =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    pubnub.revoke({
        channel  : 'CHANNEL_NAME',
        auth_key : 'BAD_APPLE_AUTH_KEY',
        callback : function(m){ console.log(m) }
    });

Secure PubNub Subscriber Key and Channel Name


In addition, if you use Node.JS for access control, there is a community forum thread that describes bulk grants at a reasonable speed using PubNub Access Manager with Node.JS, for good and awesome.


Source: https://habr.com/ru/post/979559/
