I opened a ticket with PubNub and also read: https://help.pubnub.com/entries/22251291-Can-I-Hide-my-Application-Keys-
But I still can't understand how I can stop the user from seeing my keys, as they are still on the client side even after obfuscation.
What I want to do is something I read in this post: PubNub publish message between two Private Channels
I'm not sure how to create a private channel with custom keys that the user can't see.
EDIT: I was able to understand the flow of auth_key but can't find the PHP equivalent of the JS crypto lib to grant permission. Any idea on how to implement it in PHP?
💡 Check the latest docs using PubNub Access Manager - https://www.pubnub.com/docs/security/access-control
With PubNub Access Manager you no longer need to worry about hiding your publish_key and subscribe_key in your source code in JavaScript or any other language! Typically you would consider that hiding your keys becomes a means of preventing access to streams of data on your PubNub Channels. However, this is not necessary and there is a best practices method to use instead: The following is your solution for the new way to manage access and the new way to manage your keys.

You can issue per-user connection grant() and revoke() access in realtime on the PubNub global Real-Time Network. Various levels of security within the PubNub network using a grant/revoke (whitelist) permission scheme, where the first grant found in the hierarchy grants read/write access. Permissions are evaluated for both publish and subscribe based on this hierarchy.

Our pam.php PubNub Access Manager PHP Class is finally ready to go! You can get started by seeing the example usage code below with full code coverage of the SDK. You can find all source code via the GitHub Gist Link:
PubNub Access Manager (PAM) PHP Full Library for Granting and Revoking Access
require('pam.php');
$manager = new access(
    "pub-c-e132b7b4-0c2c-4d36-a828-1de1ea50d167",
    "sub-c-f95db694-6ff9-11e3-9291-02ee2ddab7fe",
    "sec-c-OWFkNWQ1NDctN2JiNy00NzJmLTk3Y2ItN2ExODZlYzkyNzY0"
);
Grant access to user with authkey of gZW5jb2RlZCBmaWx with read and write access for a 5 minute ttl. You can make the authkey anything you want!
print_r($manager->grant(
    "my_channel",       // CHANNEL
    "gZW5jb2RlZCBmaWx", // STRING (AUTH KEY)
    true,               // READ
    true,               // WRITE
    5                   // TTL in MINUTES
));
Also grant access to the presence channel (required for PubNub Dev Console).
print_r($manager->grant(
    "my_channel-pnpres", // CHANNEL
    "gZW5jb2RlZCBmaWx",  // STRING (AUTH KEY)
    true,                // READ
    true,                // WRITE
    5                    // TTL in MINUTES
));
Exclude the authkey and you can globally grant access to all.
print_r($manager->grant_global(
    "my_channel", // CHANNEL
    true,         // READ
    true,         // WRITE
    5             // TTL in MINUTES
));
You can grant access forever by setting the ttl param to 0.
print_r($manager->grant_global(
    "my_channel", // CHANNEL
    true,         // READ
    true,         // WRITE
    0             // FOREVER GRANT!!!
));
Instantly revoke access to a user.
print_r($manager->revoke(
    "some-other-channel", // CHANNEL
    "gZW5jb2RlZCBmaWx"    // STRING (AUTH KEY)
));
You can also revoke Global Access by excluding the authkey param.
print_r($manager->revoke(
    "some-other-channel" // CHANNEL
));
pam.php
The full file can be found here: PubNub Access Manager (PAM) PHP Full Library for Granting and Revoking Access
<?php
class access {
    function __construct( $pubkey, $subkey, $seckey ) {
        $this->publish_key   = $pubkey;
        $this->subscribe_key = $subkey;
        $this->secret_key    = $seckey;
    }

    function grant_global( $channel, $read=True, $write=True, $ttl=5 ) {
        /** Grant GLOBAL Access on a Channel. **/
        return $this->_auth(array(
            "channel" => $channel,
            "r"       => $read  ? 1 : 0,
            "w"       => $write ? 1 : 0,
            "ttl"     => $ttl
        ));
    }

    function grant( $channel, $authkey=False, $read=True, $write=True, $ttl=5 ) {
        /** Grant Access on a Channel. **/
        return $this->_auth(array(
            "channel" => $channel,
            "auth"    => $authkey,
            "r"       => $read  ? 1 : 0,
            "w"       => $write ? 1 : 0,
            "ttl"     => $ttl
        ));
    }

    function revoke( $channel, $authkey=False, $read=False, $write=False, $ttl=1 ) {
        /** Revoke Access on a Channel.**/
        return $this->_auth(array(
            "channel" => $channel,
            "auth"    => $authkey,
            "r"       => $read  ? 1 : 0,
            "w"       => $write ? 1 : 0,
            "ttl"     => $ttl
        ));
    }

    function _sign($message) {
        /** Calculate a signature by secret key and message. **/
        return strtr( base64_encode(hash_hmac(
            'sha256',
            utf8_encode($message),
            utf8_encode($this->secret_key),
            true
        )), '+/', '-_' );
    }

    function _auth($query) {
        /** Issue an authenticated request.**/
        if (!array_key_exists( 'timestamp', $query )) {
            $query['timestamp'] = time();
        }

        ## Global Grant?
        if ((array_key_exists('auth',$query)) && !$query['auth']) {
            unset($query['auth']);
        }

        ## Construct String to Sign
        $params      = array();
        $sorted_keys = array_keys($query);
        sort($sorted_keys);
        foreach ($sorted_keys as $key) array_push(
            $params,
            $key . "=" . $query[$key]
        );

        $string_to_sign =
            $this->subscribe_key . "\n" .
            $this->publish_key   . "\n" .
            "grant"              . "\n" .
            implode( "&", $params );

        $signature = $this->_sign($string_to_sign);
        $url = (
            "https://pubsub.pubnub.com/v1/auth/grant/sub-key/" .
            $this->subscribe_key . "?" .
            implode( "&", $params ) .
            "&signature=" . $signature
        );

        $workspace_curl = curl_init();
        curl_setopt( $workspace_curl, CURLOPT_RETURNTRANSFER, 1 );
        curl_setopt( $workspace_curl, CURLOPT_URL, $url );
        $result = curl_exec($workspace_curl);
        return $workspace_details = json_decode( $result, true );
    }
}
?>
pam.php: PubNub Access Manager (PAM) PHP Full Library for Granting and Revoking Access
WARNING: PubNub Dev Console Requires Grant on Presence Channel too! You can set the presence access by granting on the suffix of -pnpres channel name.
http://www.pubnub.com/console/?channel=my_channel&sub=sub-c-f95db694-6ff9-11e3-9291-02ee2ddab7fe&pub=pub-c-e132b7b4-0c2c-4d36-a828-1de1ea50d167&sec=sec-c-OWFkNWQ1NDctN2JiNy00NzJmLTk3Y2ItN2ExODZlYzkyNzY0
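
A server-side endpoint that applies the grant flow from the answer above, as an added example that is not part of the original answer or PubNub's own code: the secret key stays on the server, and the browser receives only a random, short-lived auth key for a channel the signed-in user is allowed to use. The environment variable names, the ACL, the channel-name pattern and the check on a "status" field in the reply are assumptions.

```php
<?php
// Added example, not from the original answer. Assumes pam.php from the answer
// sits beside this file; the env var names and the ACL below are hypothetical.
require 'pam.php';

// Constructed sample policy: signed-in user => channel => 'r' or 'rw'.
$acl = array(
    'alice' => array('room-42' => 'rw'),
    'bob'   => array('room-42' => 'r'),
);

function issue_channel_access($manager, $acl, $user, $channel, $ttl_minutes = 5) {
    // pam.php does not URL-encode parameters, so accept only plain names.
    if (!is_string($channel) || !preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $channel)) {
        return null;
    }
    // Authorize on the server before granting anything.
    if (!is_string($user) || !isset($acl[$user][$channel])) {
        return null;
    }
    $can_write = ($acl[$user][$channel] === 'rw');
    $auth_key  = bin2hex(random_bytes(16)); // unguessable, one per session
    // Grant on the channel and on its presence channel (-pnpres suffix).
    foreach (array($channel, $channel . '-pnpres') as $name) {
        $res = $manager->grant($name, $auth_key, true, $can_write, $ttl_minutes);
        // Assumption: the decoded reply carries an HTTP-style "status" field.
        if (!is_array($res) || !isset($res['status']) || (int) $res['status'] !== 200) {
            return null;
        }
    }
    // Only these values reach the browser; the secret key stays on the server.
    return array('channel' => $channel, 'auth_key' => $auth_key,
                 'ttl_minutes' => $ttl_minutes);
}

session_start();
$manager = new access(getenv('PUBNUB_PUBLISH_KEY'),
                      getenv('PUBNUB_SUBSCRIBE_KEY'),
                      getenv('PUBNUB_SECRET_KEY'));
$user    = isset($_SESSION['user']) ? $_SESSION['user'] : '';
$channel = isset($_GET['channel']) ? $_GET['channel'] : '';
$grant   = issue_channel_access($manager, $acl, $user, $channel);
header('Content-Type: application/json');
if ($grant === null) {
    http_response_code(403);
    echo json_encode(array('error' => 'access denied'));
} else {
    echo json_encode($grant);
}
```

The browser supplies the returned auth_key as its auth key when it connects and requests a fresh one before the ttl runs out.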