parse-community / parse-php-sdk

The PHP SDK for Parse Platform
https://parseplatform.org/

Is LiveQuery supported in the PHP SDK? #383

Closed khalilsarabey closed 5 years ago

khalilsarabey commented 6 years ago

Hello good people! Just a quick question: is LiveQuery supported on Parse's PHP SDK? If not, are there any plans to implement this? Or maybe someone might have a workaround to get this to work with custom code? Thanks!

acinader commented 6 years ago

I'm sure @montymxb will have the right answer for this, but in the meantime... I'm not sure what LiveQuery for PHP would even mean? Your Parse PHP code is running on a server, usually in the context of a request from the client, which hopefully lasts for < 1s. LiveQuery is for clients that want to get updated, so it makes sense for JavaScript client libraries or the iOS or Android client lib that wants to get updates in real time while a user is staring at a page of the app. But for Python, or Node, or any other server code, I can't really see where you'd use LiveQuery. If you wanted that kind of behavior on the server side, you'd make some kind of webhook that could get called by before or after save cloud code hooks??

khalilsarabey commented 6 years ago

@acinader Actually, my issue with the JavaScript library is the keys that are exposed. Even with ACL, a user can still create a separate app on another server and call your URL with the exposed keys, and yes, they can't do anything without ACL access, but they can at least flood your User class with dummy data or even overload your server. This is a major problem, which is why I decided to use PHP. If someone is so determined, they can even mirror your app.

Now back to the question: I want to use LiveQuery for a chat and notification feature in the web app. I basically need to run a query (say for the chat), and when a new chat message is added from any other user I want my PHP script to be notified, and I'll handle the rest from there. All this struggle is because I don't want the keys to be exposed, sigh.

flovilmart commented 6 years ago

It’s the same issue for any API server that you expose to the public, the keys are irrelevant and not a security feature, only the masterKey is.

You probably want to go with a rate limiting module or something similar, but it’s not specific to parse-server.

khalilsarabey commented 6 years ago

@flovilmart Of course I know it's not specific to parse-server. I think it's psychological: I don't feel safe knowing that someone can create a website and use my server for it, and I can't find enough docs regarding this issue online. I'm not an expert when it comes to servers, but I'm going to email nodechef to see if there's any way to allow web access from a specific domain only. I think this can solve the whole issue?

I'm still curious about PHP though.

flovilmart commented 6 years ago

Yes, you can most probably restrict access through CORS (cross origin resource sharing) for web pages. But that won’t prevent an attacker from posting to your API.

What you’re afraid of is, in fact, the nature of the internet: having resources on publicly available endpoint URLs :)

khalilsarabey commented 6 years ago

@flovilmart you're absolutely right haha As they say here in Beirut: "If you can't protect it, at least make their job harder" :))

flovilmart commented 6 years ago

I would then recommend you have a look at rate limiting, and other strategies that may help block undesired traffic. Companies such as Cloudflare made a business out of it :)

khalilsarabey commented 6 years ago

@flovilmart Thanks for the tip ;) I'll look into security measures I can take with the nodechef guys, they're awesome! You've been (as usual) very helpful, thanks!

flovilmart commented 6 years ago

If you’re hosting on a 3rd party provider, then this kind of feature should be baked into their offering. They are higher profile targets, as one attacker could focus on their infra in order to take down many customers at once :)

We usually see those features implemented at load balancer level, so it never reaches the application layer.

khalilsarabey commented 6 years ago

They do have a load balancer installed, but there are not a lot of details about it in the docs. It would be great if these are already implemented!

montymxb commented 6 years ago

Looks like I missed most of the chat 😆 . @khalilsarabey the PHP SDK does not currently support LiveQuery. That being said, it's come across my mind more than once as something to potentially look into. As @acinader mentioned, the main issue (and why JS is particularly well suited for this) is the mechanism for receiving, which would have to be a dedicated API. But with that being said, you can usually do this kind of stuff in cloud code functions.

It's still something I would be interested in setting up, but I would be concerned about securing the incoming requests, as we're basically opening you up to the world at that point. Braintree does something similar to this with webhooks; just like this, it would be callbacks to server-side events. One of the key features that helps keep things locked up is the signing of the request, so that (assuming no one steals your keys) only the server would be able to send you a legitimate request. I'm not sure if we currently sign requests or provide an additional mechanism for authenticating the requests (probably using one of the keys provided, if I were to think about it).

I do think we could set up a LiveQuery system for PHP, but it's not currently a priority. We would want to take our time putting it together so we don't simply create a series of 'oops' issues in case the implementation is not done properly.

Beyond the validation of the request, there's also a ton of other things to keep in mind, as @flovilmart mentioned. There's a lot to consider when you're using incoming traffic to run scripts.
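The signed-callback idea described above, as an added illustration (not code from parse-php-sdk or Parse Server): a PHP endpoint that refuses to act on an incoming event unless its HMAC signature matches and its timestamp is fresh. The header names, the signing scheme (HMAC-SHA256 over `timestamp.body`), the shared secret and the sample event are all assumptions constructed for the example.

```php
<?php
// Added example, not part of parse-php-sdk. Header names, the signing
// scheme and the secret are assumptions; a real integration would follow
// whatever the sending server documents.
declare(strict_types=1);

const MAX_SKEW_SECONDS = 300; // reject callbacks older than 5 minutes (replay window)

/**
 * Expected signature: HMAC-SHA256 over "timestamp.rawBody", hex encoded.
 * Binding the timestamp into the MAC means an attacker cannot take an old,
 * validly signed body and resend it with a fresh timestamp.
 */
function computeSignature(string $secret, string $timestamp, string $rawBody): string
{
    return hash_hmac('sha256', $timestamp . '.' . $rawBody, $secret);
}

/**
 * True only if the signature matches AND the timestamp is within the window.
 * hash_equals() compares in constant time, so the check does not leak how
 * many leading characters of a guessed signature were correct.
 */
function verifyCallback(string $secret, string $rawBody, array $headers, int $now): bool
{
    $timestamp = $headers['X-Callback-Timestamp'] ?? '';
    $signature = $headers['X-Callback-Signature'] ?? '';
    if (!ctype_digit($timestamp) || $signature === '') {
        return false; // missing or malformed headers: never fall through to "accept"
    }
    if (abs($now - (int) $timestamp) > MAX_SKEW_SECONDS) {
        return false; // stale callback (or badly skewed clock)
    }
    return hash_equals(computeSignature($secret, $timestamp, $rawBody), $signature);
}

// Constructed sample: a "new chat message" event as the raw callback body.
$secret  = 'constructed-shared-secret';
$now     = 1700000000;
$body    = '{"className":"Message","op":"create","objectId":"example01"}';
$headers = [
    'X-Callback-Timestamp' => (string) $now,
    'X-Callback-Signature' => computeSignature($secret, (string) $now, $body),
];

var_dump(verifyCallback($secret, $body, $headers, $now));        // genuine callback
var_dump(verifyCallback($secret, $body . ' ', $headers, $now));  // body tampered in transit
var_dump(verifyCallback($secret, $body, $headers, $now + 3600)); // same callback replayed an hour later
```

In a real endpoint the raw body comes from `file_get_contents('php://input')` and the headers from the request; verify before decoding the JSON, so a forged payload never reaches the handler.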

khalilsarabey commented 6 years ago

@montymxb Thanks a lot for the detailed reply, I think I have a clear idea why PHP would not be suited for that at the current time. I have the iOS version of the app using PubNub for realtime communication; for some reason LiveQuery was making my debugger scream its lungs out! So I was looking for a simpler implementation for the web version which can minimize dependencies. Thanks a lot for the help guys! You're all awesome!

flovilmart commented 6 years ago

"was making my debugger scream its lungs out"

Can you give some details on that?

yasir-munir commented 2 years ago

Is there any update on this issue? Please update if there is any. As per the documentation, there is no LiveQuery up till now, 22 June 2022 (adding the date for new readers).

Thanks in advance