pusher / pusher-http-php

PHP library for interacting with the Pusher Channels HTTP API
https://pusher.com/docs/server_api_guide

Triggering single event on multiple encrypted channel fails #383

Open dopeh opened 5 months ago

dopeh commented 5 months ago

In issue #334 a proposal was made to allow triggering one event to multiple encrypted channels in a single API call. This resulted in https://github.com/pusher/pusher-http-php/pull/337 being merged.

However, as can be seen in the pull request, the payload is encrypted using the name of the first channel that's provided (see https://github.com/pusher/pusher-http-php/blob/master/src/Pusher.php#L365). The shared secret for the event is then derived using that channel name in https://github.com/pusher/pusher-http-php/blob/master/src/PusherCrypto.php#L126C50-L126C51. So basically the shared secret is channel-specific and will be used for encrypting the payload sent to all channels.

I have verified on the client side that the event is indeed sent to all encrypted channels, but only the first channel is able to decrypt the data; all other channels are unable to decrypt the data. So this method does not work and you still need to do one API call per encrypted channel.
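
The failure described above, reproduced as an added example that is not part of the original issue or the library's code. It assumes the per-channel shared secret is SHA-256 over the channel name followed by the master key and that payloads are sealed with libsodium's secretbox; the helper names, channel names and key are constructed for illustration.

```php
<?php
// Added illustration. Helper names are hypothetical, not pusher-http-php's API.

// Assumption: per-channel secret = SHA-256(channel name . master key), raw 32 bytes.
function sharedSecret(string $channel, string $masterKey): string
{
    return hash('sha256', $channel . $masterKey, true);
}

// Seal a payload with the secret derived for one specific channel.
function encryptFor(string $channel, string $masterKey, string $plaintext): array
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key   = sharedSecret($channel, $masterKey);
    return ['nonce' => $nonce, 'ciphertext' => sodium_crypto_secretbox($plaintext, $nonce, $key)];
}

// Subscriber side: each subscriber only holds the secret for its own channel.
// The secret is derived here directly to keep the simulation self-contained.
function decryptOn(string $channel, string $masterKey, array $box): ?string
{
    $key   = sharedSecret($channel, $masterKey);
    $plain = sodium_crypto_secretbox_open($box['ciphertext'], $box['nonce'], $key);
    return $plain === false ? null : $plain; // null = authentication failed
}

$masterKey = random_bytes(32);                                // constructed sample key
$channels  = ['private-encrypted-a', 'private-encrypted-b'];  // constructed channel names
$payload   = '{"message":"hello"}';

// Behaviour reported in the issue: one ciphertext, keyed to the first channel,
// delivered to every channel in the list.
$shared = encryptFor($channels[0], $masterKey, $payload);
foreach ($channels as $channel) {
    $result = decryptOn($channel, $masterKey, $shared);
    printf("single ciphertext on %s: %s\n", $channel, $result ?? 'decryption failed');
}

// Current workaround from the issue: encrypt (and trigger) once per channel,
// so each ciphertext matches the secret its subscribers hold.
foreach ($channels as $channel) {
    $own    = encryptFor($channel, $masterKey, $payload);
    $result = decryptOn($channel, $masterKey, $own);
    printf("per-channel ciphertext on %s: %s\n", $channel, $result ?? 'decryption failed');
}
```

Because secretbox is authenticated, a subscriber on any channel other than the first sees a hard decryption failure rather than garbled plaintext.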

paragonie-security commented 3 months ago

Opened a pull request #386 that should resolve this issue (and eliminate a limitation of Pusher if accepted into each language implementation).