Allow only specific members to trigger client events

[Luismahou]

Hi, I have the following use case:

• A private channel is created for a set of users.
• One member is responsible for broadcasting events.
• The rest of the members only receive events.

This is what I'm doing currently to trigger an event:

• An ajax call is made to my server.
• The server checks that the user is allowed to broadcast.
• If user is allowed, pusher server api is used to broadcast the event to all users.

What I'm doing is a bit slow (average 1-2 seconds) due to latency, server warm up, etc.

Using client events would make the whole process faster. The problem with client events is that there is no way to specify which members are allowed to broadcast events.

Would you consider extending the security model around client events?

As a first idea, I propose to extend the authentication mechanism:

• When the server responds to /pusher/auth/ step 6 of your diagram, add a field to specify the channel names where the user can trigger client events. The field will be hashed like the auth field.
• Then, when a user tries to trigger a client event, pusher server validates that is allowed to do so.

[pl]

Hi @Luismahou,

Yes, we have considered this, but we haven't had too many requests for that feature. Your use case is valid though and having such mechanism would reduce latency, but for the time being your current implementation is the only solution. I'll raise it in the team, but I can't promise you much, at least for the near future, since it's not trivial to design and implement such security model.

[Luismahou]

Well, that's a pity! Would you mind to keep the issue open for a while to see if more people show interest?

Cheers

[pl]

Sure, no problem, I don't mind keeping it open.

[timdorr]

What about having a private, authenticated channel for the user to send events over, and then have a webhook to receive those events and send them back over the public broadcast channel? It wouldn't be as fast as client-to-client communications, but it would reduce some of the network latency and HTTP overhead.

[Luismahou]

Thanks for the suggestion! I'm already using a private channel to speed up some critical communications between a specific set of users. For the rest I don't need that speed and simply broadcast events through HTTP.

[darkyen]

+1 On this model, although it seems to be a limited use-case.

[hph]

Since there hasn't been any activity on this issue for more than a year, and, more importantly, there are no plans to implement this at this time (it involves more than just pusher-js), I'm closing this issue.

[syrsly]

Isn't this a feature of Chatkit now?