The current implementation assumes the cookies are shared. This works in most cases (when the domain is the same), but not when a different domain is used.
The Pusher implementation uses the client JS to authenticate the subscription request, by just sending an XHR request to the broadcast route, which generates a hash based on the key + data. This hash is validated on the Pusher server (I guess), thus no cookies are shared with Pusher, only the local XHR request. (See https://pusher.com/docs/authenticating_users)
This has the advantage that you can authenticate locally and connect to a host on a different server, without using alternative methods (JWT?). The downside is that a key/secret needs to be shared with the Laravel app.
So current:
Server needs to know auth url
Server needs to receive cookies
Laravel doesn't need anything (except default redis)
Client only needs the host/port of the server
Alternative:
Server only needs to know the shared key/secret
Laravel needs to know key/secret
Client only needs the host/port and the local part of auth url (mostly the same)
Cookies are automatically shared
Is there a reason the first method is chosen? I think it's probably too late to change now, but it might be something to look into if we ever need a new version or something.
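
The alternative flow described in the post above, as an added example that is not part of the original post or of either project's code: the app signs the subscription with the shared secret and the socket server verifies it without ever seeing a cookie. It follows the scheme in Pusher's documentation (HMAC-SHA256 over `socket_id:channel_name`, returned as `key:signature`); the function names and credentials are constructed for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// Constructed sample credentials (assumptions, not real values).
const APP_KEY = 'example-app-key';
const APP_SECRET = 'example-app-secret';

// App side: called by the broadcast auth route only after its own
// session/cookie check has passed. Signs "socket_id:channel[:channel_data]".
function signSubscription(key, secret, socketId, channel, channelData) {
  const parts = [socketId, channel];
  if (channelData !== undefined) parts.push(channelData); // presence channels
  const sig = createHmac('sha256', secret).update(parts.join(':')).digest('hex');
  return `${key}:${sig}`;
}

// Socket-server side: recompute the signature from the shared secret and
// compare in constant time. The token is bound to one socket and one channel.
function verifySubscription(key, secret, socketId, channel, auth, channelData) {
  if (typeof auth !== 'string') return false;
  const sep = auth.indexOf(':');
  if (sep < 0 || auth.slice(0, sep) !== key) return false;
  const expected = signSubscription(key, secret, socketId, channel, channelData)
    .slice(key.length + 1);
  const given = Buffer.from(auth.slice(sep + 1), 'utf8');
  const want = Buffer.from(expected, 'utf8');
  // timingSafeEqual throws on length mismatch, so check length first.
  return given.length === want.length && timingSafeEqual(given, want);
}

// Constructed exchange: the client forwards the app's token to the socket server.
function demo() {
  const socketId = '1234.5678';
  const token = signSubscription(APP_KEY, APP_SECRET, socketId, 'private-orders.1');
  return {
    accepted: verifySubscription(APP_KEY, APP_SECRET, socketId, 'private-orders.1', token),
    replayedOnOtherChannel:
      verifySubscription(APP_KEY, APP_SECRET, socketId, 'private-orders.2', token),
  };
}
```

Because the signature covers the socket id and channel name, a token issued for one subscription is rejected when replayed against another channel or from another connection.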