tlaverdure / laravel-echo-server

Socket.io server for Laravel Echo
MIT License
2.65k stars 512 forks

Authentication (session sharing, multi domain) #114

Open barryvdh opened 7 years ago

barryvdh commented 7 years ago

The current implementation assumes the cookies are shared. This works in most cases (when the domain is the same), but not when a different domain is used.

The Pusher implementation uses the client JS to authenticate the subscription request, by just sending an XHR request to the broadcast route, which generates a hash based on the key + data. This hash is validated on the Pusher server (I guess), thus no cookies are shared with Pusher, only the local XHR request. (See https://pusher.com/docs/authenticating_users)

This has the advantage that you can authenticate locally and connect to a host on a different server, without using alternative methods (JWT?). The downside is that a key/secret needs to be shared with the Laravel app.

So current:

Alternative:

Is there a reason the first method is chosen? I think it's probably too late to change now, but it might be something to look into if we ever need a new version or something.
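
The signed-subscription flow described in the comment above, sketched in Node.js as an added example (not code from laravel-echo-server or from this thread). The HMAC-SHA256 over `socket_id:channel_name` follows Pusher's documented private-channel scheme; the key, secret, socket IDs, channel names and function names are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed sample credentials. In this model the Laravel app and the
// socket server share APP_SECRET; the browser only ever sees APP_KEY.
const APP_KEY = 'example-key';
const APP_SECRET = 'example-secret';

// App side (the broadcast auth route). Called only after the app has checked
// the user's local session and decided the user may join `channel`.
function signSubscription(key, secret, socketId, channel, channelData) {
  const parts = [socketId, channel];
  if (channelData !== undefined) parts.push(channelData); // presence channels
  const mac = crypto.createHmac('sha256', secret)
    .update(parts.join(':'))
    .digest('hex');
  return `${key}:${mac}`;
}

// Socket server side. No cookie is needed: the server recomputes the MAC
// from the values the client sent and compares it with the presented token.
function verifySubscription(key, secret, socketId, channel, auth, channelData) {
  if (typeof auth !== 'string') return false;
  // ':' is the field separator, so reject it inside the signed fields to
  // keep "a:b" + "c" from signing the same string as "a" + "b:c".
  if (socketId.includes(':') || channel.includes(':')) return false;
  const expected = Buffer.from(
    signSubscription(key, secret, socketId, channel, channelData));
  const given = Buffer.from(auth);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
}

// Constructed exchange: the token is bound to one socket and one channel,
// so replaying it on another connection or channel fails verification.
const token = signSubscription(APP_KEY, APP_SECRET, '1234.5678', 'private-orders.1');
console.log(verifySubscription(APP_KEY, APP_SECRET, '1234.5678', 'private-orders.1', token));
console.log(verifySubscription(APP_KEY, APP_SECRET, '9999.0001', 'private-orders.1', token));
```

Because the socket ID is part of the signed string, a token captured from one connection cannot be reused on another; the trade-off raised in the comment remains, since the secret has to live on both the app and the socket server.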

okaufmann commented 7 years ago

Is there any news?