I opened a ticket with PubNub and also read: https://help.pubnub.com/entries/22251291-Can-I-Hide-my-Application-Keys-
But I still can't understand how I can stop the user from seeing my keys, as they are still on the client side even after obfuscation.
What I want to do is something I read in this post: PubNub publish message between two Private Channels
- Create a public channel and a private channel for each user
- Hide the keys from the user
I'm not sure how to create a private channel with custom keys that the user can't see.
EDIT: I was able to understand the flow of auth_key but can't find the PHP equivalent of the JS crypto lib to grant permission. Any idea on how to implement it in PHP?
Hiding Your API Keys with PubNub JS SDK
With PubNub Access Manager you no longer need to worry about hiding your publish_key and subscribe_key in your source code in JavaScript or any other language! Typically you would consider that hiding your keys becomes a means to preventing access to streams of data on your PubNub Channels. However this is not necessary and there is a best practices method to use instead: The following is your solution for the new way to manage access and the new way to manage your keys.
PubNub Access Manager Example JS/PHP Grant Revoke SDK
You can issue per-user connection grant() and revoke() access in realtime on the PubNub global Real-Time Network. Various levels of security within the PubNub network using a grant/revoke (whitelist) permission scheme, where the first grant found in the hierarchy grants read/write access. Permissions are evaluated for both publish and subscribe based on this hierarchy. Our pam.php PubNub Access Manager PHP Class is finally ready to go! You can get started by seeing the example usage code below with full code coverage of the SDK. You can find all source code via the GitHub Gist Link:
Include PAM and Initialize class access
Grant User Access
Grant access to user with authkey of gZW5jb2RlZCBmaWx with read and write access for 5 minute ttl. You can make the authkey anything you want!
Grant User Presence Access
Also grant access to the presence channel (required for PubNub Dev Console).
Grant GLOBAL Access (to all users)
Exclude the authkey and you can global grant access to all.
Forever Grant Access
You can grant access forever by setting the ttl param to 0.
Revoke User Access
Instantly revoke access to a user.
Revoke Global Access
You can also revoke Global Access by excluding the authkey param.
PAM (PubNub Access Manager) PHP Class SDK
pam.php
The full file can be found here: PubNub Access Manager (PAM) PHP Full Library for Granting and Revoking Access
PubNub Dev Console Test Link:
WARNING: PubNub Dev Console Requires Grant on Presence Channel too! You can set the presence access by granting on the suffix of -pnpres channel name.
You can't hide keys that are transmitted to the client and are accessible in JavaScript.
However, what you can do is restrict who can read and write to channels by using an auth_key along with your publish and subscribe keys. PubNub recently released the PubNub Access Manager to enable this. The auth_key will be specific to each user.
- auth_key will allow that user to read and write to their own private channel. You will need to set permissions so that nobody else will be able to read or write to this channel.
- auth_key will give them permission to read and write to their own public channel. Others can read, but cannot write to this channel.
Details on exactly how to do this should probably be asked in another question. The PAM getting started guide should be the best place to start.
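The per-user scheme described in this answer, sketched as an added example that is not part of the original answers or PubNub's own code: a simplified local model of whitelist grant checks showing why access control rests on the server-issued auth_key rather than on hiding the publish and subscribe keys. GrantTable, provisionUser, newAuthKey and the channel names are assumptions made for illustration, and nothing here calls the PubNub SDK.

```javascript
// Added example: simplified local model of grant/revoke checks, not the PubNub SDK.
const crypto = require("crypto");

// Server-side only: an unguessable per-user auth_key (never derived from the username).
function newAuthKey() {
  return crypto.randomBytes(24).toString("base64url");
}

class GrantTable {
  constructor() { this.grants = new Map(); } // "channel|authKey" -> {read, write, expires}

  // authKey === null models a global grant; ttlMinutes === 0 means forever.
  grant(channel, authKey, { read, write, ttlMinutes }, now = Date.now()) {
    const expires = ttlMinutes === 0 ? Infinity : now + ttlMinutes * 60000;
    this.grants.set(`${channel}|${authKey ?? "*"}`, { read, write, expires });
  }

  revoke(channel, authKey) {
    this.grants.delete(`${channel}|${authKey ?? "*"}`);
  }

  // Whitelist: allowed only if an unexpired user or global grant carries the permission.
  allowed(channel, authKey, perm, now = Date.now()) {
    return [authKey, "*"].some((k) => {
      const g = this.grants.get(`${channel}|${k}`);
      return Boolean(g && g.expires > now && g[perm]);
    });
  }
}

// Channel names are hypothetical; "-pnpres" is the presence suffix the page mentions.
function provisionUser(table, user, ttlMinutes, now = Date.now()) {
  const authKey = newAuthKey();
  const priv = `private-${user}`, pub = `public-${user}`;
  const rw = { read: true, write: true, ttlMinutes };
  for (const ch of [priv, `${priv}-pnpres`, pub, `${pub}-pnpres`]) {
    table.grant(ch, authKey, rw, now);
  }
  // Everyone may read the public channel, only the owner may write.
  table.grant(pub, null, { read: true, write: false, ttlMinutes }, now);
  return authKey;
}
```

The server would hand each returned auth_key only to its authenticated owner; the default-deny check means a client holding just the publish and subscribe keys gets nothing on the private channels.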