
Incorrect Signature Generation Due to Channel Name Normalization in PusherBroadcaster.php for private and presence channels. #52618

Open
vingrad opened this issue Aug 31, 2024 · 2 comments

Comments

@vingrad

vingrad commented Aug 31, 2024

Laravel Version

11.21.0

PHP Version

8.2

Database Driver & Version

No response

Description

According to the Pusher documentation, the signature must include the full channel name (including prefixes like private-, presence-, and others). See the implementation example in Ruby in the official documentation:

require 'openssl'
digest, secret = OpenSSL::Digest.new('sha256'), 'APP_SECRET_PLACEHOLDER' # secret is a placeholder for your Pusher app secret
string_to_sign = "1234.1234:private-foobar"
signature = OpenSSL::HMAC.hexdigest(digest, secret, string_to_sign)

https://pusher.com/docs/channels/library_auth_reference/auth-signatures/#private-channel

However, in the validAuthenticationResponse method in PusherBroadcaster.php, there is the following line:

$channelName = $this->normalizeChannelName($request->channel_name);

This line refers to the following implementation in UsePusherChannelConventions.php:

    public function normalizeChannelName($channel)
    {
        foreach (['private-encrypted-', 'private-', 'presence-'] as $prefix) {
            if (Str::startsWith($channel, $prefix)) {
                return Str::replaceFirst($prefix, '', $channel);
            }
        }

        return $channel;
    }

This means that the generated signature is incorrect because the channel name used for signing does not include the prefix. When sending an event on Pusher (I tested this with Soketi):

{"event":"pusher:subscribe","data":{"auth":"ab7aa03b2b2b5f54eb60ce76fb94:4111c21c574e106c05cdc416ac9f9dbfa4a29715e88235ed068b70c8082bde90","channel":"private-projects.1.tasks"}}

You receive the following error because the signature was generated using the channel name without the prefix:

{"event":"pusher:subscription_error","channel":"private-projects.1.tasks","data":{"type":"AuthError","error":"The connection is unauthorized.","status":401}}

Steps To Reproduce

POST request to: http:///api/broadcasting/auth

with the following payload:

socket_id=603005281.6444719709&channel_name=private-projects.1.tasks
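To make the mismatch described in this report concrete, here is an added Ruby example (not code from the Laravel framework or from the Pusher documentation). It builds the Pusher auth string the way the auth-signature reference specifies (HMAC-SHA256 over `socket_id:channel_name`, or `socket_id:channel_name:channel_data` for presence channels, using the full prefixed channel name), mirrors the `normalizeChannelName()` logic quoted above, and shows that a signature computed over the prefix-stripped name fails the server-side check. `APP_KEY` and `APP_SECRET` are constructed placeholders, and `server_accepts?` is an assumed stand-in for what a Pusher-compatible server such as Soketi does on `pusher:subscribe`; the socket id and channel name are the ones from the reproduction payload.

```ruby
require 'openssl'

# Constructed example credentials; not real Pusher app credentials.
APP_KEY    = 'constructed-app-key'
APP_SECRET = 'constructed-app-secret'

# Build the Pusher auth value "key:signature". Per the Pusher auth-signature
# reference the signed string is "socket_id:channel_name" for private channels
# and "socket_id:channel_name:channel_data" for presence channels, where
# channel_name is the FULL name including its private-/presence- prefix.
def pusher_auth(socket_id, channel_name, channel_data = nil)
  string_to_sign = [socket_id, channel_name, channel_data].compact.join(':')
  signature = OpenSSL::HMAC.hexdigest('sha256', APP_SECRET, string_to_sign)
  "#{APP_KEY}:#{signature}"
end

# Mirror of the normalizeChannelName() behaviour quoted in this issue:
# strips a recognised prefix, so the name no longer matches what the
# Pusher server signs over.
def normalize_channel_name(channel)
  ['private-encrypted-', 'private-', 'presence-'].each do |prefix|
    return channel.sub(prefix, '') if channel.start_with?(prefix)
  end
  channel
end

# Constant-time comparison so the signature check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Assumed model of the server side: on pusher:subscribe the server recomputes
# the expected auth over the full channel name it received and compares.
def server_accepts?(auth, socket_id, channel_name, channel_data = nil)
  expected = pusher_auth(socket_id, channel_name, channel_data)
  secure_compare(auth, expected)
end

# Values taken from the reproduction payload in this issue.
SOCKET_ID = '603005281.6444719709'
CHANNEL   = 'private-projects.1.tasks'

# Signing the full channel name, as the Pusher docs specify.
def correct_auth
  pusher_auth(SOCKET_ID, CHANNEL)
end

# Signing the normalized (prefix-stripped) name reproduces the bug.
def buggy_auth
  pusher_auth(SOCKET_ID, normalize_channel_name(CHANNEL))
end

if __FILE__ == $PROGRAM_NAME
  puts "correct: #{correct_auth}  accepted=#{server_accepts?(correct_auth, SOCKET_ID, CHANNEL)}"
  puts "buggy:   #{buggy_auth}  accepted=#{server_accepts?(buggy_auth, SOCKET_ID, CHANNEL)}"
end
```

Running the script prints two different auth values; only the one signed over `private-projects.1.tasks` passes the check, which is the `AuthError` / 401 outcome shown in the `pusher:subscription_error` message above. The same helper covers presence channels by passing the JSON `channel_data` as the third argument.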


github-actions bot commented Sep 2, 2024

Thank you for reporting this issue!

As Laravel is an open source project, we rely on the community to help us diagnose and fix issues as it is not possible to research and fix every issue reported to us via GitHub.

If possible, please make a pull request fixing the issue you have described, along with corresponding tests. All pull requests are promptly reviewed by the Laravel team.

Thank you!

@mstephen77

However, in the validAuthenticationResponse method in PusherBroadcaster.php, there is the following line...

$channelName = $this->normalizeChannelName($request->channel_name);

If you're referring to this, just wanted to let you know that a few lines above that there's logic to authenticate private channels.

It may be that you're indeed broadcasting to a non-private channel instead.
