Isnt this "unsafe"?

[sinnbeck]

I have read through the source, and it seems that all chat is done on a single private channel called 'private-chatify'. On this channel, all messages are sent. That would also mean that if someone were to open developer tools (f12), select Network and then WS (Websockets), they would be able to see all messages sent? Yes the package does make sure you only see you own chat messages, but as that is done using Javascript, anyone can read ALL messages.

[munafio]

It may be "unsafe" as you said! because I tried to make this package as simple as I can for other developers so I used the simplest techniques with this package .. and also I may not noticed that!!.. but, I'll re-develop it completely with better, secure, easy and clean code .. and this will be fixed in the next releases
Many Thanks for you.

[sinnbeck]

No worries. I was just looking at the source as I am building something similar (using pusher with laravel echo). I am joining a personal private channel ('private-direct.' + user.id), which I then push to, using laravels own broadcasting (using your implementation should probably be able to do the same) :)

Something like

send() method on controller

Chatify::push('private-chatify.' . $request['id'], 'messaging', [
                'from_id' => Auth::user()->id,
                'to_id' => $request['id'],
                'message' => Chatify::messageCard($messageData, 'default')
            ]);

and js

// subscribe to the channel
var channel = pusher.subscribe('private-chatify.' + auth_id);

[munafio]

This will be solved as your suggestion and maybe with some changes in a better way..
Thanks to you.

[laurencei]

@munafio, what is the eta for v2 that you mentioned?

p.s. seems like an amazing package - great work.

[munafio]

@laurencei I can not tell you right now, BUT! As soon as possible will be there😁

[elliters]

This has been a year now, is this get solved ?

[munafio]

This has been a year now, is this get solved ?

Yes, since v1.2.x as I can remember.

[stayallive]

This package is still using a single socket channel as of today for realtime so be cautious using this, the Pusher authentication endpoint also authorizes any channel for any authenticated user so be careful exposing that if you use other private channels with more sensitive data.

chatify/src/Http/Controllers/MessagesController.php

Lines 177 to 182 in d49fcc3

	// send to user using pusher
	Chatify::push('private-chatify', 'messaging', [
	'from_id' => Auth::user()->id,
	'to_id' => $request['id'],
	'message' => Chatify::messageCard($messageData, 'default')
	]);

[aneesdev]

@munafio it's 2022 and you till haven't done anything sadly

[munafio]

@munafio it's 2022 and you till haven't done anything sadly

Hi 👋
Sorry for that, but the reason behind it is that there is no support for my work to keep up with 🤷🏻‍♂️ also because of my own business... but the next days I will work on it to fix this security issue.
Hope to be released very soon.. till then, you can do/customize whatever you want since Chatify is fully customizable ❤️
Regards