Can I use Pusher Channel Authentication with Web Framework CSRF Protection?
Problem
The Pusher JavaScript client library makes an authentication AJAX request when subscribing to a Private or Presence channel. This request is made as an HTTP POST.
By default, many web frameworks such as Ruby on Rails and Laravel intercept a POST request made from JavaScript and reject it with a 403 response, because it is treated as a Cross-Site Request Forgery (CSRF) attempt.
Solution
The solution depends on the client library that you are using:
JavaScript
Parameters to be sent along with the authentication request, such as the framework's CSRF token, can be set in the Pusher constructor's options parameter.
An alternative is to use JSONP authentication: it is made as a GET request, so it shouldn't be treated as a CSRF attempt. See https://pusher.com/docs/channels/server_api/authenticating-users#jsonp_auth_endpoints
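The following is an added example, not code from Pusher or from this page, showing the JavaScript side of the solution: it reads the framework's CSRF token from the page and passes it to the Pusher constructor options so that the channel-authentication POST carries it. It assumes the token is rendered in a `<meta name="csrf-token" content="...">` tag (the convention Rails and Laravel use), that the framework checks the `X-CSRF-Token` request header, that the authentication endpoint is `/pusher/auth`, and the cluster name `mt1`; the function names `readCsrfToken` and `buildPusherOptions`, the sample document object and the channel name are constructed for the example. The `authEndpoint`, `authTransport` and `auth.headers` / `auth.params` options are pusher-js constructor options.

```javascript
// Added example (not Pusher's code): attach the web framework's CSRF token to
// the pusher-js channel-authentication request so the framework's CSRF filter
// accepts the POST instead of answering 403.

// Read the CSRF token from the page. `doc` defaults to the browser's document;
// a stand-in object can be passed in so the function also runs outside a browser.
// Returns null when no usable token is present.
function readCsrfToken(doc) {
  const d = doc || (typeof document !== 'undefined' ? document : null);
  if (!d) return null;
  const meta = d.querySelector('meta[name="csrf-token"]'); // assumed tag name
  const token = meta && meta.getAttribute('content');
  return token && token.trim() !== '' ? token.trim() : null;
}

// Build the options object for `new Pusher(key, options)`.
// - transport 'ajax' (pusher-js default): the auth request is a POST, so the
//   CSRF token is sent in the X-CSRF-Token header (assumed header name). If a
//   framework expects a form field instead, put it under `auth.params`.
// - transport 'jsonp': the auth request is a GET made through a <script> tag,
//   so no token is attached (headers cannot be set on that transport anyway).
function buildPusherOptions(csrfToken, { cluster = 'mt1', transport = 'ajax' } = {}) {
  const options = { cluster, authEndpoint: '/pusher/auth' }; // assumed endpoint
  if (transport === 'jsonp') {
    options.authTransport = 'jsonp';
    return options;
  }
  if (!csrfToken) {
    // Fail early: without the token the framework would reject the POST with 403.
    throw new Error('CSRF token missing; the authentication POST would be rejected');
  }
  options.authTransport = 'ajax';
  options.auth = {
    headers: { 'X-CSRF-Token': csrfToken },
    params: {}, // e.g. { _token: csrfToken } for a framework that reads a form field
  };
  return options;
}

// Constructed stand-in for a page that rendered
// <meta name="csrf-token" content="constructed-csrf-token-value">, so the
// example runs without a browser. In the browser, call readCsrfToken() with no
// argument to use the real document.
const sampleDocument = {
  querySelector: (selector) =>
    selector === 'meta[name="csrf-token"]'
      ? { getAttribute: () => 'constructed-csrf-token-value' }
      : null,
};

const options = buildPusherOptions(readCsrfToken(sampleDocument));

// Only construct the client when pusher-js is actually loaded on the page.
if (typeof Pusher !== 'undefined') {
  const pusher = new Pusher('APP_KEY_PLACEHOLDER', options); // placeholder key
  pusher.subscribe('private-orders'); // constructed channel name
}
```

The ajax transport with the token is the option that keeps the framework's CSRF check in force; the JSONP transport avoids the 403 by making the endpoint reachable with a plain GET, so it sidesteps the check rather than satisfying it, and the endpoint must still authorise the subscription from the user's session.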
iOS/Objective-C
The documentation for setting HTTP headers for libPusher can be found here:
https://github.com/pusher/libPusher#channel-authorization
Android/Java
The documentation for setting HTTP headers for pusher-websocket-java can be found here: http://pusher.github.io/pusher-websocket-java/com/pusher/client/util/HttpAuthorizer.html#setHeaders(java.util.HashMap).