Why Do You Require Server Authentication To Use Client Events?

Allowing a client to publish events on any channel opens up a number of issues. Instead, we only allow clients to publish if they have authenticated with your servers as a user you trust to do this. Before authenticating a user on a channel that allows client events, bear in mind the following:

Potential for abuse

A channel with a large number of subscribers needs to be protected from rogue clients publishing messages. If there are 1,000,000 people connected and a client chooses to publish 10 events per second, this could result in a significant number of messages being sent and your plan limits being reached very quickly. In worst-case scenarios there could even be a degradation of service (depending on factors such as the size of the message).

Spoofing

Client events cannot be trusted: they don't go through an authoritative server to validate them before being distributed to other people. In a fairly innocuous example of abuse, a client could post messages in a chat room pretending to be another user (later versions of some client SDKs support user_id metadata - https://pusher.com/docs/client_api_guide/client_events#user-id-client-events). Being a bit more devious, they could do things like take advantage of XSS vulnerabilities that may be present within an application. In all situations where client events are used, the application receiving them should verify the event data before using it. This is one of the reasons we've added the client- prefix requirement.

Stealing your quotas

Finally, if your Pusher subscriptions which support client events aren't in some way tied to your secret keys via an authentication mechanism, nothing would stop someone from taking the public key from your web page and using it in their applications.

While people can already theoretically subscribe to public channels using your public key, there isn't much point in doing so. Being able to publish client events, though, makes them useful. Unfortunately, the usage would be on your account.

Other

Why do we prefix 'client-' onto events?

So that people can't spoof trusted events that are published from your server.
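The spoofing section above says a receiving application should verify client event data before using it, and this answer explains that the client- prefix marks which events did not come from your server. The following is an added example, not Pusher's code, of a receiving-side check that a chat application could run on each event (for instance from a pusher-js bind_global handler). The event name client-chat-message, the payload shape { text }, and the limits are assumptions constructed for this example; the sender's user_id is assumed to come from the authenticated channel's metadata, never from the payload.

```javascript
// Added example (not Pusher's code): defensive handling of a client event on the
// receiving side. Assumes a chat app whose peers send "client-chat-message" events
// shaped as { text: string }; that name and shape are constructed for this example.

const MAX_TEXT_LENGTH = 500;     // reject oversized payloads
const MAX_EVENTS_PER_WINDOW = 5; // per sender, per window
const WINDOW_MS = 1000;

// Escape characters that would let message text be interpreted as HTML when rendered.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Per-sender sliding-window rate limiter: at most `limit` events per `windowMs`.
class RateLimiter {
  constructor(limit, windowMs) { this.limit = limit; this.windowMs = windowMs; this.seen = new Map(); }
  allow(sender, now) {
    const recent = (this.seen.get(sender) || []).filter((t) => now - t < this.windowMs);
    if (recent.length >= this.limit) { this.seen.set(sender, recent); return false; }
    recent.push(now);
    this.seen.set(sender, recent);
    return true;
  }
}

// Validate one incoming event before the app acts on it.
// `userId` is the sender identity supplied by the authenticated channel (e.g. presence
// user_id metadata), never a field inside the untrusted payload.
// Returns { ok: true, message } or { ok: false, reason }.
function validateClientEvent(eventName, data, userId, limiter, now) {
  // Names without the client- prefix can only originate from the server and are handled
  // by the trusted path; seeing one here means the handler is wired up wrongly.
  if (typeof eventName !== 'string' || !eventName.startsWith('client-')) {
    return { ok: false, reason: 'not-a-client-event' };
  }
  if (eventName !== 'client-chat-message') return { ok: false, reason: 'unknown-event' };
  if (typeof userId !== 'string' || userId === '') return { ok: false, reason: 'missing-user-id' };
  if (!limiter.allow(userId, now)) return { ok: false, reason: 'rate-limited' };
  if (data === null || typeof data !== 'object') return { ok: false, reason: 'bad-payload' };
  const { text } = data;
  if (typeof text !== 'string' || text.length === 0 || text.length > MAX_TEXT_LENGTH) {
    return { ok: false, reason: 'bad-text' };
  }
  // Any sender name the payload carries is ignored: identity comes only from `userId`.
  return { ok: true, message: { from: userId, html: escapeHtml(text) } };
}
```

Only the returned message object, with its escaped text and channel-supplied sender, should reach the rendering code; the raw payload is discarded.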
