Rejecting a primepush connection

Question

As I understand the way that PrimePush works, connecting to the server happens through javascript invocation from the client side.

I am worried about users hacking the javascript - trying to subscribe to channels that they do not have permission to access.

That is why I am looking for an elegant way of rejecting a PrimePush connection if I am able to identify that the user is not authorized to access that channel (e.g. subscribing to messages for another user).

It would be nice if this could be achieved through the @onOpen method.

Answer 1

In the end I ended up registering users by a unique id (e.g. session id), so that no one could guess the id. Then I would just create logic for figuring out which sockets should receive information on which events. Not as elegant I think, but it should be rather safe.