I am fiddling with Laravel websockets for the first time. Currently I am just using a plain JS WebSocket client (not Laravel Echo).

The way I see it, Laravel Echo provides an 'authEndpoint' for private and presence channels.

This allows you to create a Broadcast::channel() callback that looks like this:

Broadcast::channel('App.User.{id}', function ($user, $id) {
    return (int) $user->id === (int) $id;
});

What puzzles me now is that when I make a websocket connection with the native WebSocket client and I don't provide the auth endpoint, I can just subscribe to my private channel, and thus bypass all auth completely?

Is this correct or am I missing something?

My goal is to have private channels that reject access if the auth endpoint was not provided.

Guardian
  • Since I cannot comment yet - see: https://stackoverflow.com/questions/43341820/laravel-echo-allow-guests-to-connect-to-presence-channel?rq=1 – gboone Sep 25 '20 at 20:59
  • Thanks for your reply. I have checked that link, but that seems to state the opposite from what I am seeing? – Guardian Sep 26 '20 at 12:06

1 Answer


What does your broadcast routing look like? Any middleware?

From Laravel:

Broadcast::channel('channel', function () {
    // ...
}, ['guards' => ['web', 'admin']]);
gboone
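
As an added example (not code from the question, the answer, or Laravel), this models in JavaScript the check a Pusher-protocol websocket server applies to a subscribe frame: only channel names prefixed `private-` or `presence-` require the signed `auth` value that the auth endpoint issues, and a bare name is treated as public. It assumes the server speaks the Pusher protocol, as Laravel Echo's Pusher connector does; the key, secret, socket id and function names are constructed for illustration.

```javascript
// Added example: subscribe-time check on a Pusher-protocol server (assumed protocol).
const crypto = require('crypto');

// Constructed sample credentials, not real ones.
const APP_KEY = 'sample-app-key';
const APP_SECRET = 'sample-app-secret';

// What the auth endpoint returns once the Broadcast::channel() callback allows the user.
function signSubscription(socketId, channel, channelData) {
  const parts = channel.startsWith('presence-')
    ? [socketId, channel, String(channelData)] // presence also signs the member data
    : [socketId, channel];
  const mac = crypto.createHmac('sha256', APP_SECRET).update(parts.join(':')).digest('hex');
  return `${APP_KEY}:${mac}`;
}

// What the websocket server does with an incoming pusher:subscribe frame.
function checkSubscribe(socketId, rawFrame) {
  let msg;
  try { msg = JSON.parse(rawFrame); } catch { return { ok: false, reason: 'bad-json' }; }
  if (msg?.event !== 'pusher:subscribe' || typeof msg.data?.channel !== 'string') {
    return { ok: false, reason: 'not-a-subscribe' };
  }
  const { channel, auth, channel_data: channelData } = msg.data;
  const restricted = channel.startsWith('private-') || channel.startsWith('presence-');
  if (!restricted) return { ok: true, reason: 'public-channel' }; // no auth is checked here
  if (typeof auth !== 'string') return { ok: false, reason: 'auth-missing' };
  const expected = Buffer.from(signSubscription(socketId, channel, channelData));
  const given = Buffer.from(auth);
  const match = given.length === expected.length && crypto.timingSafeEqual(given, expected);
  return match ? { ok: true, reason: 'auth-valid' } : { ok: false, reason: 'auth-invalid' };
}

// Constructed frames, as a plain WebSocket client would send them.
const SOCKET_ID = '1234.5678';
const AUTH_FOR_USER_1 = signSubscription(SOCKET_ID, 'private-App.User.1');
const frame = (data) => JSON.stringify({ event: 'pusher:subscribe', data });
const SAMPLES = {
  bareName: frame({ channel: 'App.User.1' }),
  privateNoAuth: frame({ channel: 'private-App.User.1' }),
  privateSigned: frame({ channel: 'private-App.User.1', auth: AUTH_FOR_USER_1 }),
  replayedElsewhere: frame({ channel: 'private-App.User.2', auth: AUTH_FOR_USER_1 }),
};
for (const [name, raw] of Object.entries(SAMPLES)) {
  console.log(name, checkSubscribe(SOCKET_ID, raw));
}
```

Echo's `private('App.User.1')` subscribes to `private-App.User.1`, while the `Broadcast::channel()` pattern is written without the prefix, so the name sent over a raw socket decides whether the signature check runs at all.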