
I tried to find an answer for my question on Google, but everywhere on the internet I mostly find information about private channels and public channels in Laravel Event Broadcast.
In my recent project I used many private channels in Laravel. Today, I realized that when a user submits a form using Vue JS Axios, all data is received through the private channel and is clearly visible in any browser's developer tools.
Exactly like the image below: you see the user's first name, surname, email address and all other sensitive data which is sent by the Laravel private channel and received through the Pusher private channel.
I am not sure if this kind of data will be protected by the HTTPS layer later on the live website or not, but I feel I missed something in my code to protect users' data!
Now my question is: can I restrict the users' data that is sent from the back-end? Can I send ONLY the necessary information and not all the sensitive data?
If my question is a duplicate, please help me find the original question.
I also attached the pieces of code I used to broadcast events in Laravel and Pusher.
If anybody has any suggestion or advice about my concern, please comment or answer below. Thank you.
Laravel Broadcast Event Codes

namespace App\Events;

use Illuminate\Broadcasting\InteractsWithSockets;
use Illuminate\Broadcasting\PrivateChannel;
use Illuminate\Contracts\Broadcasting\ShouldBroadcastNow;
use Illuminate\Foundation\Events\Dispatchable;
use Illuminate\Queue\SerializesModels;

class ContactRequests implements ShouldBroadcastNow
{
    use Dispatchable, InteractsWithSockets, SerializesModels;

    protected $receiver;
    protected $sender;

    public function __construct($receiver, $sender)
    {
        $this->receiver = $receiver;
        $this->sender = $sender;
    }

    // Private channel keyed by the receiver's uid; subscription is authorized by the channels.php callback below.
    public function broadcastOn()
    {
        return new PrivateChannel('newContactRequest.'.$this->receiver->uid);
    }

    // Everything returned here is serialized into the Pusher message.
    // 'ContactRequest' carries the whole receiver model, i.e. every attribute not listed in the model's $hidden.
    public function broadcastWith()
    {
        return [
            'ContactRequest' => $this->receiver,
            'userAddable' => $this->receiver->checkAddable($this->sender),
            'requestRejectable' => $this->receiver->checkRejectable($this->sender),
            'requestAcceptable' => $this->receiver->checkAcceptable($this->sender),
            'contactSpamMarkable' => $this->receiver->checkSpamMarkable($this->sender),
        ];
    }
}

Channels.php codes

use Illuminate\Support\Facades\Broadcast;

// Only the authenticated user whose uid matches {id} may subscribe; {id} arrives as a string, so cast before the strict comparison.
Broadcast::channel('newContactRequest.{id}', function ($user, $id) {
    return (string) $user->uid === (string) $id;
});

Vue JS Pusher/Echo Codes

// Subscribe to the current user's private channel. Echo first POSTs to /broadcasting/auth,
// which runs the channels.php callback above; after that, every field of the broadcast
// payload (`response`) arrives in the browser and is visible in its developer tools.
async catchContactRequests () {
    await Echo.private(`newContactRequest.${this.userId}`)
        .listen('ContactRequests', (response) => {
            this.$store.dispatch('userAddableAction', response.userAddable)
            this.$store.dispatch('requestRejectableAction', response.requestRejectable)
            this.$store.dispatch('requestAcceptableAction', response.requestAcceptable)
            this.$store.dispatch('markContactSpamAction', response.contactSpamMarkable)
        })
}
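A hardened version of the event above, added here as an example and not part of the question's code (the check* helper methods are the question's own; the event boilerplate follows Laravel's standard structure): broadcastWith() returns only the four flags the Vue listener actually dispatches, so no model attributes enter the Pusher payload at all. TLS (wss://) only hides the payload from third parties on the wire; the subscribing browser still sees everything that is sent, so the fix is to not send what the client does not need.

```php
<?php
// Added example, not the question's own code. Same class name and helper
// methods as in the question; the payload is reduced to an explicit allow-list.

namespace App\Events;

use Illuminate\Broadcasting\InteractsWithSockets;
use Illuminate\Broadcasting\PrivateChannel;
use Illuminate\Contracts\Broadcasting\ShouldBroadcastNow;
use Illuminate\Foundation\Events\Dispatchable;
use Illuminate\Queue\SerializesModels;

class ContactRequests implements ShouldBroadcastNow
{
    use Dispatchable, InteractsWithSockets, SerializesModels;

    // Constructor property promotion (PHP 8+). The models stay on the event
    // object for the check* calls, but they are never part of the payload.
    public function __construct(protected $receiver, protected $sender)
    {
    }

    public function broadcastOn(): PrivateChannel
    {
        return new PrivateChannel('newContactRequest.' . $this->receiver->uid);
    }

    public function broadcastWith(): array
    {
        // Before: 'ContactRequest' => $this->receiver serialized every
        // non-hidden attribute (name, surname, email, ...) into the message.
        // After: only the booleans the Vue listener reads. The front-end code
        // in the question never uses response.ContactRequest, so dropping
        // it changes nothing on the client side.
        return [
            'userAddable'         => (bool) $this->receiver->checkAddable($this->sender),
            'requestRejectable'   => (bool) $this->receiver->checkRejectable($this->sender),
            'requestAcceptable'   => (bool) $this->receiver->checkAcceptable($this->sender),
            'contactSpamMarkable' => (bool) $this->receiver->checkSpamMarkable($this->sender),
        ];
    }
}
```

If the client later needs something to identify the sender, add a single opaque identifier to this array rather than the model; the same allow-list discipline applies to every broadcastWith() in the project.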


  • It depends on the broadcast configuration. You can use a websocket (`ws://`), a secure websocket (`wss://`) or go over `https://`. If you go by the [laravel configuration](https://laravel.com/docs/9.x/broadcasting) and use Pusher, then that is by default over a secure websocket, so it is secure the same way HTTPS is secure – apokryfos Mar 09 '22 at 06:26
  • @apokryfos Yes, I use the default Laravel broadcast configuration. So, as you said, when I upload the project to a domain with an HTTPS layer, will the received data be securely encrypted or invisible??? – Uncle John Mar 09 '22 at 06:44
  • You still need, of course, to take the relevant security steps to not broadcast to users who have not authenticated, and to make sure users only receive broadcasts they are meant to receive (and users need to make sure they use secure credentials so their accounts are not compromised), but with respect to the transport layer, connections over a secure layer (e.g. `wss` or `https`) are not readable by eavesdropping 3rd parties, so in that sense it is secure – apokryfos Mar 09 '22 at 07:12
  • @apokryfos That was clear. Thank you. And as you saw in my **Channels.php** file attached above, I tried to pass the notification to that one user who **is authenticated** and who is valid to receive data. I pass the user's **uid** as `props` to the **VUE JS** component like this: ``````. So, the **uid** of the currently logged-in user must match the **uid** of the user I send from the Laravel `sendRequest` function. Do you think there is any problem with this type of authentication? – Uncle John Mar 09 '22 at 08:14
  • No that looks good to me – apokryfos Mar 09 '22 at 08:48
