I recently looked in my pusher error logs and noticed:

Invalid signature: Expected HMAC SHA256 hex digest of 217478.6054950:private-production1_xxxxx_1232:{"user_id":xxxx}, but got 707d39519ca7f971a134524d8fe2ebafbddd64f42b6af0a20d6a73fxxxxxxx

In general our websockets have been working fine. We have many clients working completely fine and sockets in general seem to be working without issue. This is the first time I've noticed this error and I check the error logs fairly frequently. Is this something I should be concerned about? I can confirm that private channels are working properly in general.

On the frontend the code is as follows:

```swift
// Use a custom request builder so the auth request carries the bearer token
let options = PusherClientOptions(
  authMethod: AuthMethod.authRequestBuilder(authRequestBuilder: AuthRequestBuilder())
)
pusher = Pusher(key: pusherKey!, options: options)

class AuthRequestBuilder: AuthRequestBuilderProtocol {
  func requestFor(socketID: String, channel: PusherChannel) -> NSMutableURLRequest? {
    let request = NSMutableURLRequest(url: URL(string: "https://\(baseURLPrefix).xxxxxx.com/xxxxx/xxxxx")!)
    request.httpMethod = "POST"
    // The backend signs exactly these two values (plus channel data, if any)
    request.httpBody = "socket_id=\(socketID)&channel_name=\(channel.name)".data(using: String.Encoding.utf8)
    request.addValue(
      "Bearer " + authToken, forHTTPHeaderField: "Authorization"
    )
    return request
  }
}
```

On the backend (Laravel application):

```php
// Controller

public function presence_auth(Request $request)
{
    $pusher = new Pusher(
        config('broadcasting.connections.pusher.key'),
        config('broadcasting.connections.pusher.secret'),
        config('broadcasting.connections.pusher.app_id')
    );

    // Signs socket_id, channel_name and the user id as channel data
    return $pusher->presence_auth($request->input('channel_name'), $request->input('socket_id'), AuthUser()->id);
}
```

Would this error occur if they had passed up a bad Bearer token to our backend?

Alex Harris

1 Answer

You're using $pusher->presence_auth to create a signature for a private channel, i.e. a channel prefixed with private-. But presence_auth is intended to authenticate presence channels, i.e. channels prefixed with presence-.

If you wish to use presence data, you can use a presence- channel prefix. If you wish to use a private- channel without presence information, you can just use:

```php
$pusher->socket_auth($request->input('channel_name'), $request->input('socket_id'))
```

jameshfisher
  • @chasenyc that app should be configured with an auth endpoint URL (see [`AuthMethod.endpoint` in config docs](https://github.com/pusher/pusher-websocket-swift#configuration)). I would guess that the server at that URL is generating invalid auth signatures. What library is it using? – jameshfisher May 20 '17 at 15:08
  • @chasenyc the backend. If you're using `AuthMethod.endpoint` (which you probably should be, if this is a production app), the invalid signature is probably being produced by your backend at the auth URL. Are you using `AuthMethod.endpoint`? – jameshfisher May 20 '17 at 15:12
  • It is used for both private and presence, I've looked into the presence auth source code and it works fine for private. Due to some limitations in pusherswift when reconnecting we've made the conscious decision to use `presence_auth` always. I still am not sure your answer explains the cause of a once off error. – Alex Harris May 20 '17 at 15:52
  • @chasenyc sorry, I didn't realize it was a once-off error. If you have a reproducible example (e.g. your quoted log line without redacting anything, plus your Pusher app credentials), you could contact Pusher support. It's difficult to debug this in the open without revealing sensitive details. – jameshfisher May 22 '17 at 09:49
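
The log line in the question names the string that gets signed: `socket_id:channel_name`, followed by `:channel_data` when channel data is present. As an added example (not part of the original question or answers, and not pusher-http-php's own code), the PHP below rebuilds that string and shows which mismatches make the HMAC check fail. The key, secret, socket ids and channel name are constructed placeholders, and `stringToSign()`, `sign()` and `verify()` are hypothetical helpers; `verify()` only stands in for the check done on the receiving side.

```php
<?php
// Added example. Key, secret, socket ids and channel are constructed placeholders.

// Without channel data: "<socket_id>:<channel_name>"
// With channel data:    "<socket_id>:<channel_name>:<channel_data JSON>"
// Only these fields are part of the signed string.
function stringToSign(string $socketId, string $channel, ?string $channelData = null): string
{
    $base = $socketId . ':' . $channel;
    return $channelData === null ? $base : $base . ':' . $channelData;
}

function sign(string $secret, string $socketId, string $channel, ?string $channelData = null): string
{
    return hash_hmac('sha256', stringToSign($socketId, $channel, $channelData), $secret);
}

// Hypothetical stand-in for the receiving side's check; $auth is "<app_key>:<hex digest>".
function verify(string $secret, string $auth, string $socketId, string $channel, ?string $channelData = null): bool
{
    $parts = explode(':', $auth, 2);
    if (count($parts) !== 2) {
        return false;
    }
    // hash_equals() compares in constant time.
    return hash_equals(sign($secret, $socketId, $channel, $channelData), $parts[1]);
}

$key = 'constructed-app-key';
$secret = 'constructed-app-secret';
$socketId = '1234.5678';
$channel = 'private-example_1';
$channelData = json_encode(['user_id' => 42]); // JSON string sent alongside the auth value

$plain = $key . ':' . sign($secret, $socketId, $channel);
$withData = $key . ':' . sign($secret, $socketId, $channel, $channelData);

$cases = [
    'signed and checked without channel_data' => verify($secret, $plain, $socketId, $channel),
    'signed and checked with same channel_data' => verify($secret, $withData, $socketId, $channel, $channelData),
    'channel_data signed but not supplied to check' => verify($secret, $withData, $socketId, $channel),
    'channel_data bytes differ (string vs int id)' => verify($secret, $withData, $socketId, $channel, '{"user_id":"42"}'),
    'different socket_id than the one signed' => verify($secret, $withData, '9999.0001', $channel, $channelData),
    'different app secret' => verify('other-constructed-secret', $withData, $socketId, $channel, $channelData),
];

foreach ($cases as $label => $ok) {
    printf("%-48s %s\n", $label, $ok ? 'valid' : 'INVALID');
}
```

Only the first two cases verify. When comparing a failing request against the log line, check that the socket id, channel name and channel data bytes match what the backend signed, and that the backend used the secret of the same app.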