React, API keys and intermediary services

Question

I am kind of new to React, so this might be just lack of experience, but I don't seem to find any answer to my question: I have a react app, where I need to subscribe to a push notification channel. Messages are delivered through PubNub, and in order to connect I need to supply a subscribe and a publish key to the message server. Now, I know it is not a good practice to store secrets in a react app, and they should be handled through backend services, but do I really need to create a service just to subscribe to the channel and forward the messages to my frontend app? Is this not an overkill?

The messages I am receiving are just time ticks (I need a trusted source of time), but I still don't want my API keys to leak out...

Is there any reasonably ok way for me to avoid standing up an intermediate service?

Answer 1

It is perfectly normal to have your PubNub publish and subscribe keys in client side code. If it is necessary to restrict who has the power to publish and subscribe (read/write) using those keys, the developer can enable PubNub Access Manager (PAM) in the admin panel. There are PAM guides to get you started on controlling access.

Another point to consider is that your JavaScript PubNub connection can also be used as a trusted source of time. The JS SDK time call will get a 17 place precision unix timestamp from a PubNub node:

const pubnub = new PubNub({
  publishKey: 'your_free_pubnub_publish_key',
  subscribeKey: 'your_free_pubnub_subscribe_key'
});

let pojoDateObject;

pubnub.time().then((timetokenObject) => {
    pojoDateObject = new Date(+String(timetokenObject.timetoken).substring(0,13));
});