Authorized connections: a new feature in beta on Pusher Channels

Pusher Channels’ new “authorized connection” feature gives you more control over who can connect to your Channels app and more visibility of who is connected. If all your connections use private or presence channels, you do not need to do any integration work, and you can enable authorized connections in your dashboard today. Pusher Channels \[…\]

Introduction

Pusher Channels’ new “authorized connection” feature gives you more control over who can connect to your Channels app and more visibility of who is connected. If all your connections use private or presence channels, you do not need to do any integration work, and you can enable authorized connections in your dashboard today.

Pusher Channels has a two-step subscription procedure: first, a client connects to the service, then the client subscribes to multiple channels over that connection. Today, authorization on Pusher Channels is implemented per-channel: a connection must get permission to subscribe to a private channel. This means that Pusher Channels can allow anyone to open a connection to your Channels app, without compromising the security of your data. This “anonymous connection” scheme works well for public data broadcasts and allows you to start building your app without setting up an authorization endpoint.

To avoid abuse of these anonymous connections, Pusher Channels currently uses per-IP rate limiting and monitoring. However, it can still be difficult to find out who has connected to your Channels app. In the extreme, it is possible for your concurrent connection quota to be accidentally or maliciously consumed.

To combat this, Pusher Channels now supports “authorized connections”, which gives you greater visibility and control over who is connected to your Channels app. Enabling authorized connections makes two changes:

  • Your concurrent connection count is only incremented when the connection makes an authorized subscription, i.e. a subscription . to a private or presence channel.
  • If a connection fails to make an authorized subscription within 30 seconds, Pusher Channels will close the connection with error code 4009, “Connection not authorized within timeout”.

If all of your connections have at least one subscription to a private or presence channel, you can enable authorized connections today with no changes! Check “Enable connection authorization” in your App Settings:

If your app has some connections which only subscribe to public channels, enabling authorized connections will break those connections. In this case, you have a couple of options. One option is to subscribe all connections to user-specific private channels like private-user-jim. Another option is to move public-only connections onto a separate Channels app. (For example, have one Channels app for your unauthenticated homepage, and another for your authenticated dashboard.)

Released in September, this feature is currently in beta. It has been enabled by hundreds of customers and has authorized tens of thousands of connections. Here are the docs – try it out!