Authorized Connections is out of beta: more protection against bugs, free-loaders, and denial-of-service attempts

Introduction

Our Authorized Connections feature gives you more protection against bugs, free-loaders, and denial-of-service attempts, by giving you more control over who can connect to your Pusher Channels app. Initially released in September 2018, this feature is now out of beta! If all your connections use private or presence channels, you can enable Authorized Connections today without making any changes to your code, by checking a checkbox in your dashboard.

What problem does Authorized Connections solve?

By default, connections to your Pusher Channels app are anonymous. Anonymous connections work well for many kinds of applications which do not have authenticated users, such as publicly accessible websites; and this allows you to quickly start building your app without setting up any auth.

Pusher Channels protects you against bugs and denial-of-service attempts by using per-IP rate limiting and monitoring. However, it can still be difficult to find out who has connected to your Pusher Channels app, and in the extreme, it is possible for your concurrent connection quota to be accidentally or maliciously consumed. This is where Authorized Connections can help.

The following example shows an application which would benefit from Authorized Connections. Imagine you have a Pusher Channels app called taxi-tracker. This has seven connections from five clients — but only the first three clients are ones you know about! Client 4 could be a free-loader consuming your updates channel. Client 5 could have a bug which has opened multiple connections, or it could even be a denial-of-service attempt.

The new Authorized Connections feature lets you tell Pusher Channels that clients 1, 2 and 3 are authorized to connect, but that clients 4 and 5 are not authorized. Pusher Channels will disconnect clients 4 and 5 as unauthorized, and not count them towards your concurrent connection quota.

How does Authorized Connections help?

To combat these problems, Pusher Channels now supports Authorized Connections, which gives you greater control over who is connected to your Pusher Channels app. Authorized Connections works on top of Pusher Channels’ existing channel authorization mechanism. Pusher Channels has a two-step subscription procedure: first, a client connects to the service; then, over that connection, the client subscribes to one or more channels. Today, authorization on Pusher Channels is implemented per-channel: a connection must get permission to subscribe to a “private” channel or a “presence” channel. When you enable Authorized Connections, this makes two changes:

  • A connection which does not subscribe to at least one private or presence channel is treated as unauthorized and disconnected.
  • Unauthorized connections are not counted towards your concurrent connection quota.

Using our taxi-tracker example, enabling Authorized Connections causes all connections from clients 4 and 5 to be disconnected, because they failed to subscribe to a private or presence channel. This reduces your concurrent connection count to three: the three clients you have authorized by allowing them to subscribe to private-user-123 or presence-room-24.

How do I enable Authorized Connections?

If all of your connections have at least one subscription to a private or presence channel, you can enable Authorized Connections today with no changes! Check “Enable authorized connections” in your App Settings:

If your app has some connections which only subscribe to public channels, enabling Authorized Connections will break those connections. For example, if you have a publicly accessible homepage, with users accessing only a public channel called updates, these connections will be broken by turning on Authorized Connections. In this case, you have a couple of options:

  • One option is to move the public-only connections onto a separate Pusher Channels app. (For example, have one Pusher Channels app for your unauthenticated homepage, and another for your authenticated dashboard.)
  • Another option is to subscribe all connections to user-specific private channels like private-user-123.

If you are building an application with authenticated users, such as a dashboard, our Authorized Connections feature provides you with greater protection. Here are the docs for Authorized Connections. Try it out!