
How To Hide Pubnub Keys When Using Js

I opened a ticket in pubnub and also read: https://help.pubnub.com/entries/22251291-Can-I-Hide-my-Application-Keys- But I still can't understand how can I stop the user from seeing

Solution 1:

You can't hide keys that are transmitted to the client and are accessible in JavaScript.

However, what you can do is restrict who can read and write to channels by using an auth_key along with your publish and subscribe keys. PubNub recently released the PubNub Access Manager to enable this. The auth_key will be specific to each user.

  1. The user's auth_key will allow that user to read and write to their own private channel. You will need to set permissions so that nobody else will be able to read or write to this channel.
  2. The user's auth_key will give them permission to read and write to their own public channel. Others can read, but cannot write to this channel.

Details on exactly how to do this should probably be asked in another question. The PAM getting started guide should be the best place to start.

Solution 2:

Hiding Your API Keys with PubNub JS SDK

💡 Check the latest docs using PubNub Access Manager - https://www.pubnub.com/docs/security/access-control

With PubNub Access Manager you no longer need to worry about hiding your publish_key and subscribe_key in your source code in JavaScript or any other language! Typically you would consider that hiding your keys becomes a means to preventing access to streams of data on your PubNub Channels. However this is not necessary and there is a best practices method to use instead: The following is your solution for the new way to manage access and the new way to manage your keys.

PubNub Access Manager Example JS/PHP Grant Revoke SDK

You can issue per-user connection grant() and revoke() access in realtime on the PubNub global Real-Time Network. Various levels of security within the PubNub network using a grant/revoke (whitelist) permission scheme, where the first grant found in the hierarchy grants read/write access. Permissions are evaluated for both publish and subscribe based on this hierarchy. Our pam.php PubNub Access Manager PHP Class is finally ready to go! You can get started by seeing the example usage code below with full code coverage of the SDK. You can find all source code via the GitHub Gist Link:

PubNub Access Manager (PAM) PHP Full Library for Granting and Revoking Access


Include PAM and Initialize class access

require('pam.php');

$manager = new access(
    "pub-c-e132b7b4-0c2c-4d36-a828-1de1ea50d167",
    "sub-c-f95db694-6ff9-11e3-9291-02ee2ddab7fe",
    "sec-c-OWFkNWQ1NDctN2JiNy00NzJmLTk3Y2ItN2ExODZlYzkyNzY0"
);

Grant User Access

Grant access to user with authkey of gZW5jb2RlZCBmaWx with read and write access for 5 minute ttl. You can make the authkey anything you want!

print_r($manager->grant(
    "my_channel",        // CHANNEL
    "gZW5jb2RlZCBmaWx",  // STRING (AUTH KEY)
    true,                // READ
    true,                // WRITE
    5                    // TTL in MINUTES
));

Grant User Presence Access

Also grant access to the presence channel (required for PubNub Dev Console).

print_r($manager->grant(
    "my_channel-pnpres", // CHANNEL
    "gZW5jb2RlZCBmaWx",  // STRING (AUTH KEY)
    true,                // READ
    true,                // WRITE
    5                    // TTL in MINUTES
));

Grant GLOBAL Access (to all users)

Exclude the authkey and you can global grant access to all.

print_r($manager->grant_global(
    "my_channel", // CHANNEL
    true,         // READ
    true,         // WRITE
    5             // TTL in MINUTES
));

Forever Grant Access

You can grant access forever by setting the ttl param to 0.

print_r($manager->grant_global(
    "my_channel", // CHANNEL
    true,         // READ
    true,         // WRITE
    0             // FOREVER GRANT!!!
));

Revoke User Access

Instantly revoke access to a user.

print_r($manager->revoke(
    "some-other-channel", // CHANNEL
    "gZW5jb2RlZCBmaWx"    // STRING (AUTH KEY)
));

Revoke Global Access

You can also revoke Global Access by excluding the authkey param.

print_r($manager->revoke(
    "some-other-channel" // CHANNEL
));

PAM (PubNub Access Manager) PHP Class SDK pam.php

The full file can be found here: PubNub Access Manager (PAM) PHP Full Library for Granting and Revoking Access

<?php
class access {
    function __construct($pubkey, $subkey, $seckey) {
        $this->publish_key   = $pubkey;
        $this->subscribe_key = $subkey;
        $this->secret_key    = $seckey;
    }

    function grant_global($channel, $read=True, $write=True, $ttl=5) {
        /**  Grant GLOBAL Access on a Channel. **/
        return $this->_auth(array(
            "channel" => $channel,
            "r"       => $read  ? 1 : 0,
            "w"       => $write ? 1 : 0,
            "ttl"     => $ttl
        ));
    }

    function grant($channel, $authkey=False, $read=True, $write=True, $ttl=5) {
        /**  Grant Access on a Channel. **/
        return $this->_auth(array(
            "channel" => $channel,
            "auth"    => $authkey,
            "r"       => $read  ? 1 : 0,
            "w"       => $write ? 1 : 0,
            "ttl"     => $ttl
        ));
    }

    function revoke($channel, $authkey=False, $read=False, $write=False, $ttl=1) {
        /**  Revoke Access on a Channel.**/
        return $this->_auth(array(
            "channel" => $channel,
            "auth"    => $authkey,
            "r"       => $read  ? 1 : 0,
            "w"       => $write ? 1 : 0,
            "ttl"     => $ttl
        ));
    }

    function _sign($message) {
        /** Calculate a signature by secret key and message. **/
        return strtr( base64_encode(hash_hmac(
            'sha256',
            utf8_encode($message),
            utf8_encode($this->secret_key),
            true
        )), '+/', '-_' );
    }

    function _auth($query) {
        /** Issue an authenticated request.**/
        if (!array_key_exists( 'timestamp', $query )) {
            $query['timestamp'] = time();
        }

        ## Global Grant?
        if ((array_key_exists('auth',$query)) && !$query['auth']) {
            unset($query['auth']);
        }

        ## Construct String to Sign
        $params      = array();
        $sorted_keys = array_keys($query);
        sort($sorted_keys);

        foreach ($sorted_keys as $key) array_push(
            $params,
            $key . "=" . $query[$key]
        );

        $string_to_sign =
            $this->subscribe_key . "\n" .
            $this->publish_key   . "\n" .
            "grant"              . "\n" .
            implode( "&", $params );

        $signature = $this->_sign($string_to_sign);
        $url       = (
            "https://pubsub.pubnub.com/v1/auth/grant/sub-key/" .
            $this->subscribe_key . "?" .
            implode( "&", $params ) .
            "&signature=" . $signature
        );

        $workspace_curl = curl_init();
        curl_setopt( $workspace_curl, CURLOPT_RETURNTRANSFER, 1 );
        curl_setopt( $workspace_curl, CURLOPT_URL, $url );
        $result = curl_exec($workspace_curl);
        return $workspace_details = json_decode( $result, true );
    }
}

?>

pam.php: PubNub Access Manager (PAM) PHP Full Library for Granting and Revoking Access

PubNub Dev Console Test Link:

WARNING: PubNub Dev Console Requires Grant on Presence Channel too! You can set the presence access by granting on the suffix of -pnpres channel name.

http://www.pubnub.com/console/?channel=my_channel&sub=sub-c-f95db694-6ff9-11e3-9291-02ee2ddab7fe&pub=pub-c-e132b7b4-0c2c-4d36-a828-1de1ea50d167&sec=sec-c-OWFkNWQ1NDctN2JiNy00NzJmLTk3Y2ItN2ExODZlYzkyNzY0
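The per-user channel scheme from Solution 1, signed the same way pam.php in Solution 2 signs its requests, as an added Node.js example that is not part of either answer or of PubNub's SDK. The `private-`/`public-` channel names, the `provisionUser` helper and the placeholder keys are assumptions; the grant URLs are only built, not sent, and the secret key never leaves the server.

```javascript
// Added example (not from either answer). Runs server-side under Node.js;
// only the returned authKey is ever handed to the browser.
const crypto = require("crypto");

// Same rule as pam.php's _sign(): HMAC-SHA256, base64, then '+/' -> '-_'.
function sign(secretKey, message) {
  return crypto.createHmac("sha256", secretKey).update(message, "utf8")
    .digest("base64").replace(/\+/g, "-").replace(/\//g, "_");
}

// Build one signed grant URL the way pam.php's _auth() does.
function grantUrl(keys, query, timestamp) {
  const q = { ...query, timestamp };
  if (!q.auth) delete q.auth; // no auth key means a global grant
  const params = Object.keys(q).sort().map((k) => `${k}=${q[k]}`).join("&");
  const toSign = [keys.subscribeKey, keys.publishKey, "grant", params].join("\n");
  return `https://pubsub.pubnub.com/v1/auth/grant/sub-key/${keys.subscribeKey}` +
    `?${params}&signature=${sign(keys.secretKey, toSign)}`;
}

// Grants for one user: a private channel (owner only) and a public channel
// (owner read/write, everyone else read-only through a global grant).
function provisionUser(keys, userId, ttlMinutes, now = Math.floor(Date.now() / 1000)) {
  // Values go into the query string unencoded (as in pam.php), so reject
  // anything that could add or alter parameters.
  if (!/^[A-Za-z0-9_-]+$/.test(userId)) throw new Error("unsafe user id");
  const authKey = crypto.randomBytes(16).toString("hex"); // unguessable, per user
  const priv = `private-${userId}`; // assumed naming convention
  const pub = `public-${userId}`;   // assumed naming convention
  const grants = [
    { channel: priv, auth: authKey, r: 1, w: 1, ttl: ttlMinutes },
    { channel: pub, auth: authKey, r: 1, w: 1, ttl: ttlMinutes },
    { channel: pub, r: 1, w: 0, ttl: ttlMinutes }, // global grant: read-only
  ];
  return { authKey, urls: grants.map((g) => grantUrl(keys, g, now)) };
}

// Constructed placeholder keys, not real PubNub credentials.
const EXAMPLE_KEYS = {
  publishKey: "pub-c-EXAMPLE",
  subscribeKey: "sub-c-EXAMPLE",
  secretKey: "sec-c-EXAMPLE",
};
```

The private channel stays owner-only as long as no global grant is ever issued for it; the server would send the three URLs to PubNub and return only `authKey` to the logged-in user.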
