I want to develop real time chat with channels and these are my needs:
PHP backend to manage site
Redis as session and data primary storage
Pub/Sub to send messages only to channel's interested users
one WebSocket connection with which the messages will be send and received.
(optional) NodeJS to use great npm packages like timesync or socket.io
I see two different architectures to achieve this:
with Socket.io
with Crossbar.io
These are my questions:
Which architecture I should choose and why?
The key is the user id cannot be obtained from client, because it can be malformed. So in the first architecture I think on every socket message I should attach PHPSESSID value from cookie and on sever-side retrieve PHP session from Redis. Am I right or there is better way to get user id?
I wonder if getting user id in second architecture can be done differently?
Edit:
I choosed Crossbar.io, cause it is very powerful and allows to communicate many different language applications in real time. After studying examples, I come up with this:
On every login user have generated secret key in database.
PHP client (Thruway) connect to Crossbar server and register custom WAMP-CRA authenticator
User's browser connect to Crossbar server and is challenged. Secret and auth_id (user id) are loaded from DB with page load, so it
can accomplish challenge and send response.
PHP authenticator search in DB for user with provided secret and id equal to auth_id. If there is, then it successfully authenticate
session. Now we can trust that auth_id is real user id.
These are my question:
How I can get auth_id on subscribe?
I also added cookie authentication and browser is remembered after authentication. But when I look in Chrome DevTools there is any cookie nor value in local storage. Even after clearing cache my browser is still remember by Crossbar. I wonder how it is possible?
Edit2:
Maybe I was misunderstood, but the main question was choosing appropriate architecture and getting trusted user id. There was no attention so I awarded bounty and after that I was downvoted. I read a lot about real-time apps and finally decided to use Crossbar.io, so I edited question to be related to it. Then people started upvoting, proposing another architectures, but not really answering my questions. After all I managed to do it myself and presented my answer.
About getting user id:
Every real-time chat examples which I saw, was getting id from client. It is unsafe, because client easily can manipulate it, so I needed to find another method. After reading WAMP specs I finally figured out that I have to authenticate user not only in app, but also in Crossbar.io. I choosed the dynamic WAMP-CRA method and implemented as following:
PHP app connect to Crossbar server and register custom authenticator (similar to example)
After user login in app there is generated secret key for him and saved in database. After logout, key is destroyed.
Workflow:
Every loaded page contain user id and secret key loaded from db:
<script>
auth_id = '<?php echo $user->id ?>';
secret_key = '<?php echo $user->secret_key ?>';
</script>
User browser connect to Crossbar.io server and get response with challenge from custom authenticator.
It calculate signature using key and send along with auth_id to Crossbar.io server
Authenticator gets from DB secret for provided auth_id and calculate signature. Then signatures are compared and if they are equal then authentication is successfull.
Now auth_id contain user id and we can trust its value. Now you can refer section 'How I can get auth_id on subscribe?'.
Answers:
How I can get auth_id on subscribe?
By default publishers and subscribers does not have any knowledge about each other, but documentation show there is option to change it by configuring disclosure of caller identity. Then you can get auth_id from callback details:
PHP:
$onEvent = function ($args, $argsKw, $details, $publicationId) use ($session) {
$auth_id = $details->publisher_authid;
...
}
$session->register('com.example.event', $onEvent);
JS:
function on_event(args, kwargs, details) {
auth_id = details['publisher_authid'];
...
}
session.subscribe('com.example.event', on_event);
I also added cookie authentication and browser is remembered after authentication. But when I look in Chrome DevTools there is any cookie nor value in local storage. Even after clearing cache my browser is still remember by Crossbar. I wonder how it is possible?
First of all, clearing cache and hard reload does not remove cookies. When I was asking this question there was any cookie presented, but today I can see cbtid:
There was Chrome update two days ago, so maybe this was caused by bug in previous version.
I deeply light Streamer which is used by NASA to forward truck loads of data per second.The most reliable server for real-time messaging.
Power web, mobile, tablet, desktop, and IoT apps.
Optimized data streaming for web and mobile.
Lightstreamer enables several forms of real-time messaging. It is flexible enough to be used in any scenario, including mission critical applications.
► Real-time Data Push and Web Sockets
► In-App Messaging and Push Notifications
► Pub-sub with fan-out broadcasting and one-to-one messaging
► Firewall and proxy friendly
► Adaptive bandwidth throttling
As for your first question to get the auth_id on subscription , just monitor connection subscriptions then store tier upon successful connection.
Also cookies are not recommended , use jwt.JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.Authentication is one of the big parts of every application. Security is always something that is changing and evolving.JWT helps you solve that concern.Since it is stateless.
PHP Ratchet is one of the best implementations I've used for real-time communications via WebSockets. Its based on ZMQ Sockets which is used in several online gaming applications and chat applications.
The following examples will get you started pretty quick and will answer your questions around auth_id and subscriptions:
http://socketo.me/docs/hello-world
http://socketo.me/docs/push
Overview of the Architecture:
http://socketo.me/docs/push#networkarchitecture
I would advice creating individual connections(toppics) per conversation as it doesn't really take a hit on performance and will add an additional layer of security per chat.
Related
I am looking to display the current song I am listening to on Spotify. There is an endpoint to obtain this here (Spotify Web API Player) which requires authentication through the Spotify web API.
If I have obtained a Client ID and Client Secret from my app settings, which authentication type is suited to my needs?
I've looked here (Spotify Authorization Flows) but from my understanding and confusion, I believe this cannot be done as the request for authentication would be to authenticate the user against my app and display their current song and not mine.
Fundamentally, I'm looking for a way to display my current song without the end user having to request access to my app but instead, the app uses my details.
Thanks in advance.
Arielle from Spotify here.
The Authorization Code Flow is what you're looking for, but you are correct that in a standard implementation users would see their own data (which makes sense - you usually don't want users seeing other users' data)
However, you can set it up such that you're the only one who authenticates and only your data is shown. I actually made an app to show my currently playing track a little while back. Check it out on Glitch here: https://glitch.com/edit/#!/ari-currently-playing
You can simply start editing the project to "remix" it and make your own version!
Hope this helps, let me know if you run into any issues!
I have a client that wants to take orders via an online form, with the idea being that an order can be submitted and stored in a database via my application while simultaneously generating an invoice on submission in QuickBooks.
How do I do this in PHP when the person entering in the order is not the client but a client of the client? It seems like Quickbooks uses Oauth tokens and a javascript library to generate them to connect a company to an app, but I'm simply writing a backend for one company and want that backend to create invoices when saving an order. How do I think about this?
I'm not interested in anyone having to hit a button that says "connect to quickbooks" especially not the person filling the order because again, that person is a customer and doesn't need to know about the internals of the customer's invoicing system.
I just really want to use the Accounting API to generate invoices. Is there no way to simply link my backend to my one company directly in the Quickbooks SDK configuration and achieve this, or do they need to use a javascript library to get tokens. I'm unclear about what direction I should be going in and don't want to waste time with a client-side library if I don't need it to do backend logic.
Here's some example code that does exactly what you're looking for:
https://github.com/consolibyte/quickbooks-php
Along with a quick-start guide:
http://www.consolibyte.com/docs/index.php/PHP_DevKit_for_QuickBooks_-_Intuit_Partner_Platform_Quick-Start
Also see notes about your comments below -- you're on the right track, you're just misunderstanding how OAuth works:
It seems like Quickbooks uses Oauth tokens and a javascript library to generate them to connect a company to an app, but I'm simply writing a backend for one company and want that backend to create invoices when saving an order.
Correct, Intuit uses OAuth, and a little Javascript thing to kick off the OAuth process.
I'm not interested in anyone having to hit a button that says "connect to quickbooks"
Someone needs to hit this button... BUT only ONE PERSON needs to hit the button ONCE, EVER, and then NEVER again.
The owner of the company (e.g. your boss) needs to click the button ONCE, which gives the OAuth creds (and the realm ID) to you. Once your boss has done this ONCE, then you have the creds to use forever, for all of the actual customers.
Your customers (e.g. the people actually checking out/placing orders) DO NOT click any buttons, nor do they see or have any idea at all that you're even using QuickBooks.
just really want to use the Accounting API to generate invoices.
Cool, you can totally do that!
Is there no way to simply link my backend to my one company directly in > the Quickbooks SDK configuration and achieve this, or do they need to use a javascript library to get tokens.
Follow the quick-start above. It should take you about 15 minutes to get a working OAuth connection, and then you never need to use the client-side stuff ever again.
You only need to authenticate every 180 days btw.
If you use the reconnect script, you only need to authenticate ONCE, and can automatically renew the tokens every 180 days, no user-interaction required.
https://github.com/consolibyte/quickbooks-php/blob/master/docs/partner_platform/example_app_ipp_v3/reconnect.php
Well with the realm_id for example, I don't understand how that relates to ouath.
The realm ID is just a unique identifier for the particular QuickBooks Online company you're trying to connect to. Yes, you need to store it. If you use our libs, this is done for you automatically.
I guess I don't understand if I'm developing for one client why can't I just get their realm_id from them and then keep using it rather than making them do some form of authentication?
Again, they only have to authenticate ONCE. That's Intuit's way of giving you the realm ID and credentials you need to connect. Once you've done it ONCE, you never need to do it again. It takes all of about 30 seconds.
If they were to just give you OAuth creds without any authentication, it would be a gigantic security hole. If you read the Wikipedia article on OAuth it talks in depth about this, and the goals of OAuth.
Okay I think I get it, so they have to authenticate once every 180 days?
Once every 180 days, UNLESS you use a reconnect script, in which case they just authenticate once and then never ever have to worry about it again.
So I can store the token and the realm_id in a database before it expires and just use that?
Yes.
In this way my client can authenticate and then my scripts can generate invoices for them when their customers visit our website?
Yes!
I'm making a website which is going to have different chatrooms. Any user can create a chatroom at any time, and another user may join a chatroom when it is available. Max two users can chat in a single chatroom at the same time, but multiple chatrooms can exist.
I'm using AngularJS and PHP, with the PubNub API for the chat functionality. The created chatroom will be stored in a MySQL database, with the following fields:
User1: the user who created the chatroom. It may change or be null if it leaves.
User2: it will be null at first place and will store the user's name of the person who joins the chatroom.
Closed: when both users are offline, it will be true (1), then nobody can join anymore.
I have to update the columns "user1" or "user2" when any of the users leaves the chatroom. Then, check if both users are offline and then update the closed value.
I know that I can save the user's last connection by calling a PHP function via AJAX every 60 seconds, for example. Even I could check if the other user is still online by checking his last connection in the same function, but who is going to call the function to check if the last user left?
I wonder if I have to do that verification every time either any users request the available chatlists or I have to resolve it with another approach.
I guess that I can set a timeout function in PHP each time a user joins/creates a chatroom. That function is going to update the user column to null and update the closed value if both are null. When the user is in the chatroom, each 60 seconds another function will be called to postpone the first one. But I don't know if it is possible, and if it is possible using shared hosting.
I hope you can help me and thank you very much for your attention.
PubNub Presence: Realtime vs Polling
The answer is - do not poll for presence, instead, have your server listen for changes in channel presence using PubNub Presence Web Hooks. Please read this article thoroughly as it details all the aspects of PubNub's Presence Web Hooks and then review the official documentation for PubNub Presence Web Hooks. The sample code for implementing the REST endpoint on your server to receive the web hooks is Node but you can use that code to implement that in PHP if required but if you can use Node for this purpose, it might be a better choice (and you could still use PHP for everything else).
I know your server has a chat room creation process that inserts new chat room record in your database so you don't need to know when the channel becomes active, but when user1 subscribes to the chat room channel, PubNub will send a channel active event via a web hook to your server, if you need to know when that happens.
When user2 subscribes to user1's chat room channel, PubNub will send a join event to your server via web hook and your server can use that event to update your database with user2's information.
Simultaneously, user1 and user2 will subscribe to the chat room channel and monitor presence (rather than poll with hereNow) and receive the join events, as well. When either user leaves the chat room (unsubscribes from the channel) PubNub will send a leave event via web hook to your server and directly to the user that is still subscribed.
Once the last user leaves the chat room, PubNub will send a channel inactive event to your server and your server can invoke its chat room closed process to update your database as required.
This is a fairly high level design and there are some other details to consider but the message here is do not poll PubNub for presence information. Only use hereNow to get the current state of presence of a channel and listen for further presence events from that point forward either via web hooks to your server or via presence/subscribe to your clients apps. In implementation, you actually subscribe with presence (listen for presence events) and then call hereNow.
For a more detailed discussion of your requirements as it pertains to PubNub, I would recommend contacting PubNub Support to put you in touch with a Customer Success Manager and Solution Architect.
I have a website running on shared server with apache/mysql/php. Each of the pages of the site belongs to one registered user and this user,once logged in can edit the page. Other users that are not owners of the page can only look at these pages but cannot do anything else.
Now I'm planning to add chat functionality to my application. The basic idea is that if owner of the page opens it in a browser, and is logged in, he will be shown for other users (that will be anonymous) as "available for chat". Other users visiting the page will be able to send him messages and vice versa. Anonymous users do not need to communicate with each other and they can communicate only with registered user (owner of the page). So basic structure would be like that:
anonymous user(s) visits the page. Registered owner of the page is not looking at the same page and chat is not available.
Registered owner logs in and opens his page in a browser. All registered users in real time are informed owner is available for chat now.
Anonymous users can send him messages.
Registered user receives the messages and can respond back to each user
Other users can join and chat with registered user any time. It all happens in real time and registered user can see who comes in to visit his page and goes away.
Now, in step 3 and 4 I need to know if the registered user is still logged in. If so then the messages can be passed further to intended user. If not then instead I need to send a message that the owner (registered user) is no longer available for chat.
I'm looking for advice on how to best implement it:
using old school php and ajax calls. So every user would send ajax request every second or so to server and server would keep track of each conversation somehow. Relatively easy to implement I think. I'm not expecting large number of users but I can imagine this would be heavy on the server.
using node.js.
Now my questions:
What could be possible problem with solution 1 above. Would that be too heavy on a server constantly throwing ajax requests at it? would would be reasonable number of users I could accept?
Using node js on my shared hosting.. assuming its possible to install it and run it on separate port, how would I best go about checking if registered user is still logged in or not? Any ideas would be much appreciated as am out of ideas here.
You're right that the PHP/Ajax calls can cause quite a bit of server load, especially if your Apache/PHP stack needs a lot of memory to bootstrap. Many chat modules in PHP systems, e.g. Drupal, actually offload this responsibility onto a specialized node.js server (the second approach you mentioned) to facilitate scaling.
Another approach you may consider is to use a real-time network such as PubNub to facilitate this user-to-user data transfer. PubNub has a toolkit called Presence which can help with telling who is subscribed or unsubscribed to each channel.
To fit this to your requirements, I imagine that each user will register with the page they are viewing upon landing on it, by issuing this call in your JavaScript:
<script src="https://cdn.pubnub.com/pubnub.min.js"></script>
<script>
var pubnub = PUBNUB({
uuid : '12345-page35' //You can define this for each user
})
pubnub.subscribe({
channel : 'site-wide-chat,page35', //Subscribe to two channels!
message : receive_chat, //Callback function
presence : user_joined //Callback function
})
</script>
When the "owner" logs in the other users viewing the page are notified. You can accomplish that like this:
function user_joined(event) {
if (event.uuid.match(/page35/)) { //You can set your own test here
// .... admin available for chat
}
}
Presence also has a bunch of nifty features such as the ability to get all users subscribed to the current channel:
pubnub.here_now({
channel : 'page35',
callback : function(m){console.log(m)}
});
I hope this helps you build your minimum viable product. Since everything is implemented at the programming language level, you should have a lot of flexibility crafting a customizable chat solution without adding additional complexity or overhead on your server.
I have a web-application for which I'm building a Drupal module that allows my customers to access certain data on my application.
I intend to distribute secret API-keys to my customers who need to enter that value in their copy of the Drupal module. This Drupal module then talks to my web-application, but I need to make sure that the POST requests are indeed coming from that source.
How can this 'secret key' be used to pass some information that when my application receives it, it knows:
(a) its from that client's server.
(b) it hasnt been eavesdropped on / copied and used by someone else?
Should I be using this API-key as a password to encrypt some data that matches the rest of the POST request? When receiving it, I decrypt it using my copy of their API-key and it if matches the rest of the data, I consider it validated?
Is there a frame-work that does this for me? Something within Zend?
Use HTTPS and just send the API key in the request. It's that simple.
If you use HTTP then you are going to reinvent the wheel.
Update:
Here is an update after reading the comments, because in the question you didn't explain that you want to give the API keys to visitors of the website (in which case you would be screwed no matter what you do).
The comment by juanpaco explains what to do (and what I originally assumed that you're doing anyway) but I'll try to explained it in a little bit more detail.
The most important thing is that you don't use the API key in the web form. The API key is only used in the communication between your customers servers and your API server.
Here is a simplified explanation:
You give your customer a key and some software/module/library to install on his server.
When a visitor visits your customer's website he sees some HTML generated by your module that does not include any API key and can communicate only with your customer's server (with HTTPS if there is any sensitive information or user accounts involved at all).
Your module on the customer's server gets the request from the visitor.
Your module connects to your server using the API key (with HTTPS).
Your API server responds to the customer's server.
The customer's server responds to the visitor.
Your API key is never sent in the cleartext and never given to website visitor.
This is the only reasonable way to use API keys and after I first read your questions I assumed that you are concerned about the safety of sending your API keys between your servers and the servers of your customers.
If your customers were to give their keys to every visitor of their websites then those visitors would always be able to know them, no matter how hard you would try to make it. Giving visitors API keys and making them possible to use but impossible to read would be impossible. Not hard - impossible. No matter what protocols, encryption or anything you use.
(Thanks to juanpaco for bringing this old answer to my attention.)
Collect and store every client incoming url(e.g. www.authorisedclienturl.com) as part of the parameters you would store on your server before generating an API key to be shared with the client.
The client will use HTTPS to send the API key in the request boby from their registred authorised client urls only.
Use the API key to decript the client information on your server and retrieve the registered client url, verify that the incoming request url is present in the registered urls, then accept and proceed with other processes.