I don't understand how do the private channels in Laravel work.
When I listen to a private channel:
window.Echo.private('activity')
.listen('ActivityCreated', (e) => {
console.log("Activity Created", e);
}
);
Laravel makes a request on /broadcasting/auth/ to verify my backend allows my frontend to listen to this socket. The exchanged information is some encrypted information.
What I don't understand is that anybody can subscribe to any channel:
./pusher channels apps --app-id=12345678 --channel=private-activity subscribe
Successfully subscribed to channel 'private-activity'.
Event: channel=private-activity event=App\Events\ActivityCreated message=[]
What am I missing?
Laravel Echo isn't more than a wrapper to the Pusher Library UTSL. Behind the scenes, you have the Pusher app well documented here
Pusher will only allow connections to private Channels after the request being signed from your server
routes/channels.php. Once your backend has allowed the client to access the channel it just JWT the authorization back to the client which then forwards it as the access key to Pusher through the WSS.Even if your transmission is compromised you should not be vulnerable to a MITM attack because.