Pubnub-CodeNameOne library - missing methods (Access Manager)

1
votes

I am using the Pubnub library (Pubnub-CodeNameOne-3.7.8.cn1lib) in my social app project (which includes a real-time chat that I implemented with your great tutorial: https://www.codenameone.com/blog/building-a-chat-app-with-codename-one-part-5.html).

But since Apple will no longer accept http URL connections from applications, I had to reinforce the security of my app, and so I decided to use HTTPS and activate the Access Manager feature in Pubnub dashboard (I followed the Pubnub tutorial https://www.pubnub.com/docs/codenameone-java/pam-security#understanding_access_manager_permissions_hierarchy).

So I changed the instantiation of Pubnub in my CN1 project like :

pb = new Pubnub(PUBNUB_PUB_KEY, PUBNUB_SUB_KEY, SECRET_KEY, true);//enable SSL
pb.setAuthKey(USER_UIID);

Unfortunately I still get an error when I subscribe/publish through Pubnub:

[Error 112-0] : Authentication Failure. Incorrect Authentication Key : {"message":"Forbidden","payload":{"channels":["myChannelID"]},"error":true,"service":"Access Manager","status":403}

Therefore, I would like to perform administrative PAM functions, such as granting or revoking, in order to solve the above error message problem. But I don’t find the pubnub.pamGrant(), or pubnub.pamRevoke() methods which are mentioned in the Pubnub tutorial. So I am still stuck on this error.

Have you an idea about how I can resolve this? Thank you very much for your help.

1
sslhttpscodenameonepubnub
That seems to be an issue in the pubnub library, I don't think we can help from our side - Shai Almog
I transformed by comment (that I deleted) into a formal answer below. Please review and accept if it works or comment with more questions where you need further clarifications. - Craig Conover

1 Answers

0
votes

PubNub Access Manager & SSL/TLS

While you should be using Access Manager to secure your channels on a per device/user basis, Access Manager is not required in order to use PubNub over TLS (SSL is the deprecated/vulnerable predecessor and often these terms are used interchangeably).

So your initialization code is correct to enable TLS (https connections) when PubNub operations are invoked.

pb = new Pubnub(PUBNUB_PUB_KEY, PUBNUB_SUB_KEY, SECRET_KEY, true);

But if you enable Access Manager on your key set (pub/sub keys), then you are required to grant permissions (read, write & manage) for channels on auth-keys. Each end user should have a unique auth-key that has the permissions for the channels that are required for that user to publish, subscribe, get history, presence, etc.

You grant permissions from your secure server which you initialize PubNub with the publish, subscribe and secret keys (secret key is required to execute the grant API). With v4 PubNub SDKs, the server has super admin permissions when it inits with the secret key. v3 SDKs require the server to grant itself access to its own auth-key but since Codename One is for mobile client apps, you don't need to wait for a v4 PubNub SDK for Codename One. And I would assume you would be using Java on your server and our v4 Java SDK v4 has the super admin permissions feature when initialized with the secret key. NOTE: the docs need to be updated as they still state that an auth-key is required even when secret key is used to init.

So my recommendation is, enable SSL (TLS) as you are already doing for your server and clients but disable Access Manager for the short term. Once you have your base functionality working, integrate the use of Access Manager and auth-keys into your server and clients.