how to secure laravel-echo-server connectivity

Question

I use from socket.io and laravel-echo-server for sending my events to all clients by a public channel but I want just my clients (like my mobile apps and web apps) to be able to connect to laravel-echo-server, not others, like pusher system with an app-key and a secret-word, how can I do this?

update: finally, I have to use from a private channel and in mobile client everything is ok but at the web app (admin panel) laravel-echo-server can't connect to channel and authorize by csrf-token. this is my code : in the header:

<meta name="csrf-token" content="{{ csrf_token() }}">

in javascript:

Echo.private('channel')
            .listen('event', (e) => {
                console.log(e);
            });

finally, I resolved this, by private channel and a custom middleware for authorizing users, but I was forced to create a table for store token for admin users and use from it to authorizing admin users site in middleware by sending users token in the client side, also for mobiles client I use jwt token for authorizing — saman

ceejayoz ceejayoz · Accepted Answer · 2019-06-04T17:56:53

https://laravel.com/docs/5.8/broadcasting#authorizing-channels

Private channels require you to authorize that the currently authenticated user can actually listen on the channel. This is accomplished by making an HTTP request to your Laravel application with the channel name and allowing your application to determine if the user can listen on that channel. When using Laravel Echo, the HTTP request to authorize subscriptions to private channels will be made automatically; however, you do need to define the proper routes to respond to these requests.

It's a little involved, but fairly straightforward. The docs will walk you through setting up the correct routes, Echo configuration, etc.

how to secure laravel-echo-server connectivity

2 Answers