Send private end-to-end encrypted Broadcast notifications with Laravel through Pusher

Posted on 22. August 2021 Comments

Pusher Channels allow an end-to-end (e2e) encrypted mode for their private channels. If you’re using Pusher as the BROADCAST_DRIVER in Laravel, it’s easy to enable this not only for broadcasted events but also notifications, so you can ->notify() the user without enabling Pusher to see what the content of the message is.

This is assuming you set up the authentication callback routes/broadcasting.php and it’s reachable (by default under /broadcasting/auth.)

  1. Add receivesBroadcastNotificationsOn() for the Notifiable Model (e.g. User)
    public function receivesBroadcastNotificationsOn()
    {
        // `private-` is added automatically
        return 'encrypted-App.Models.User.' . $this->id;
    }

The default implementation would be for a normal (not e2e) private channel and just return the FQCN in dot notation, followed by the Model ID.

Simply adding encrypted- before the channel name you now choose (or stick with the default suffix as above) will signal to Laravel to encrypt the messages before sending them out to pusher.

2. Add a shared key to config/broadcasting.php

'options' => [
                'cluster' => env('PUSHER_APP_CLUSTER'),
                'useTLS' => true,
                'encryption_master_key_base64' => env('PUSHER_APP_E2E_MASTER_KEY_BASE64'),
            ],

The end2end encryption is done synchronously with a shared key, stored base64 encoded. Of course, it’s important to keep this key secret. This encryption does not provide PFS, meaning, if the key ever leaks all old messages can be decrypted. Therefore, it’s probably a good idea to rotate it regularly or possibly not even use the same key for every user by manually changing the config before sending the message.

You can securely generate a key on the commandline or use PHP:

// Commandline
$ openssl rand -base64 32

// PHP
base64_encode(bin2hex(random_bytes(32)));

3. Client side

The client side using a pusher library recognizes the private-encrypted prefix. On successful authentication against /broadcasting/auth (or your custom authentication route) the shared key is transmitted in the response and used by the client to decrypt messages sent on that channel. You don’t need to worry about key distribution.

4. Double Check in the pusher.com debug console

You should only be able to see the none and the cyphertext, but not the plaintext message. If you do, something isn’t setup correctly yet.

5. Misc

The event for notifications to listen to is .Illuminate\\Notifications\\Events\\BroadcastNotificationCreated – don’t forget the . in front of it.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.