How to generate pubnub UUID? - pubnub

I building chat application with pubnub,
I have setup everything both backend and frontend,
but in front-end, it requires another argument for UUID. Can anyone tell me where can i get the UUID? how to generate it with pubnub? Do i need to store the UUID in my datbase?
const pubnub = new PubNub({
publishKey: 'myPublishKey',
subscribeKey: 'mySubscribeKey',
uuid: 'myUniqueUUID'
});
Pubnub docs it seems worst, i have not found any information regarding generating UUID, Can anyone tell me how can i resolve it?

PubNub UUID Management Best Practices
The UUID should be something that, as the acronym implies, uniquely identifies the user (or device, server instance, etc.). The UUID can be whatever you see fit to accomplish this in your applications but there are some guidelines you should follow with respect to PubNub.
This is well-documented in the PubNub Platform Documentation, so I am not going to repeat all of that here. Please review Users & Devices: Identity Management docs, under the Connections section, for the full story.
TL;DR
Generate a UUID for the user when they register as a new user and store it in their user profile record in your system (or use PubNub Objects: UUIDMetadata).
Upon successful registration/login of a user, pass the following back to the user (the client PubNub application):
subscribe key
publish key (only need if client can send messages)
uuid (there are UUID generator APIs in PN SDKs - you can make your own but you should avoid using any PII as the UUID).
auth key (this has to do with PubNub Access Manager and not related to this post, but should be implemented for production applications)
use the above to init your PubNub object
each user/client/device should use the same UUID everytime the PubNub object is created
each server instance should have its own UUID. This can simply be a server instance name or identifier
Why are UUIDs Important in PubNub?
Again, it's all detailed in the same docs page under the UUID Impact section, but here's the highlights:
For billing purposes - it is used to calculate MAUs (Monthly Active Users)
For Presence service to work properly - uuid value is used to generate join event when a user subscribes to a channel and for all presence events and APIs.
For easy troubleshooting - if you ever have to contact PN Support, it makes it a lot easier to identify a user across multiple subscribes and other API calls if we can single out a UUID.
Have a Realtime Day!!! ;)

This is in ruby:
Pubnub::UUID.generate

Related

cross-platform private keys storage for nodejs

Question
I tried to search for a solution, with google and here at StackOverflow, but no success.
What I looking for:
I need API to generate a new keypair, like
//publicKey is either Buffer or string, so I can use it in `createPublicKey` call.
let publicKey = await impl.generate("keypairUniqueName");
Decrypt some data with key by key name
let decryptedBuffer = await impl.decrypt("keypairUniqueName", encryptedBuffer);
sign data with private key
let signatureBuffer = await impl.sign("keypairUniqueName", rawDataBuffer);
delete key by unique name
await impl.deleteKeypair("keypairUniqueName");
keys storage should be scoped to specific device, local user account, and (my) app, and ideally, with some other string parameter like in-app account or profile id, so I can call on Electron installation:
let implHive = await ImplFactory.ensureForKeysHive();
and later on adding local user record:
let impl = await implHive.createKeystore(userAccountId, localPinCode);
and on login:
let impl = await implHive.openKeystore(userAccountId, localPinCode);
ideal requirement: I should be able to do it at Windows desktop, Linux desktop, Android, iOS. Most likely context is Electron App or nodejs based CLI.
I understand I can save an encrypted files to paths like ~/.appName/keystore/userId.slot, but I need to be sure this file can not be used on other device if copied to other device with ctrl+c - ctrl+v or cp command. So for file-based impl anyway question comes where to save password or other device-scoped encryption data or device-specific keypair to make sure only my app can use that device-scoped keypair.
Does the safeStorage of electron is what I looking for regarding per-device and per platform user as way to store something that only and instance of my app on same machine can save and load?
From documentation I understood electron 's safeStorage is specific to user, not to device-user-app intersection.
In this regard I can implement something like larger password model, where account-specific key of my app stored as original password with some app-specific salt added, like
//example purposes-only
let fullAppSpecificKeysVaultPassword = "vendor-alias/my-app/account_${localPinCode}_${purposeCode}";
inside storage represented by safeStorage provided electron, but I not sure is this strategy good enough, or may be there some npm package or electron API I overlooked?
It is important that local keys vault for the app under question should be usable across installations/deinstallations/re-installations/upgrades of same app.
Is something like that exists with exact features?
All this resembles very much the Android Keystore - https://developer.android.com/training/articles/keystore#WhichShouldIUse
Especially per-app scoping.
But it is unclear is there something like that to be used in cross-platform manner by an electron and/or nodejs app.
Context, goals, Purpose, and Why
For self-education purposes I thinking about making some small app with 2 features:
public keys mapping to user aliases, random device ids and optional readable device aliases, with small profiles like name, avatar, and 1 sentence user-self description, may be more fields in profiles eventually - limited variation of keybase, with federation like Mastodon, but with rule to keep keys catalogue in sync across federation relays when joining to "relays federation" to make sure profiles intact if relay server who created them gone offline or left keys federation, or relays not available, and only profiles cached by clients are available. I find it interesting to make in context of keybase being eaten by Zoom.
end-to-end encrypted chat app that would work in environments like LAN, WiFi, and Bluetooth, and other local networking to be used both with internet and when standard internet access not available. You may say that such projects are exists already like Serval or Thali or some other, and yeah, I was inspired by them to some extent.
So, self-education aspect, and question like How much of that can I do myself using only Electron or nodejs? are main motivations behind this idea.

pubnub exposed subcribe key and publish key in frontend

I am developing a chat app and in frontend i am using reactjs
for reactjs, i am using this library: https://www.npmjs.com/package/pubnub-react
I see here, the subcribe and publish key is exposed in frontend, My question is, it it secure to add such key in frontend?
here you go for sample code:
const pubnub = new PubNub({
publishKey: 'myPublishKey',
subscribeKey: 'mySubscribeKey',
uuid: 'myUniqueUUID'
});
PubNub Access Manager
Quote from Stephen Blum (founder and CTO of Pubnub) from an answer to a duplicate question:
This is the same problem with Facebook. I can open your FB page and copy your auth_key from the network tab and gain access to your Facebook page. You must treat your PubNub auth_key the same as you would a secret intended only for the user. This is like a Session Key/ID that allows access to a data stream, similar to the way Netflix, Spotify, Facebook and Gmail provide a secure access layer.
To summarize, you cannot hide the PN keys but you can secure them by enabling and implementing PubNub Access Manager.
Read the docs from the link above, but this question has also been answered a couple of times before on Stack Overflow. The code samples there are older but the concept is the same:
Secure Pubnub subscriber key and channel name
how to hide pubnub keys when using JS
Also, always pass the pub/sub keys back to the client app from your server (along with the auth-key and the UUID) rather than hardcoding them into the client code. This allows you to swap the keys if you ever need to do so. It's rare but can be super-useful if you ever need to.

OneSignal - security concerns

I have a couple of questions about the OneSignal notification service. I have been reading the documentation and there are couple of things that bother me security-wise or I'm missing something.
As I understand the process Javascript client uses the Web Push SDK to communicate with the OneSignal API. To instantiate the communication it needs appId parameter, which is available to client.
After that the client can call getExternalId, getEmail, getTags methods to potentially gather user sensitive data. Once in possession of that data on some other device methods setExternalId and setTags can be called with gathered data to impersonate other user and receive notifications directed to them (at least those that get routed using the set parameters).
Does OneSignal presume that device (endpoint) is not compromised?
OneSignal doesnt see setExternalId misuse as a security concern, as notifications shouldn't include sensitive information, as stated in their webpush SDK github.
Only recommendations they do about external_id are its uniqueness, and complexity.
Clients can only call getTags, getEmail, getExternalId, and other methods if they know the subscriber's OneSignal player_id. Since the player_id is only known by the client, it is not possible to impersonate the user or to get this data.
Even so, OneSignal recommends against storing sensitive data in tags or other fields.

Generate secure shareable URL for access to web app (NodeJS)

I am building an application in NodeJS + Express where teams can share information with one and other and chat (kind of like an internal messaging forum).
Sometimes there is a need for the team's clients to view and edit some of this stored information on a case by case basis (e.g. a client asks a question and wants to message back and forth with the team, using my app). I don't want the client to have to sign up for an account in this case.
I am thus wondering what is the most secure strategy for generating a URL where anyone with the URL can view and edit a document/POST data to my app within the confines of a single document, without signing in?
(I've seen a couple of posts on this topic but they're quite old and don't focus on this specific case.)
First of all, I can absolutely understand the benefits, but still it is not an optimal idea. However, I would like to summarize some thoughts and recommendations that will help you with the development:
A link like this should not be able to perform critical actions or read highly sensitive data.
Access should be unique and short-lived. For example, the customer could enter his e-mail address or mobile phone number and receive an access code.
If you generate random URLs, they should be generated in a secure random manner (e.g. uuid provides a way to create cryptographically-strong random values).
If I had to design this I would provide as little functionality as possible. Also, the administrator would have to enter a trusted email address and/or mobile phone number when releasing the document. The URL with a UUIDv4 is then sent to this channel and when the customer clicks on the link, he gets a short-lived access code on a separate channel if possible (on the same channel if only one was configured). This way you prevent the danger of an unauthorized person accessing the document in case a customer forwards the original URL out of stupidity.

Messaging between users with node application

I want to implement in-app messaging in my iOS and Android application, and I am unsure about how the backend functionality should be created. From before my backend is running with Node.js and users etc. are stored with MongoDB.
I figure that I quite easily could implement messaging just by saving the messages in the database and sending a push to the recipient with the new message and also showing it in the app, but I do not want the messages to be readable on the server. It would therefore be necessary to encrypt them in the database and decrypt them on the clients.
Do anyone have any suggestions for either how the encryption could be implemented or about node frameworks to use? I have looked at socket.io, but this seem to be created for real time chatting applications, which is not exactly what I'm looking for. I have also looked at RabbitMQ, but I don't really understand if it suits my requirements or not.
Many thanks in advance!
You are talking about end to end encryption. Your encryption would be easy to break if the key for the encryption is hardcoded inside the application. In order to implement something like this, you'll need a library for iOS and a library for Android.
For iOS, I recommend using OpenSSL and implementing a encryption scheme(Public key Cryptography). For Android, you can use the Spongy Castle library.
Due to limitations with iOS push notification size, it is not a great idea to send data via PUSH.
You will also (probably)need to implement a authentication mechanism for users to login.
You can go on two paths here..
Have the server generate a secret for the clients to decrypt
Separate keys, (hashed password on database, and public/privatekeys on client)
I have not used socket.io/rabbitmq, so unfortunately I cannot help you there. It seems like you are new to this, I would take a good look & reading on public key cryptography. http://en.wikipedia.org/wiki/Public-key_cryptography#Examples

Resources