Pusher Channel Authentication and Web Framework CSRF Protection

Problem

The Pusher JavaScript client library makes an authentication AJAX request when subscribing to a Private or Presence channel. This AJAX request is done in the form of a POST request.

By default a POST request from JavaScript is intercepted and forbidden with a 403 response with many web frameworks such as Ruby on Rails and Laravel as it will be seen as a Cross-site Request forgery attempt.

Solution

The solution depends on the client library that you are using:

JavaScript

Parameters to be sent along with the authentication request can be set in the Pusher constructor options parameter.


var options = {
  auth: {
    headers: {
      'X-CSRF-Token': 'YOUR_TOKEN_VALUE',
    }
  }
};
var pusher = new Pusher(applicationKey, options);

iOS/Objective-C

The documentation for setting HTTP headers for libPusher can be found here: http://cocoadocs.org/docsets/libPusher/1.5/#channel-authorisation.

Android/Java

The documentation for setting HTTP headers for pusher-websocket-java can be found here: http://pusher.github.io/pusher-websocket-java/com/pusher/client/util/HttpAuthorizer.html#setHeaders(java.util.HashMap).

Was this article helpful?
0 out of 0 found this helpful
Haven't found what you were looking for?
Submit a ticket