Broadcasting a PubSub to all users, but also include identity of a specific user?

at_bash · March 29, 2019, 11:14am

Hi, so I’ve been working on an extension to complement a quiz show game in the style of 1 vs 100, where there is a specific user going up against everyone else. Because of this particular asymmetry in the game, when I broadcast a PubSub to all users to present the next question which works fine, I also need to be able to identify one specific player as the “1” (as determined from the EBS side), as the extension needs to play slightly differently for that one user only.

At the moment, what I’m doing is broadcasting the specific user ID that is the “1” in the PubSub message, which works, since I can compare that against what I retrieved from the JWT on authorization in the extension. However, I feel that I might be missing something security-wise, since I’m basically broadcasting a user ID in the clear with the PubSub message, and all the other users just don’t need to know that information at all anyway.

I guess, it’s a two-part question.

Is what I’m doing ok security-wise, or am I right with my gut feeling of I’m doing something wrong?
Is it possible to send a PubSub to a specific user, rather than to all users in one go? If that’s possible, then that would likely solve my problem, as I’d just send the special broadcast to the “1” only, which would eliminate any need for sending identifying tokens in the message data completely.

BarryCarlyon · March 29, 2019, 1:35pm

As per the docs

You can send to a channel or all extensions, or just one user

You just need to send to “whisper-<userId>” instead of “broadcast”

as noted in the JWT schema

at_bash · March 29, 2019, 1:40pm

Ah cool, didn’t see that on my first glance through. Thanks for that

BarryCarlyon · March 29, 2019, 1:44pm

Essentially this is fine, you are only “leaking” someones userID and most users are not really gonna be digging about looking at the packets you are sending to your extension to try and break in so sending a userID doesn’t matter to much since those are public.

It’s not “bad”

at_bash · March 30, 2019, 6:42pm

Alright, thanks for that.

However, I’ve just tried sending some extension whisper messages, but seem to be getting nowhere with it.

From what I’ve read up, the topic should be “whisper-SomeOpaqueUserId”, which I can send and receive a 204 code back without problem. On the viewer side of things, in the onAuthorized event, I’m doing:

twitch.onAuthorized(function(auth)
{
    twitch.listen(`whisper-${auth.userId}`, function(target, contentType, content)
    {
        twitch.rig.log('PubSub whisper received');
        twitch.rig.log(content);
    });
});

But I’m not getting anything hitting that listen for the whisper.

I did notice that inspecting the JWT, it didn’t list a whisper listen perm though:

{"exp":9999999999,"opaque_user_id":"xxx","role":"viewer","pubsub_perms": {"listen":["broadcast","global"]},"channel_id":"xxx","user_id":"xxx","iat":999999999}

Should the whisper be listed here as a possible perm in the JWT? If it should be, have you got any ideas why it might not be listed here?

at_bash · April 4, 2019, 5:51pm

Ok, ended up looking into the reason myself.

Seems that testing the extension in hosted mode on an actual channel does provide a JWT payload that includes the whisper topic; testing locally in the Developer Rig does not though.