Hi, so I’ve been working on an extension to complement a quiz show game in the style of 1 vs 100, where there is a specific user going up against everyone else. Because of this particular asymmetry in the game, when I broadcast a PubSub to all users to present the next question, which works fine, I also need to be able to identify one specific player as the “1” (as determined from the EBS side), as the extension needs to play slightly differently for that one user only.
At the moment, what I’m doing is broadcasting the specific user ID that is the “1” in the PubSub message, which works, since I can compare that against what I retrieved from the JWT on authorization in the extension. However, I feel that I might be missing something security-wise, since I’m basically broadcasting a user ID in the clear with the PubSub message, and all the other users just don’t need to know that information at all anyway.
I guess, it’s a two-part question.
Is what I’m doing OK security-wise, or am I right in my gut feeling that I’m doing something wrong?
Is it possible to send a PubSub to a specific user, rather than to all users in one go? If that’s possible, then that would likely solve my problem, as I’d just send the special broadcast to the “1” only, which would eliminate any need for sending identifying tokens in the message data completely.
Essentially this is fine: you are only “leaking” someone’s userID, and most users are not really gonna be digging about looking at the packets you are sending to your extension to try and break in, so sending a userID doesn’t matter too much since those are public.
However, I’ve just tried sending some extension whisper messages, but seem to be getting nowhere with it.
From what I’ve read up, the topic should be “whisper-SomeOpaqueUserId”, which I can send and receive a 204 code back without problem. On the viewer side of things, in the onAuthorized event, I’m doing:
Seems that testing the extension in hosted mode on an actual channel does provide a JWT payload that includes the whisper topic; testing locally in the Developer Rig does not though.
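A quick way to check the hosted-versus-Rig difference described above, as an added example that is not part of the original posts: it decodes the viewer JWT payload and reports whether the viewer's whisper topic is in its listen permissions. The claim names `opaque_user_id` and `pubsub_perms.listen` follow Twitch's extension JWT schema; `whisperListenStatus`, `makeSampleToken` and both sample tokens are constructed for illustration.

```javascript
// Decode one base64url JWT segment to a string (Node, or atob in a browser).
function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(segment.length / 4) * 4, '=');
  return typeof Buffer !== 'undefined'
    ? Buffer.from(b64, 'base64').toString('utf8')
    : atob(b64); // adequate for the ASCII claims used here
}

// Report whether a viewer token grants listen access to its own whisper topic.
// The payload is only read here, not verified: signature checks belong on the EBS.
function whisperListenStatus(token) {
  const fail = (reason) => ({ topic: null, canListen: false, reason });
  const parts = String(token).split('.');
  if (parts.length !== 3) return fail('malformed token');
  let claims;
  try {
    claims = JSON.parse(b64urlDecode(parts[1]));
  } catch (e) {
    return fail('payload is not valid JSON');
  }
  if (!claims || typeof claims.opaque_user_id !== 'string') {
    return fail('no opaque_user_id claim');
  }
  const topic = 'whisper-' + claims.opaque_user_id;
  const perms = claims.pubsub_perms || {};
  const listen = Array.isArray(perms.listen) ? perms.listen : [];
  const canListen = listen.includes(topic);
  return { topic, canListen, reason: canListen ? 'ok' : 'topic missing from pubsub_perms.listen' };
}

// Constructed sample tokens (placeholder signature, hypothetical opaque ID).
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'HS256', typ: 'JWT' }), enc(claims), 'c2ln'].join('.');
}

// Mirrors the thread: the hosted token lists the whisper topic, the Rig one does not.
const hostedToken = makeSampleToken({
  opaque_user_id: 'UEXAMPLE123', role: 'viewer',
  pubsub_perms: { listen: ['broadcast', 'whisper-UEXAMPLE123'] },
});
const rigToken = makeSampleToken({
  opaque_user_id: 'UEXAMPLE123', role: 'viewer',
  pubsub_perms: { listen: ['broadcast'] },
});
console.log(whisperListenStatus(hostedToken), whisperListenStatus(rigToken));
```

In the extension itself, pass the `token` field of the `onAuthorized` argument to `whisperListenStatus` and log the result before calling `listen`.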