Access control & data security

Authentication and authorization mechanisms in your chat app let you decide who can access what resources based on identity and permissions.

Additional security measures let you send and receive messages and files through your chat app, preventing unauthorized users from accessing that data.

Custom origin

A custom origin is a subdomain configured specifically for your application, such as abc.pubnubapi.com. Using a custom origin allows PubNub to route traffic uniquely for your application.

Contact support

To request a custom origin, contact PubNub Support.

Set origin

The SetPubnubOrigin() method in Unreal Chat SDK allows client devices to configure a custom origin

Origin

The subdomain used to establish a connection to the PubNub network that allows your application's traffic to appear like it's coming from your own domain.
for their PubNub requests.

Method signature

UPubnubAccessManager::SetPubnubOrigin(FString Origin)

Input

* required
ParameterDescription
Origin *
Type: FString
The custom origin to be set for PubNub requests.

Output

TypeDescription
int
0 if the origin is set successfully, +1 if it will be applied on reconnect, -1 if setting the origin is not enabled.

Basic usage

#include "Kismet/GameplayStatics.h"
#include "PubnubChatSubsystem.h"
#include "PubnubAccessManager.h"

UGameInstance* GameInstance = UGameplayStatics::GetGameInstance(ContextObject);
UPubnubChatSubsystem* PubnubChatSubsystem = GameInstance->GetSubsystem<UPubnubChatSubsystem>();
UPubnubChat* Chat = PubnubChatSubsystem->InitChat("demo", "demo", "my_user");

// Get the Access Manager
UPubnubAccessManager* AccessManager = Chat->GetAccessManager();

// Set a new custom origin
FString CustomOrigin = "abc.pubnubapi.com";
int Result = AccessManager->SetPubnubOrigin(CustomOrigin);

show all 27 lines

User authentication

In your chat app, you need to have a process of verifying the identity of all users, ensuring that they are who they claim to be.

Unreal Chat SDK doesn't provide a built-in authentication mechanism, and you'll need to implement user verification in your app on your own. Typically, this could involve a login system where users provide their credentials (username and password), token-based authentication, Single Sign-On (SSO), two-factor authentication (2FA), or external authentication services like OAuth.

User authorization

A chat app will require an authorization mechanism granting or denying access to specific PubNub resources or functionalities based on the authenticated user's permissions and privileges.

This way, you don't let your chat users delete or modify each other's metadata, publish messages on private channels, or remove messages that other chat members wrote.

Unreal Chat SDK provides authorization in your chat app through Access Manager - a secure, token-based permission administrator that lets you regulate clients' access to such PubNub resources as channels and users. By making a single call to Access Manager API, you can define multiple user permissions saying who can do what with your client or server app data.

Depending on whether you create a client or server app, there are three possible actors involved in the authorization cycle: PubNub (server), your own server, and a client device. For more details, read the authorization workflow.

Access Manager

Access Manager is available in Unreal SDK, not Unreal Chat SDK.

As long as the tokens with correct permissions are granted and set in the client that uses Unreal Chat SDK, it doesn't matter which SDK grants them.

Token permissions

When you use Access Manager, your client application will receive a token that governs the access levels and types of operations you can perform. The AccessManager->CanI() method checks if a client has permissions to perform a specific action on a given resource.

Method signature

Output

TypeDescription
bool
Whether or not the client has permissions to perform the requested operation on the requested resource.

Basic usage

Check if the current user can send messages to the customer_XYZ channel.

#include "Kismet/GameplayStatics.h"
#include "PubnubChatSubsystem.h"
#include "PubnubAccessManager.h"

UGameInstance* GameInstance = UGameplayStatics::GetGameInstance(ContextObject);
UPubnubChatSubsystem* PubnubChatSubsystem = GameInstance->GetSubsystem<UPubnubChatSubsystem>();
UPubnubChat* Chat = PubnubChatSubsystem->InitChat("demo", "demo", "my_user");

// Get the Access Manager
UPubnubAccessManager* AccessManager = Chat->GetAccessManager();

// Define the channel name and resource type
FString ChannelName = "customer_XYZ";
EPubnubAccessManagerResourceType ResourceType = EPubnubAccessManagerResourceType::PAMRT_CHANNELS;

show all 20 lines

Token management

The UPubnubAccessManager class in Unreal Chat SDK provides methods for managing the authentication token of an initialized UPubnubChat instance.

Set token

The SetAuthToken() method allows client devices to update their authentication token. This token, granted by the server, contains embedded permissions that define the client's access to PubNub resources. By setting a new token, the client ensures that its requests to PubNub are authorized according to the permissions specified in the updated token.

Method signature

void UPubnubAccessManager::SetAuthToken(FString Token)

Input

* required
ParameterDescription
Token *
Type: FString
The authentication token with embedded permissions.

Basic usage

#include "Kismet/GameplayStatics.h"
#include "PubnubChatSubsystem.h"
#include "PubnubAccessManager.h"

UGameInstance* GameInstance = UGameplayStatics::GetGameInstance(ContextObject);
UPubnubChatSubsystem* PubnubChatSubsystem = GameInstance->GetSubsystem<UPubnubChatSubsystem>();
UPubnubChat* Chat = PubnubChatSubsystem->InitChat("demo", "demo", "my_user");

// Get the Access Manager
UPubnubAccessManager* AccessManager = Chat->GetAccessManager();

// Set a new authentication token
FString AuthToken = "p0thisAkFl043rhDdHRsCkNyZXisRGNoYW6hanNlY3JldAFDZ3Jwsample3KgQ3NwY6BDcGF0pERjaGFuoENnctokenVzcqBDc3BjoERtZXRhoENzaWdYIGOAeTyWGJI";
AccessManager->SetAuthToken(AuthToken);

This method does not return any response value. If the operation fails, ensure the token is valid and properly formatted.

Parse token

The ParseToken() method decodes an existing token and returns a string containing the permissions embedded in that token. This method is useful for debugging purposes, allowing you to inspect the token's permissions and other metadata, such as its time-to-live (TTL) and authorized user ID.

Method signature

FString UPubnubAccessManager::ParseToken(FString Token)

Input

* required
ParameterDescription
Token *
Type: FString
The authentication token to decode.

Output

TypeDescription
FString
A string containing the token's permissions and metadata.

Basic usage

#include "Kismet/GameplayStatics.h"
#include "PubnubChatSubsystem.h"
#include "PubnubAccessManager.h"

UGameInstance* GameInstance = UGameplayStatics::GetGameInstance(ContextObject);
UPubnubChatSubsystem* PubnubChatSubsystem = GameInstance->GetSubsystem<UPubnubChatSubsystem>();
UPubnubChat* Chat = PubnubChatSubsystem->InitChat("demo", "demo", "my_user");

// Get the Access Manager
UPubnubAccessManager* AccessManager = Chat->GetAccessManager();

// Parse an existing token
FString Token = "p0thisAkFl043rhDdHRsCkNyZXisRGNoYW6hanNlY3JldAFDZ3Jwsample3KgQ3NwY6BDcGF0pERjaGFuoENnctokenVzcqBDc3BjoERtZXRhoENzaWdYIGOAeTyWGJI";
FString TokenDetails = AccessManager->ParseToken(Token);

show all 17 lines

Example output

The server returns the permissions in a CBOR format. You can Base 64 decode it, and parse with any a CBOR parser.

{
"v":2,
"t":1619718521,
"ttl":15,
"res":{
"usr":{},
"spc":{},
"chan":{{"ch1":19}},
"grp":{}
},
"pat":{
"usr":{},
"spc":{},
"chan":{},
"grp":{}
show all 19 lines

Operations-to-permissions mapping

The type of access level you grant on a given resource type defines which operations users can perform in your app. For example, write access given to a user for the channels resource type (either specific channels or channel patterns) lets them send messages to this channel/these channels (calling the PubNub Pub/Sub API underneath and the Unreal Chat SDK's SendText() method).

Chat SDK method to required Access Manager permission mapping

For information about which Chat SDK methods require what Access Manager permissions, refer to Security and permissions.

Last updated on