Manage access
Often times it's necessary to limit users' access to resources, like channels or user metadata, within your application. For instance, you can set up a one-to-one chat room by only allowing two users to send and receive messages in a specific channel.
PubNub's access manager controls client access to resources using time-limited permission tokens. These tokens are granted by PubNub and contain an embedded list of permitted operations for the SDK which has that token. Once PubNub grants a token, it's added to the client SDK's configuration and is sent with every SDK call until it expires or is revoked.
Additionally, you may define a single UUID that can use the token. This way, no other UUID can use the token. If the authorized UUID is different than the UUID which sends the request, PubNub will deny the request.
Even though it's PubNub that grants the token, you request that a token be granted using an SDK. However, not every SDK instance may request tokens from PubNub. To use the access manager, you must first enable it on the Admin Portal and initialize one of PubNub's SDK using a secretKey. Then, that SDK acts as an intermediary between the clients that request access (SDKs) and PubNub.
const pubnub = new PubNub({
subscribeKey: 'mySubscribeKey',
publishKey: 'myPublishKey',
uuid: 'myUniqueUUID',
secretKey: 'mySecretKey'
});
PNConfiguration pn_config = new PNConfiguration();
pn_config.setPublishKey("myPublishKey");
pn_config.setSubscribeKey("mySubscribeKey");
pn_config.setUUID("myUniqueUUID");
pn_config.setSecretKey("mySecretKey");
PubNub pubnub = new PubNub(pn_config);
PNConfiguration pnconfig = new PNConfiguration();
pnconfig.SubscribeKey = "mySubscribeKey";
pnconfig.PublishKey = "myPublishKey";
pnconfig.SecretKey = "mySecretKey";
pnconfig.Uuid = "myUniqueUuid";
Pubnub pubnub = new Pubnub(pnconfig);
pn_config = PNConfiguration()
pn_config.publish_key = "my_publish_key"
pn_config.subscribe_key = "my_subscribe_key"
pn_config.uuid = "my_unique_uuid"
pn_config.secret_key = "my_secret_key"
pubnub = PubNub(pn_config)
final myKeyset = Keyset(
subscribeKey: 'subscribeKey',
publishKey: 'publishKey',
secretKey: 'secretKey',
userId: UserId('yourUniqueUserId'));
var pubnub = PubNub(defaultKeyset: myKeyset);
val PNConfiguration(UserId("myUserId")).apply {
subscribeKey = "my_subkey"
publishKey = "my_pubkey"
secretKey = "my_secretkey"
secure = true
}
val pubnub = PubNub(pnConfiguration)
To issue a grant request, you must make a call from the client SDK, which is the client that wants to have access, to the server SDK, which is the intermediary between clients and PubNub.
The code below grants the thomas_anderson UUID read access to channel-a and read/write access to channel-b, channel-c, and uuid-d for 15 minutes.
pubnub.grantToken(
{
ttl: 15,
authorized_uuid: "thomas_anderson",
resources: {
channels: {
"channel-a": {
read: true
},
"channel-b": {
read: true,
write: true
},
"channel-c": {
read: true,
write: true
}
},
uuids: {
"uuid-d": {
get: true,
update: true
}
}
}
},
function (status, token) {
console.log(token)
});
pubnub.grantToken()
.ttl(15)
.authorizedUUID("thomas_anderson")
.channels(Arrays.asList(
ChannelGrant.name("channel-a").read(),
ChannelGrant.name("channel-b").read().write(),
ChannelGrant.name("channel-c").read().write(),
.uuids(Arrays.asList(
UUIDGrant.id("uuid-d").get().update()))
.async(new PNCallback<PNGrantTokenResult>() {
@Override
public void onResponse(@Nullable PNGrantTokenResult result, @NotNull PNStatus status) {
if (status.error()) {
// Handle error
}
else {
// Handle result
}
}
}).sync();
PNResult<PNAccessManagerTokenResult> grantTokenResponse = await pubnub.GrantToken()
.TTL(15)
.AuthorizedUuid("thomas_anderson")
.Resources(new PNTokenResources()
{
Channels = new Dictionary<string, PNTokenAuthValues>() {
{ "channel-a", new PNTokenAuthValues() { Read = true } },
{ "channel-b", new PNTokenAuthValues() { Read = true, Write = true } },
{ "channel-c", new PNTokenAuthValues() { Read = true, Write = true } },
Uuids = new Dictionary<string, PNTokenAuthValues>() {
{ "uuid-d", new PNTokenAuthValues() { Get = true, Update = true } }}
})
.ExecuteAsync();
PNAccessManagerTokenResult grantTokenResult = grantTokenResponse.Result;
PNStatus grantTokenStatus = grantTokenResponse.Status;
if (!grantTokenStatus.Error && grantTokenResult != null)
{
Console.WriteLine(pubnub.JsonPluggableLibrary.SerializeToJsonString(grantTokenResult));
}
else
{
Console.WriteLine(pubnub.JsonPluggableLibrary.SerializeToJsonString(grantTokenStatus));
}
channels = [
Channel.id("channel-a").read(),
Channel.id("channel-b").read().write(),
Channel.id("channel-c").read().write(),
]
uuids = [
UUID.id("uuid-d").get().update()
]
envelope = pubnub.grant_token()
.channels(channels)
.ttl(15)
.channel_groups(channel_groups)
.uuids(uuids)
.authorized_uuid("thomas_anderson")
.sync()
var request = pubnub.requestToken(
var request = pubnub.requestToken(ttl: 15, authorizedUUID: 'thomas_anderson')
..add(ResourceType.channel, name: 'channel-a', read: true)
..add(ResourceType.channel, name: 'channel-b', read: true, write: true)
..add(ResourceType.channel, name: 'channel-c', read: true, write: true)
..add(ResourceType.uuid, name: 'uuid-d', get: true, update: true);
var token = await pubnub.grantToken(request);
var token = await pubnub.grantToken(request);
pubnub.grantToken(
ttl = 15,
channels = listOf(
ChannelGrant.name(name = "channel-a", read = true),
ChannelGrant.name(name = "channel-b", read = true, write = true),
ChannelGrant.name(name = "channel-c", read = true, write = true),
),
uuids = listOf(
UUIDGrant.id(id = "uuid-d", get = true, update = true)
),
authorizedUUID = "thomas_anderson"
).async { result, status ->
if (status.error) {
// Handle error
} else {
// Handle result
}
}
When you grant permissions, you don't have to manually input every resource you want to grant or change access to. With a single call, you may grant access to multiple channels, channel groups, and UUID metadata using RegEx.
Certain operations, like joining/leaving a channel, or sending a message, among others, generate events sent throughout the PubNub network. Read on to learn how to intercept these events and trigger your own business logic without writing a single line of code.