@novu/notification-center creates subscriber when it doesn't exist
Hi Team, I was experimenting with React @novu/notification-center and noticed that it creates a new subscriber if the provided subscriberId doesn't exist. While the Subscriber API is protected by an API key, it seems that a subscriber can be created simply by providing the applicationIdentifier. Is this the intended behaviour? It seems like a security issue.
```jsx
<NovuProvider
  subscriberId={'on-boarding-subscriber-id-xyz'}
  applicationIdentifier={<app-identifier>}
>
  <PopoverNotificationCenter colorScheme={'light'}>
    {({ unseenCount }) => <NotificationBell unseenCount={unseenCount} />}
  </PopoverNotificationCenter>
</NovuProvider>
```
10 Replies
Hey @Harinder, I'll tag @Pawan Jain to provide us an answer here, but my 2 cents are: first of all, I'd recommend using Inbox (https://docs.novu.co/inbox/react/get-started), which is the updated version of the notification center. Second, using HMAC (https://docs.novu.co/inbox/react/advanced-configuration#hmac-encryption) you can secure this to make sure the application identifier is not the only authentication method. Also, if I may ask, did you choose Notification Center over the Inbox knowingly, and if so, is there a reason for that?
Thanks for your reply @Tomer Barnea , We have self-hosted Novu, but the Inbox components and their APIs are not available in the 0.24.0 release. I experimented with the Inbox components, and they are exactly what we need. However, since they are not yet released, I am currently exploring notification-center.
Oh ok, if I may ask, is there a reason why you use self-hosted and not the cloud? Also, following up on the #v2 release date, we should follow up with a release date soon.
It's due to data security and company requirements.
@Harinder
Did you get a chance to check HMAC encryption? Since the API key is stored server side, it will handle the security part.
Yes @Pawan Jain, seems like an option, thanks for the quick replies 👍
@Harinder what are the security concerns and requirements you are facing? Can you elaborate on that?
@Tomer Barnea , The company policy is to host open-source products on our infrastructure. Additionally, this ensures that subscriber data remains in-house.
Thanks @Harinder !