Novu, 3mo ago
Harinder (OP)

@novu/notification-center creates subscriber when it doesn't exist

Hi Team, I was experimenting with React @novu/notification-center and noticed that it creates a new subscriber if the provided subscriberId doesn't exist. While the Subscriber API is protected by an API key, it seems that a subscriber can be created simply by providing the applicationIdentifier. Is this the intended behaviour? It seems like a security issue.

```jsx
import { NovuProvider, PopoverNotificationCenter, NotificationBell } from '@novu/notification-center';

<NovuProvider
  subscriberId={'on-boarding-subscriber-id-xyz'}
  applicationIdentifier={<app-identifier>}
>
  <PopoverNotificationCenter colorScheme={'light'}>
    {({ unseenCount }) => <NotificationBell unseenCount={unseenCount} />}
  </PopoverNotificationCenter>
</NovuProvider>
```
10 Replies
Tomer Barnea, 3mo ago
Hey @Harinder, I'll tag @Pawan Jain to provide us an answer here, but my 2 cents are: first of all, I'd recommend using Inbox (https://docs.novu.co/inbox/react/get-started), which is the updated version of the notification center. Second, using HMAC (https://docs.novu.co/inbox/react/advanced-configuration#hmac-encryption) you can secure this to make sure the application identifier is not the only authentication method. Also, if I may ask, did you choose Notification Center over the Inbox knowingly, and if so, is there a reason for that?
Harinder (OP), 3mo ago
Thanks for your reply @Tomer Barnea. We have self-hosted Novu, but the Inbox components and their APIs are not available in the 0.24.0 release. I experimented with the Inbox components, and they are exactly what we need. However, since they are not yet released, I am currently exploring notification-center.
Tomer Barnea, 3mo ago
Oh ok. If I may ask, is there a reason why you use self-hosted and not the cloud? Also, following up on the #v2 release date, we should follow up with a release date soon.
Harinder (OP), 3mo ago
It's due to data security and company requirements.
Pawan Jain, 3mo ago
@Harinder Did you get a chance to check HMAC encryption? Since the API key is stored on the server side, it will handle the security part.
Harinder (OP), 3mo ago
Yes @Pawan Jain, seems like an option. Thanks for the quick replies 👍
Tomer Barnea, 3mo ago
@Harinder what are the security concerns and requirements you are facing? Can you elaborate on that?
Harinder (OP), 3mo ago
@Tomer Barnea, the company policy is to host open-source products on our infrastructure. Additionally, this ensures that subscriber data remains in-house.
Tomer Barnea, 3mo ago
Thanks @Harinder!