jnugh
NNovu
•Created by jnugh on 1/29/2024 in #💬│support
How to prevent HMAC replay in Websockets
Hi there. I'm currently looking into novu and tried to find out more details on how authentication works.
I was able to some information on HMAC in the documentation: https://docs.novu.co/notification-center/client/headless/get-started#hmac-encryption. As far as I understand one would use a backend service that is able to check the authentication status of a user to generate an HMAC which uses an API key from novu as a secret. As far as I understand this HMAC would be static for any given subscriber id as long as the API key is not being rotated.
I don't really understand the benefits of using HMAC in this scenario, other than making it harder (/impossible) to guess the credentials which would also be the case e.g. using uuid subscriber ids. If someone is able to access the subscriber id and HMAC he will be able to connect.
Is there any replay prevention available? For example using a timestamp? Is there any other method to authenticate a subscriber?
4 replies