Restrict some features inside my front-end

I want to allow creating groups and listing users only in my backend.

A hacker could dump my entire user base (firstname/lastname) with this request:
https://api-xxx.sendbird.com/v3/users?token=&limit=20

Is it possible?

Thank you

Hello @magic and welcome to the Sendbird community,

Access to the Platform API to list the users in your application would require a threat actor to have obtained the API token for your application, which is the reason Sendbird strongly advises against using the Chat Platform API in your client-side applications.

You should use the corresponding client SDK, in this case the JavaScript SDK, in your client application.

When utilizing the master API token of your application, you can generate a secondary API token via your Dashboard or through the Platform API. This would allow you to revoke any secondary API keys in the event they are exposed. Please see the following documentation on how to generate and utilize secondary API tokens: https://sendbird.com/docs/chat/v3/platform-api/prepare-to-use-api#2-authentication

In my front-end, I use the React UIKit.
Front-end: platform-api/js

I perform my operations inside my backend (room creation, adding a user to a room, access token retrieval when I create a user).

When I have the view on the groupChannelList components, I have this problem:

My secondary API token is only present in my backend. I’m not using a core API token.

In my use case, anyone could create an account on my solution. So I want to avoid those possibilities.

Is it possible? Do you have sample source code for this type of case, or a solution?

Thanks for your help

Hello @magic,

It is not possible to hide the response body of the API call made by the SDK to list available users. If we masked this data, the data in your application would also be masked.

There is a security setting for your application to prevent users from logging into your application without a valid session or access token by setting access token permission to Deny Login under Settings → Security → Access Token Permission. This prevents users from logging into another user ID without the valid access or session token.
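
The pattern the answers above recommend, as an added example that is not Sendbird's own code: the browser never holds the Platform API token; the backend exchanges the app's own authenticated identity for a short-lived Sendbird session token, and the client SDK connects with that. It assumes the Platform API endpoint `POST /v3/users/{user_id}/token` with an `Api-Token` header and an `expires_at` body field (milliseconds since epoch); `APP_ID`, `req.user` and the placeholder token are constructed for the example and should be checked against your own setup and the Sendbird docs for your API version.

```javascript
// Added example, not Sendbird's code. Backend-side issuance of a Sendbird
// session token so the (secondary) API token stays on the server.
const APP_ID = "YOUR_APP_ID"; // placeholder, constructed for this example
const API_TOKEN = process.env.SENDBIRD_API_TOKEN ?? "SECONDARY_API_TOKEN_PLACEHOLDER";
const SESSION_TTL_MS = 60 * 60 * 1000; // short-lived; the client re-requests on expiry

// Build the server-to-Sendbird request. Pure function, so it can be inspected
// and tested without network access. Endpoint/field names are assumptions.
function buildSessionTokenRequest(appUserId, nowMs = Date.now()) {
  if (typeof appUserId !== "string" || appUserId.length === 0) {
    throw new Error("appUserId must come from the app's verified session");
  }
  return {
    url: `https://api-${APP_ID}.sendbird.com/v3/users/${encodeURIComponent(appUserId)}/token`,
    init: {
      method: "POST",
      // The secret travels in a header to Sendbird only, never in a URL and never to the browser.
      headers: { "Api-Token": API_TOKEN, "Content-Type": "application/json" },
      body: JSON.stringify({ expires_at: nowMs + SESSION_TTL_MS }),
    },
  };
}

// Reduce the upstream response to the only fields the browser needs.
function toClientPayload(appUserId, status, body) {
  if (status !== 200 || typeof body.token !== "string") {
    throw new Error(`session token request failed: HTTP ${status}`);
  }
  return { userId: appUserId, sessionToken: body.token, expiresAt: body.expires_at };
}

// Express-style route. The identity comes from req.user (set by your own auth
// middleware), never from the client request, so a user can only obtain a token
// for their own user id. With "Deny Login" enabled in the dashboard, a client
// without such a token cannot connect as any user id.
async function sessionTokenRoute(req, res, fetchImpl = fetch) {
  const { url, init } = buildSessionTokenRequest(req.user.id);
  const upstream = await fetchImpl(url, init);
  res.json(toClientPayload(req.user.id, upstream.status, await upstream.json()));
}

// Browser side, sketched: fetch this route with the app's own session cookie, then
// connect the JavaScript SDK with sb.connect(payload.userId, payload.sessionToken).
```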

Hello @Ian,
This query is an extension of the discussion with “magic”.
We are using session tokens which are issued in the backend. The frontend uses the JavaScript SDK.

My understanding is that the JavaScript SDK still supports listing and discovery of all public group channels, and all the users in them.

We have our own method and design for managing which group channels are shown as available to which users. But due to the nature of our requirements, the group channels are created as public.

Can you provide an optional “switch” in the configuration, similar to this switch:

Deny Login under Settings → Security → Access Token Permission

Maybe “Deny Listing”.

If we configure our instance to “Deny Listing”, then client-side SDK functions which can be used to discover channels and users are disabled.

(e.g. GroupChannelListQuery - Documentation)

Thank you!
Simon