Device Events Subscription Security?

I have a Photon publishing private events and I execute the following code without logging into my account:

id eventListenerID = [[SparkCloud sharedInstance] subscribeToDeviceEventsWithPrefix:nil deviceID:@"xxxxxxxxx" handler:handler];

And I am getting the private events from the Photon. It seems that anyone with the device ID can listen to the private events. Can someone clarify this?

I guess you have an access token sitting somewhere…

@kennethlimcp, I am just running the mobile SDK example from here https://github.com/spark/spark-sdk-ios. Even after I call logout:

[[SparkCloud sharedInstance] logout];

It supposedly clears the access token, but I am still getting the private device event stream.

@mtun009, I will get someone on the team to comment.

Before that happens, I will make this thread unlisted.

@ido @zachary @KyleG @will

1 Like

That’s like trying to hit these endpoints in an incognito window without an access_token (try it, it won’t work).

https://api.particle.io/v1/events
https://api.particle.io/v1/devices/events
https://api.particle.io/v1/devices/4e003f000c51343334363138/events

You probably have a cached cookie or something in your session? As the person who wrote this behavior in the Particle cloud, your user identity is a functional requirement in retrieving your private events, without it, your private events can’t exist. So I would be pretty surprised if you were getting your private events without being logged in. It shouldn’t matter what SDK this is happening in, the API simply doesn’t have enough information to get your private events without a live session, and it’s also restricted. But if you can send me a link to the particle api that lets me get private events without an access token, I’ll definitely gift you some Particle swag as a reward.

Thanks!
David

5 Likes
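The "try it without an access_token" check above can be scripted so anyone in the thread can reproduce it from the command line rather than from inside the SDK. The following is an added example written for this thread, not code from Particle or the spark-sdk-ios project. It assumes the three endpoint URLs quoted above, the bearer-token header form that the Particle REST API accepts, and that any 4xx status means the stream was refused; the device ID is the sample one from the post.

```python
"""Added example (not Particle's code): probe the event-stream endpoints
with and without an access token and report whether each one is refused."""
import urllib.error
import urllib.request
import socket

# Endpoints quoted in the thread; the device ID is the sample value from the post.
EVENT_ENDPOINTS = [
    "https://api.particle.io/v1/events",
    "https://api.particle.io/v1/devices/events",
    "https://api.particle.io/v1/devices/4e003f000c51343334363138/events",
]


def build_request(url, access_token=None):
    """Build an SSE request; the Authorization header is added only when a token is given."""
    req = urllib.request.Request(url, headers={"Accept": "text/event-stream"})
    if access_token:
        req.add_header("Authorization", "Bearer " + access_token)
    return req


def is_rejected(status):
    """Assumption: a 4xx status means the API refused to open the stream;
    a 2xx status means the stream was opened (private events would flow)."""
    return 400 <= status < 500


def probe(url, access_token=None, timeout=5):
    """Return the HTTP status for one endpoint without reading the (possibly
    endless) event stream body. Requires network access."""
    req = build_request(url, access_token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code
    except socket.timeout:
        # Connection opened but no headers in time; treat as not refused.
        return 0


def verify_unauthenticated_access(endpoints=EVENT_ENDPOINTS):
    """Map each endpoint to True if an unauthenticated request was refused."""
    return {url: is_rejected(probe(url)) for url in endpoints}


if __name__ == "__main__":
    for url, refused in verify_unauthenticated_access().items():
        print(("REFUSED " if refused else "OPENED  ") + url)
```

If any line prints OPENED, that endpoint streamed without a token and is exactly the case Dave asks for a link to; if every line prints REFUSED, the SDK client is still sending a stored token after logout, which is where to look next.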

Really appreciate you bringing this up @mtun009. As Dave mentioned, it’s definitely not a problem on the API side, however it’s possible there’s some unexpected caching behavior in the SDK. @ido would be the expert there — he’ll respond sometime today.

1 Like

Trying to reproduce this behavior in a test app, will report back soon.

1 Like

I am sorry, I can't seem to be able to reproduce/see this behavior here…
Receiving the expected:
Error Domain=SparkAPIError Code=1008 "No active access token" UserInfo={NSLocalizedDescription=No active access token}
when trying to subscribe to device events.

Are you using latest version (0.6) of Cloud SDK?

1 Like

@Ido, thanks for getting back to me. Let me make sure I got the 0.6 version.

1 Like