Device Events Subscription Security?

I have a Photon publishing private event and I execute the the following code without logging into my account:

id eventListenerID = [[SparkCloud sharedInstance] subscribeToDeviceEventsWithPrefix:nil deviceID:@“xxxxxxxxx” handler:handler];

And I am getting the Private events from the Photon. It seems that anyone can with the device id can listen to the private events. Can someone clarify this?

I guess you have an accesstoken sitting somewhere…

@kennethlimcp,I am just running the mobile sdk example from here Even after I call logout:

[[SparkCloud sharedInstance] logout];

It supposedly clear up access token, I am still getting the private device event stream.

@mtun009, i will get someone on the team to comment.

Before that happens, i will make this thread unlisted.

@ido @zachary @KyleG @will

1 Like

That’s like trying to hit these endpoints in an incognito window without an access_token (try it, it won’t work).

You probably have a cached cookie or something in your session? As the person who wrote this behavior in the Particle cloud, your user identity is a functional requirement in retrieving your private events, without it, your private events can’t exist. So I would be pretty surprised if you were getting your private events without being logged in. It shouldn’t matter what SDK this is happening in, the API simply doesn’t have enough information to get your private events without a live session, and it’s also restricted. But if you can send me a link to the particle api that lets me get private events without an access token, I’ll definitely gift you some Particle swag as a reward.



Really appreciate you bringing this up @mtun009. As Dave mentioned, it’s definitely not a problem on the API side, however it’s possible there’s some unexpected caching behavior in the SDK. @ido would be the expert there — he’ll respond sometime today.

1 Like

Trying to reproduce this behavior in a test app, will report back soon.

1 Like

I am sorry I can’t seem to be able reproduce/see this behavior here…
Receiving the expected:
Error Domain=SparkAPIError Code=1008 "No active access token" UserInfo={NSLocalizedDescription=No active access token}
when trying to subscribe to device events.

Are you using latest version (0.6) of Cloud SDK?

1 Like

@Ido, thanks for getting back to me. Let me make sure I got the 0.6 version.

1 Like