How to restrict sent and received data from Laravel broadcast event?


I tried to find an answer to my question on Google, but everywhere on the internet I mostly find information about Private channels and Public channels in Laravel Event Broadcast.
In my recent project I used many private channels in Laravel. Today, I realized that when a user submits a form using Vue JS Axios, all data is received through the private channel and is clearly visible in any browser's developer tools.
Exactly like the image below, you see the user's first name, surname, email address and all other sensitive data, which is sent by the Laravel Private channel and received through the Pusher Private channel.
I am not sure whether this kind of data will be protected by the HTTPS layer later on the live website or not, but I feel I missed something in my code to protect users' data!
Now my question is: can I restrict the users' data that is sent from the back end? Can I send ONLY the necessary information and not all the sensitive data?
If my question is a duplicate, please help me find the original question.
I have also attached the code I used to broadcast events in Laravel and Pusher.
If anybody has any suggestion or advice about my concern, please comment or answer below. Thank you.
Laravel Broadcast Event Code

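use Illuminate\Broadcasting\InteractsWithSockets;
use Illuminate\Broadcasting\PrivateChannel;
use Illuminate\Contracts\Broadcasting\ShouldBroadcastNow;
use Illuminate\Foundation\Events\Dispatchable;
use Illuminate\Queue\SerializesModels;

class ContactRequests implements ShouldBroadcastNow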
{
    use Dispatchable, InteractsWithSockets, SerializesModels;

    protected $receiver;
    protected $sender;

    public function __construct($receiver, $sender)
    {
        $this->receiver = $receiver;
        $this->sender = $sender;
    }

    public function broadcastOn()
    {
        return new PrivateChannel('newContactRequest.'.$this->receiver->uid);
    }

    public function broadcastWith()
    {
        return [
            // The whole $receiver object goes into the payload, so every
            // attribute it serializes to is delivered to the client.
            'ContactRequest' => $this->receiver,
            'userAddable' => $this->receiver->checkAddable($this->sender),
            'requestRejectable' => $this->receiver->checkRejectable($this->sender),
            'requestAcceptable' => $this->receiver->checkAcceptable($this->sender),
            'contactSpamMarkable' => $this->receiver->checkSpamMarkable($this->sender),
        ];
    }
}

Channels.php code

Broadcast::channel('newContactRequest.{id}', function ($user, $id) {
    return $user->uid === $id;
});

Vue JS Pusher/Echo Code

async catchContactRequests () {
    await Echo.private(`newContactRequest.${this.userId}`)
        .listen('ContactRequests', (response) => {
            this.$store.dispatch('userAddableAction', response.userAddable)
            this.$store.dispatch('requestRejectableAction', response.requestRejectable)
            this.$store.dispatch('requestAcceptableAction', response.requestAcceptable)
            this.$store.dispatch('markContactSpamAction', response.contactSpamMarkable)
        })
}


There are 0 best solutions below
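
An added example, not part of the original question and not the asker's own code: the same event with `broadcastWith()` reduced to an explicit allow-list, so the payload carries only the four flags the Vue listener reads plus a trimmed `ContactRequest` entry. It assumes the `App\Events` namespace and that `$receiver` is an Eloquent model, so that `only()` is available.

```php
<?php

namespace App\Events; // assumed namespace, not shown in the question

use Illuminate\Broadcasting\InteractsWithSockets;
use Illuminate\Broadcasting\PrivateChannel;
use Illuminate\Contracts\Broadcasting\ShouldBroadcastNow;
use Illuminate\Foundation\Events\Dispatchable;
use Illuminate\Queue\SerializesModels;

class ContactRequests implements ShouldBroadcastNow
{
    use Dispatchable, InteractsWithSockets, SerializesModels;

    // Kept protected: public properties would be broadcast automatically.
    protected $receiver;
    protected $sender;

    public function __construct($receiver, $sender)
    {
        $this->receiver = $receiver;
        $this->sender = $sender;
    }

    public function broadcastOn()
    {
        return new PrivateChannel('newContactRequest.'.$this->receiver->uid);
    }

    public function broadcastWith()
    {
        // Only the array returned here is sent to Pusher and on to the
        // browser, so list each field explicitly instead of passing a model.
        return [
            // Assumption: $receiver is an Eloquent model. only() keeps the
            // listed attributes and drops name, email and everything else.
            'ContactRequest' => $this->receiver->only(['uid']),
            'userAddable' => $this->receiver->checkAddable($this->sender),
            'requestRejectable' => $this->receiver->checkRejectable($this->sender),
            'requestAcceptable' => $this->receiver->checkAcceptable($this->sender),
            'contactSpamMarkable' => $this->receiver->checkSpamMarkable($this->sender),
        ];
    }
}
```

Whatever `broadcastWith()` returns remains readable by the authorized subscriber in their own developer tools, so the allow-list should contain only data that user is meant to see.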