Playing
09. Defining and authorising private channels

Transcript

00:00
So far, we've only looked at public channels, which means anyone, even users that don't use
00:06
our application can connect to them channels. In this section, we're going to look at an example where we connect to the user's channel, which will only deliver notifications to that user. And only that user will be able to connect to that channel. And you can use this to create any channels for any model type that you need to be private. Okay. So I've created out a fresh
00:29
application here so we can focus on everything that we're doing. Let's go over to our channels root file and take a look at this channel here. We're not going to create a new channel. We're going to use what's already here to find out what is going on. Okay. So by default, Laravel includes this private channel. Let's just have a look at what is going on here. So this is the name of
00:51
the channel, which we're going to switch up. And it includes this placeholder just inside of here. So inside of here, we'll always get the user who is trying to connect to this private channel, and we'll also get any of the parameters that are passed into the channel name. We'll take a look at another example in a minute without implementing it, but this is the kind of thing that we're
01:15
dealing with. Now I'm actually going to change the channel name over to users.id. I much prefer just a cleaner rather than referencing the actual model. And let's just go ahead and pull in the namespace for that user. Okay. So effectively, when we connect to this channel, we're going to replace out this ID with the ID of the user who is trying to connect to the channel. We'll get
01:36
the currently authenticated user through and we'll make sure that the ID of the user matches what we have passed in here. And you can see it's cast to an int. So these get compared properly. Okay. Let's go ahead and try to connect to this channel and see what happens. So we're going to head over to our dashboard. So let's go back over to our dashboard and we'll just do exactly the same
01:58
thing again. Just write some raw JavaScript out in here. So let's use echo to go ahead and connect to a channel. Now we don't want to use channel. That's what we did before when we joined a public channel. Instead, we want to use the private method to signify to echo that we need to connect to a private channel. And we'll see what happens behind the scenes with a network request when we do this.
02:21
So let's go ahead and connect to users.one and just see what happens. So let's head over to the browser, open up our console, and let's take a look at what is going on here. Okay. So I've given the page a refresh and everything looks like it's good. Before we dive into the network request, let's go ahead and try and connect to users.two, which isn't the ID that I've registered with.
02:44
We give that a refresh. You can see we get a 403 forbidden. So what echo is doing now that we're using the private method to connect to a channel is it's sending a request to this endpoint within our Laravel application. What this endpoint will do is map this up to the channel that we're trying to connect to over in channels. It will run this closure. And obviously if we return false here,
03:10
it's going to unauthorize it. So let's go ahead and look at that network request in more detail when we go ahead and actually provide the correct ID. And then we'll go ahead and start to broadcast to this private channel. Okay. So there we go. There's our successful auth request. We can see that all of that was okay. Now you might be wondering, well, what's the point in defining
03:31
out this kind of channel when we're just returning a single true or false value? Well, with this, we can add in some logic to check if we're allowed to access this channel or not. Let's take the example just really quickly of creating out a chat room interface. So let's say that we had a chat room with a specific ID. We'd still get the user passed in, but this would now be the room
03:58
ID. So let's call that room ID just so it makes a bit more sense. Now what you can do inside of here, and this is all in the Laravel documentation, if you want to go ahead and reference it, is create out an if statement to explicitly stop the user accessing a room if they can't access it. So once you implement roles and permissions or any kind of logic in your application
04:23
to allow a user into a room or to perform a certain action, you can just define all of this out in here. So the example from the Laravel documentation is something like this. We would say something like user, which we now have, can access room, and then we could pass in the room ID. So if they can't access that room, then we want to return false. Otherwise, we want to return
04:48
true. So it's kind of like just a standard authorization, but now within a channel's route. So that's the kind of thing that we want to do. We're not going to implement just that just yet because we have other courses that cover that, but for now we know that only this specific user can connect to this channel. Now before we go, how do we actually pass this in? Well, it's
05:10
entirely up to you however you're building your application. Because we're just working within a blade file here, all we really need to do here is just output the currently authenticated user's ID. So now that will be directly passed into here, it will authorize it, and of course we can now connect. If someone was to go in and try and change this value or manually try and connect to this private
05:32
channel using a different ID, it wouldn't allow them in because over in channels we're performing this here. Okay, so hopefully that makes sense with private channels. Let's go over to the next couple of episodes and build out something a little bit more useful where we can dispatch to these private channels.

Episode summary

In this episode, we move beyond just using public channels—where anyone can connect—and dive into creating private channels using Laravel. Private channels are awesome when you need to send notifications to only a specific user, and make sure no one else can tap into those messages.

We start by looking at the default setup in the Laravel channels.php file, tweaking the private channel for users so that only the authenticated user with the correct ID can connect. We explain how Laravel authorizes these connections behind the scenes, showing you that, if the user tries to connect to a channel that doesn't belong to them, they'll get a 403 Forbidden error.

We then experiment by connecting to different user channels using raw JavaScript with Laravel Echo, and you get to see in real-time how the authorization works with network requests. You’ll see that adding logic to these channel authorization callbacks means you can control access to things like chat rooms, not just user notification channels. If you ever need to implement more complex rules (like roles or permissions), you now know where that logic would live!

To wrap up, we run through the practical bits—how to dynamically output the current user's ID into your frontend code, so you can connect to the right private channel. We close by setting the stage for the next episodes, where we'll put these private channels to use and start broadcasting some actual events to them!

Episode discussion

No comments, yet. Be the first!