In an era where data is the new oil, ensuring communication security is paramount. As developers, it’s essential to be aware of the best practices to implement when working with communication platforms like QuickBlox, to ensure your data remains private and protected. This article aims to illustrate some vital tips and best practices for security while leveraging QuickBlox’s real-time chat and video calling SDK.
When you create an application on the QuickBlox dashboard, you’ll receive application credentials that you can use to connect your application with the QuickBlox servers.
It’s critical that you do not expose your app credentials by any means.
A common mistake that developers often make is that they store these tokens on their client side applications, but this exposes them to security breaches. For security best practice, credentials MUST be stored on the server side.
Let’s take a look at both these approaches:
Note: Although this article only includes snippets for Web, we have attached appropriate links for the other platforms.
It’s critical that you store credentials and manage authentication on the server side, and that you initialize the client application with the session token. This is the QuickBlox recommended way.
We do not recommend using the client end for storing application credentials or managing authentication, as the client application can be compromised by reverse engineering or decompiling the application.
Let’s see how to implement this:
Make sure to store this API key securely on your server
import axios from 'axios'; const options = { method: 'POST', url: 'https://api.quickblox.com/users.json', headers: { accept: 'application/json', Authorization: 'ApiKey {your_api_key}', 'content-type': 'application/json' }, data: {user: {login: 'USER_LOGIN', email: 'USER_EMAIL', password: 'USER_PASSWORD'}} }; axios .request(options) .then(function (response) { console.log(response.data); }) .catch(function (error) { console.error(error); });
import axios from 'axios'; const options = { method: 'POST', url: 'https://api.quickblox.com/users/user_id/tokens', headers: {accept: 'application/json', Authorization: 'ApiKey {your_api_key}'} }; axios .request(options) .then(function (response) { console.log(response.data); }) .catch(function (error) { console.error(error); });
Now that you have the application credentials stored safely on our backend, you can initialize the frontend SDK with just the APP ID and Account Key (it’s safe to store them on the client side).
Let’s see how you can do that:
var appId = YOUR_APP_ID; var accountKey = YOUR ACCOUNT KEY; var config = { debug: false }; QB.initWithAppId(appId, accountKey, config);
To initialize the SDK with the App ID and Account key on other platforms, please see the relevant guide below:
Android: https://docs.quickblox.com/docs/android-setup#initialize-quickblox-sdk-without-authorization-key-and-secret
IOS: https://docs.quickblox.com/docs/ios-setup#initialize-quickblox-sdk-without-authorization-key-and-secret
Web: https://docs.quickblox.com/docs/js-setup#initialize-quickblox-sdk-without-authorization-key-and-secret
React Native: https://docs.quickblox.com/docs/react-native-setup#initialize-quickblox-sdk-without-authorization-key-and-secret
Flutter: https://docs.quickblox.com/docs/flutter-setup#initialize-quickblox-sdk-without-authorization-key-and-secret
Once you initialize the SDK, you need to start the user session with the token that you received from our backend. This token will then be used by the API calls made by the SDK.
Make sure that you are on the latest version of the respective platform SDK that you are using, since this method was introduced in newer versions of the SDK.
QB.startSessionWithToken(sessionToken, function(err, mySession){ if (err){ console.log('Error in start session with token'); } else { console.log('session data: ', mySession); } });
To set the session into the SDK on other platforms, see the relevant guide below:
Android: https://docs.quickblox.com/docs/android-authentication#set-existing-session
IOS: https://docs.quickblox.com/docs/ios-authentication#set-existing-session
Web: https://docs.quickblox.com/docs/js-authentication#set-existing-session
React Native: https://docs.quickblox.com/docs/react-native-authentication#set-existing-session
Flutter: https://docs.quickblox.com/docs/flutter-authentication#set-existing-session
Voila! It’s done. Now you have a strong security flow implemented.
You may want to use this approach when you want to build MVPs, POCs, demos or for your side projects.
//App Credentials. var APPLICATION_ID = YOUR_APP_ID; var AUTH_KEY = YOUR_AUTH_KEY; //Need to treat and store this in a secure manner var AUTH_SECRET = YOUR_AUTH_SECRET; var ACCOUNT_KEY = YOUR_ACCOUNT_KEY; var CONFIG = { debug: true }; //Initialize the SDK QB.init(APPLICATION_ID, AUTH_KEY, AUTH_SECRET, ACCOUNT_KEY, CONFIG);
To initialize the QuickBlox SDK on other platforms, see the relevant guide below:
Android: https://docs.quickblox.com/docs/android-quick-start#initialize-quickblox-sdk
IOS: https://docs.quickblox.com/docs/ios-quick-start#initialize-quickblox-sdk
Web: https://docs.quickblox.com/docs/js-quick-start#initialize-quickblox-sdk
React Native: https://docs.quickblox.com/docs/react-native-quick-start#initialize-quickblox-sdk
Flutter: https://docs.quickblox.com/docs/flutter-quick-start#initialize-quickblox-sdk
Before you log in a user, you must create the user on the QuickBlox dashboard
To create a user on QuickBlox, you can use the below function.
//Create an application session. QB.createSession(function(error, result) { // callback function }); var params = { login: login, password: "password", full_name: "Full name" }; QB.users.create(params, function(error, result) { if (error) { done.fail("Create user error: " + JSON.stringify(error)); } else { } });
Once the user is created, you can now login using the credentials.
To register the user on other platforms, see relevant guide below:
Android: https://docs.quickblox.com/docs/android-authentication#sign-up-user
IOS: https://docs.quickblox.com/docs/ios-authentication#sign-up-user
Web: https://docs.quickblox.com/docs/js-authentication#sign-up-user
React Native: https://docs.quickblox.com/docs/react-native-authentication#sign-up-user
Flutter: https://docs.quickblox.com/docs/flutter-authentication#sign-up-user
var params = { login: "login", password: "password" }; // or through email // var params = {email: 'login@login.com', password: 'password'}; QB.login(params, function(error, result) { // callback function });
Remember, however, that there is a problem with this approach.
The application credentials can be compromised, because no matter if you store them in plain text, inside .env files, or encrypt/obfuscate it, you cannot guarantee 100% security.
If these credentials are compromised, it’s easy for the attacker to get access to your database and other services.
To login the user on other platforms, see the relevant guide below:
Android: https://docs.quickblox.com/docs/android-authentication#log-in-user
IOS: https://docs.quickblox.com/docs/ios-authentication#log-in-user
Web: https://docs.quickblox.com/docs/js-authentication#log-in-user
React Native: https://docs.quickblox.com/docs/react-native-authentication#log-in-user
Flutter: https://docs.quickblox.com/docs/flutter-authentication#log-in-user
In addition to the 2 methods for managing credentials and authentication outlined above, there is one other method that can be used with Custom Identity Provider (CIdP). This method is especially useful when you have an existing user base and you want to integrate it with QuickBlox.
QuickBlox CIdP allows you to delegate authentication to an external service. In this case, user credentials and password management are handled by Identity Provider (IdP).
When CIdP is enabled and configured, users can log in to QuickBlox API with a token generated by a service external to QuickBlox.
Let’s take a look at how CIdP works:
Application: web or mobile application that integrates QuickBlox.
Identity provider (IdP): service that authenticates and verifies user credentials. The service is external to QuickBlox.
IdP_user_ID: user ID in external service.
IdP_token: access token to external service.
Note: This is an Enterprise feature, but can be enabled on a QuickBlox Shared Cloud account as well, by request.
Now that you have secure authentication in place, you might also want to configure the permissions for your tokens. Using these permissions you can control what can be accessed using an application session token and the user session token.
To access these settings:
Read more about setting permissions here.
QuickBlox is committed to providing secure communication for its customers. By adhering to the best practices outlined in this article, you can safeguard sensitive data, protect user privacy, and prevent unauthorized access to your application’s communication channels.