N
Novu2mo ago
onestyle

User authorization for react component

I just came across novu and seems very helpful, I'm trying to integrate it with my nextjs app. I cannot figure out how to enable user authz, this seems pretty open and could easily leak other peoples' notifications if their id is known. Is there a way to add some sort of authz here? I'm intrested in using novu cloud. 
<NovuProvider subscriberId={'userid'} applicationIdentifier={'appid'}>
<NovuProvider subscriberId={'userid'} applicationIdentifier={'appid'}>
Solution:
Hey @onestyle check out this guide about React InApp, the section about HMAC is what you are looking for https://docs.novu.co/notification-center/client/react/get-started#hmac-encryption
Novu
React Get Started - Novu
Learn how to add novu powered In-App notification center to your React app
Jump to solution
6 Replies
Ask Inkeep
Ask Inkeep2mo ago
Hi @onestyle, I'm an AI assistant for Novu. While a team member reviews this question, I'll look through relevant sources and see if I can provide suggestions. Please tag @Ask Inkeep with any follow-up questions. ----------------------------- While I generate an answer, here are some sources that might be helpful: * Vue * Get active integrations * Node.js * Subscribers ----------------------------- Answer Integrating Novu with your Next.js app and ensuring secure authorization is crucial to protect user notifications. While the provided documents do not explicitly detail authorization mechanisms for Next.js, they offer insights into handling subscriber IDs which are essential for targeting notifications to specific users securely. One general approach to secure authorization involves using unique subscriberIds that represent individual users within your system. This ID should ideally come from your authentication system or database to ensure each user receives only their notifications. For instance, if you're using Auth0, you could use the Auth0 generated user ID as the subscriberId in Novu (1) . Additionally, it's important to consider security practices around handling subscriberIds. While specific authorization mechanisms (like JWT tokens or secure hashing) aren't detailed in the provided documents, ensuring that these IDs are securely stored and transmitted is essential. One approach, as discussed in a related context, involves hashing the subscriberId with additional information like a timestamp to increase security (2) . For integrating Novu with Next.js, while there's no direct mention of authorization, an example demonstrates integrating Novu with a React-based app, which Next.js also utilizes (3) . This example, along with practices for securely handling subscriberIds, could serve as a starting point for building a secure notification system within your Next.js application. In summary, use unique, securely handled subscriberIds from your authentication system for targeting notifications. While the documents don't provide a Next.js-specific authorization guide, employin
Ask Inkeep
Ask Inkeep2mo ago
g secure ID handling practices and reviewing available integration examples can help create a secure setup.
Sources [1] Best way to handle SubscriberID and Auth0? [2] [NV-2391] [Security] notification center security [3] [NV-1519] Feature: Next.js + Novu Integration Example
Ask Inkeep
Ask Inkeep2mo ago
Got it. Tagging @Support for additional help.
onestyle
onestyle2mo ago
User Id could be leak in some way or another, I don't think allowing anyone to openly request any users' notification without any kind of authz
Solution
Tomer Barnea
Tomer Barnea2mo ago
Hey @onestyle check out this guide about React InApp, the section about HMAC is what you are looking for https://docs.novu.co/notification-center/client/react/get-started#hmac-encryption
Novu
React Get Started - Novu
Learn how to add novu powered In-App notification center to your React app
Tomer Barnea
Tomer Barnea2mo ago
This will allow you to secure the request with the server, and thus solve issues with feed being leaked to someone who hold the subscriber (user) id.
Want results from more Discord servers?
Add your server
More Posts
Novu Unsubscribe Link in E-MailAs of german or european law, emails should have a unsubscribe link within an email. Is it currentlyUpdate Mongo DB on Docker ContainerI need to upgrade novu and i read that is mandatory run migrations. how can i run migrations over search logic in get push notifications request and read/unread statusHello! I use API for get only push notifications via `/notifications` endpoint and have few questionUnable to get activity feedI am unable to get activity feed using this curl, even though I am having like 21k feed data. curlheadless fetchNotifications() overfetches on multiple callsI'm using the headless library to power a component that has 2 states, all notifications and unread novu issue@all i use self hosting in ubuntu server but we hit the my domain url/auth/login we are getting corInvites and Disabled User RegistrationHey, we had disabled user account creation to prevent users to create new accounts and use our systIn-app notification issuesHello, currently, I'm implementing Novu In-App notifications in my core PHP project. I've integratedis it normal to have about 10min delay to update in-App integration?How to use Subscribers custom data inside html template using HandlebarsHi team, I trying to send emails with some dynamic data, I want to use Subscribers custom data insid