Authorization | Socket Conveyor

Authorization depends on the protocol mode. Native Conveyor mode uses Conveyor tokens. Pusher protocol mode uses Laravel's normal broadcasting authorization.

Native server token

Set Constants::WEBSOCKET_SERVER_TOKEN when starting the server:

1<?php
2
3use Conveyor\Constants;
4use Conveyor\ConveyorServer;
5
6require __DIR__ . '/vendor/autoload.php';
7
8(new ConveyorServer())
9    ->port(8989)
10    ->conveyorOptions([
11        Constants::WEBSOCKET_SERVER_TOKEN => 'local-server-token',
12    ])
13    ->start();

Native clients must include the token during the WebSocket handshake:

1ws://127.0.0.1:8989?token=local-server-token

fanout-action also requires auth with the server token.

Native temporary channel tokens

Create a temporary token for one channel:

1curl -X POST "http://127.0.0.1:8989/conveyor/auth?token=local-server-token" \
2  -H "Content-Type: application/json" \
3  -d '{"channel":"orders.1"}'

Response:

1{
2  "auth": "temporary-token"
3}

Use that value in channel-connect:

1{
2  "action": "channel-connect",
3  "channel": "orders.1",
4  "auth": "temporary-token"
5}

Temporary channel tokens are consumed after use.

Laravel Echo authorization

In Pusher protocol mode (see Pusher Protocol), Conveyor validates Pusher channel signatures, but Laravel still owns user authorization.

Public channels need no auth:

1window.Echo.channel('orders')

Private channels call Laravel's /broadcasting/auth:

1window.Echo.private('orders.1')

Presence channels also call Laravel's /broadcasting/auth and require you to return identifying user data (not just a boolean).

See Presence for the full presence API with Echo (here, joining, leaving, whispers) plus authorization examples.

Configure Echo so the WebSocket host points at Conveyor, while authEndpoint points at the Laravel HTTP app:

1window.Echo = new Echo({
2  broadcaster: 'reverb',
3  key: import.meta.env.VITE_REVERB_APP_KEY,
4  wsHost: import.meta.env.VITE_REVERB_HOST,
5  wsPort: import.meta.env.VITE_REVERB_PORT,
6  wssPort: import.meta.env.VITE_REVERB_PORT,
7  forceTLS: import.meta.env.VITE_REVERB_SCHEME === 'https',
8  enabledTransports: ['ws', 'wss'],
9  authEndpoint: `${import.meta.env.VITE_LARAVEL_URL}/broadcasting/auth`,
10  auth: {
11    withCredentials: true,
12  },
13})

Your channel callbacks stay in Laravel:

1use Illuminate\Support\Facades\Broadcast;
2
3Broadcast::channel('orders.{orderId}', function ($user, int $orderId) {
4    return true;
5});
6
7Broadcast::channel('room.{roomId}', function ($user, int $roomId) {
8    return [
9        'id' => $user->id,
10        'name' => $user->name,
11    ];
12});

If the browser posts to a frontend dev server such as http://localhost:8081/broadcasting/auth, the client is pointed at the wrong app. The auth request must reach Laravel.