Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Pusher Channels JavaScript library for browsers, React Native, NodeJS and web workers
The pusher-js npm package is a JavaScript library for integrating real-time functionality into web and mobile applications. It allows developers to subscribe to channels and bind to events to receive real-time updates, making it ideal for applications that require live data feeds, notifications, and interactive features.
Real-time Event Subscription
This feature allows you to subscribe to a channel and bind to specific events to receive real-time updates. The code sample demonstrates how to initialize Pusher, subscribe to a channel, and bind to an event to log received data.
const Pusher = require('pusher-js');
const pusher = new Pusher('YOUR_APP_KEY', {
cluster: 'YOUR_APP_CLUSTER'
});
const channel = pusher.subscribe('my-channel');
channel.bind('my-event', function(data) {
console.log('Received data:', data);
});
Presence Channels
Presence channels build on the functionality of public channels by allowing you to keep track of who is subscribed to the channel. The code sample shows how to subscribe to a presence channel and bind to events for when members are added or removed.
const Pusher = require('pusher-js');
const pusher = new Pusher('YOUR_APP_KEY', {
cluster: 'YOUR_APP_CLUSTER'
});
const presenceChannel = pusher.subscribe('presence-my-channel');
presenceChannel.bind('pusher:subscription_succeeded', function(members) {
console.log('Members:', members);
});
presenceChannel.bind('pusher:member_added', function(member) {
console.log('Member added:', member);
});
presenceChannel.bind('pusher:member_removed', function(member) {
console.log('Member removed:', member);
});
Private Channels
Private channels provide an extra layer of security by requiring authentication before subscribing. The code sample demonstrates how to subscribe to a private channel and bind to an event to log received data.
const Pusher = require('pusher-js');
const pusher = new Pusher('YOUR_APP_KEY', {
cluster: 'YOUR_APP_CLUSTER',
authEndpoint: '/pusher/auth'
});
const privateChannel = pusher.subscribe('private-my-channel');
privateChannel.bind('my-event', function(data) {
console.log('Received data:', data);
});
Socket.IO is a popular library for real-time web applications. It enables real-time, bidirectional, and event-based communication between web clients and servers. Unlike pusher-js, which is a hosted service, Socket.IO can be self-hosted, giving developers more control over their infrastructure.
Ably is a real-time messaging service that offers pub/sub messaging, presence, and push notifications. It provides similar functionalities to pusher-js but also includes additional features like message history and token-based authentication. Ably is known for its reliability and extensive feature set.
PubNub is a real-time communication platform that offers a wide range of features including pub/sub messaging, presence, and mobile push notifications. It is similar to pusher-js in terms of real-time capabilities but also provides additional features like data stream storage and serverless functions.
This Pusher Channels client library supports web browsers, web workers, Node.js and React Native.
If you're looking for the Pusher Channels server library for Node.js, use pusher-http-node instead.
For tutorials and more in-depth information about Pusher Channels, visit our official docs.
The following topics are covered:
Web
We test against Chrome, Firefox and Safari.
Works with all major web frameworks, including
If you're using Pusher Channels on a web page, you can install the library via:
The encryption primitives required to power encrypted channels increase the bundle size quite significantly. In order to keep bundle sizes down, the default web and worker builds of pusher-js no longer support encrypted channels.
If you'd like to make use of encrypted-channels, you need to import the
with-encryption
builds as described below.
You can use any NPM-compatible package manager, including NPM itself and Yarn.
yarn add pusher-js
Then:
import Pusher from 'pusher-js';
If you'd like to use encrypted channels:
import Pusher from 'pusher-js/with-encryption';
Or, if you're not using ES6 modules:
const Pusher = require('pusher-js');
If you'd like to use encrypted channels:
const Pusher = require('pusher-js/with-encryption');
<script src="https://js.pusher.com/7.0/pusher.min.js"></script>
If you'd like to use encrypted channels:
<script src="https://js.pusher.com/7.0/pusher-with-encryption.min.js"></script>
You can also use cdnjs.com if you prefer or as a fallback.
Or via Bower:
bower install pusher
and then:
<script src="bower_components/pusher/dist/web/pusher.min.js"></script>
We've provided typescript declarations since v5.1.0. Most things should work out of the box but if you need access to specific types you can import them like so:
import Pusher from 'pusher-js';
import * as PusherTypes from 'pusher-js';
var presenceChannel: PusherTypes.PresenceChannel;
...
Warning it's now necessary to install @react-native-community/netinfo in order to use pusher-js with react-native. pusher-js depends on NetInfo. NetInfo. NetInfo was included within react-native core until v0.60, when it was moved to the @react-native-community/netinfo library. Please follow the install instructions for the @react-native-community/netinfo library before trying to use pusher-js in your react-native project.
Use a package manager like Yarn or NPM to install pusher-js
and then import
it as follows:
import Pusher from 'pusher-js/react-native';
Notes:
(pusher-js
's Web Workers implementation is currently not compatible with Internet Explorer)
You can import the worker script (pusher.worker.js
, not pusher.js
) from the CDN:
importScripts('https://js.pusher.com/7.0/pusher.worker.min.js');
If you'd like to use encrypted channels:
importScripts('https://js.pusher.com/7.0/pusher-with-encryption.worker.min.js');
If you're building your worker with a bundler, you can import the worker entrypoint
import Pusher from 'pusher-js/worker'
If you'd like to use encrypted channels:
import Pusher from 'pusher-js/worker/with-encryption'
Having installed pusher-js
via an NPM-compatible package manager, run:
import Pusher from 'pusher-js';
Notes:
WebWorkers
, this build will use HTTP as a fallback.ServiceWorkers
, as the XMLHttpRequest
API is unavailable, there is currently no support for HTTP fallbacks. However, we are open to requests for fallbacks using fetch
if there is demand.const pusher = new Pusher(APP_KEY, {
cluster: APP_CLUSTER,
});
You can get your APP_KEY
and APP_CLUSTER
from the Pusher Channels dashboard.
There are a number of configuration parameters which can be set for the client, which can be passed as an object to the Pusher constructor, i.e.:
const pusher = new Pusher(APP_KEY, {
cluster: APP_CLUSTER,
authEndpoint: 'http://example.com/pusher/auth'
});
For most users, there is little need to change these. See client API guide for more details.
forceTLS
(Boolean)Forces the connection to use TLS. When set to false
the library will attempt non-TLS connections first. Defaults to true
.
userAuthentication
(Object)Object containing the configuration for user authentication. Valid keys are:
endpoint
(String) - Endpoint on your server that will return the authentication signature needed for signing the user in. Defaults to /pusher/user-auth
.
transport
(String) - Defines how the authentication endpoint will be called. There are two options available:
ajax
- the default option where an XMLHttpRequest
object will be used to make a request. The parameters will be passed as POST
parameters.jsonp
- The authentication endpoint will be called by a <script>
tag being dynamically created pointing to the endpoint defined by userAuthentication.endpoint
. This can be used when the authentication endpoint is on a different domain to the web application. The endpoint will therefore be requested as a GET
and parameters passed in the query string.params
(Object) - Additional parameters to be sent when the user authentication endpoint is called. When using ajax authentication the parameters are passed as additional POST parameters. When using jsonp authentication the parameters are passed as GET parameters. This can be useful with web application frameworks that guard against CSRF (Cross-site request forgery).
headers
(Object) - Only applied when using ajax
as authentication transport. Provides the ability to pass additional HTTP Headers to the user authentication endpoint. This can be useful with some web application frameworks that guard against CSRF CSRF (Cross-site request forgery).
customHandler
(Function) - When present, this function is called instead of a request being made to the endpoint specified by userAuthentication.endpoint
.
For more information see authenticating users.
channelAuthorization
(Object)Object containing the configuration for user authorization. Valid keys are:
endpoint
(String) - Endpoint on your server that will return the authorization signature needed for private and presence channels. Defaults to /pusher/user-auth
.
transport
(String) - Defines how the authorization endpoint will be called. There are two options available:
ajax
- the default option where an XMLHttpRequest
object will be used to make a request. The parameters will be passed as POST
parameters.jsonp
- The authorization endpoint will be called by a <script>
tag being dynamically created pointing to the endpoint defined by channelAuthorization.endpoint
. This can be used when the authorization endpoint is on a different domain to the web application. The endpoint will therefore be requested as a GET
and parameters passed in the query string.params
(Object) - Additional parameters to be sent when the channel authorization endpoint is called. When using ajax authorization the parameters are passed as additional POST parameters. When using jsonp authorization the parameters are passed as GET parameters. This can be useful with web application frameworks that guard against CSRF (Cross-site request forgery).
headers
(Object) - Only applied when using ajax
as authorizing transport. Provides the ability to pass additional HTTP Headers to the user authorization endpoint. This can be useful with some web application frameworks that guard against CSRF CSRF (Cross-site request forgery).
customHandler
(Function) - When present, this function is called instead of a request being made to the endpoint specified by channelAuthorization.endpoint
.
For more information see authorizing users.
cluster
(String)Specifies the cluster that pusher-js should connect to. If you'd like to see a full list of our clusters, click here. If you do not specify a cluster, mt1
will be used by default.
const pusher = new Pusher(APP_KEY, {
cluster: APP_CLUSTER,
});
disableStats
(deprecated) (Boolean)Disables stats collection, so that connection metrics are not submitted to Pusher’s servers. These stats are used for internal monitoring only and they do not affect the account stats. This option is deprecated since stats collection is now disabled by default
enableStats
(Boolean)Enables stats collection, so that connection metrics are submitted to Pusher’s servers. These stats can help pusher engineers debug connection issues.
enabledTransports
(Array)Specifies which transports should be used by pusher-js to establish a connection. Useful for applications running in controlled, well-behaving environments. Available transports for web: ws
, wss
, xhr_streaming
, xhr_polling
, sockjs
. If you specify your transports in this way, you may miss out on new transports we add in the future.
// Only use WebSockets
const pusher = new Pusher(APP_KEY, {
cluster: APP_CLUSTER,
enabledTransports: ['ws']
});
Note: if you intend to use secure websockets, or wss
, you can not simply specify wss
in enabledTransports
, you must specify ws
in enabledTransports
as well as set the forceTLS
option to true
.
// Only use secure WebSockets
const pusher = new Pusher(APP_KEY, {
cluster: APP_CLUSTER,
enabledTransports: ['ws'],
forceTLS: true
});
disabledTransports
(Array)Specifies which transports must not be used by pusher-js to establish a connection. This settings overwrites transports whitelisted via the enabledTransports
options. Available transports for web: ws
, wss
, xhr_streaming
, xhr_polling
, sockjs
. This is a whitelist, so any new transports we introduce in the future will be used until you explicitly add them to this list.
// Use all transports except for sockjs
const pusher = new Pusher(APP_KEY, {
cluster: APP_CLUSTER,
disabledTransports: ['sockjs']
});
// Only use WebSockets
const pusher = new Pusher(APP_KEY, {
cluster: APP_CLUSTER,
enabledTransports: ['ws', 'xhr_streaming'],
disabledTransports: ['xhr_streaming']
});
wsHost
, wsPort
, wssPort
, httpHost
, httpPort
, httpsPort
These can be changed to point to alternative Pusher Channels URLs (used internally for our staging server).
wsPath
Useful in special scenarios if you're using the library against an endpoint you control yourself. This is used internally for testing.
ignoreNullOrigin
(Boolean)Ignores null origin checks for HTTP fallbacks. Use with care, it should be disabled only if necessary (i.e. PhoneGap).
activityTimeout
(Integer)If there is no activity for this length of time (in milliseconds), the client will ping the server to check if the connection is still working. The default value is set by the server. Setting this value to be too low will result in unnecessary traffic.
pongTimeout
(Integer)Time before the connection is terminated after a ping is sent to the server. Default is 30000 (30s). Low values will cause false disconnections, if latency is high.
Pusher.logToConsole
(Boolean)Enables logging to the browser console via calls to console.log
.
Pusher.log
(Function)Assign a custom log handler for the pusher-js library logging. For example:
Pusher.log = (msg) => {
console.log(msg);
};
By setting the log
property you also override the use of Pusher.enableLogging
.
A connection to Pusher Channels is established by providing your APP_KEY
and APP_CLUSTER
to the constructor function:
const pusher = new Pusher(APP_KEY, {
cluster: APP_CLUSTER,
});
This returns a pusher object which can then be used to subscribe to channels.
One reason this connection might fail is your account being over its' limits. You can detect this in the client by binding to the error
event on the pusher.connection
object. For example:
const pusher = new Pusher('app_key');
pusher.connection.bind( 'error', function( err ) {
if( err.error.data.code === 4004 ) {
log('Over limit!');
}
});
You may disconnect again by invoking the disconnect
method:
pusher.disconnect();
The connection can be in any one of these states.
State | Note |
---|---|
initialized | Initial state. No event is emitted in this state. |
connecting | All dependencies have been loaded and Channels is trying to connect. The connection will also enter this state when it is trying to reconnect after a connection failure. |
connected | The connection to Channels is open and authenticated with your app. |
unavailable | The connection is temporarily unavailable. In most cases this means that there is no internet connection. It could also mean that Channels is down |
failed | Channels is not supported by the browser. This implies that WebSockets are not natively available and an HTTP-based transport could not be found. |
disconnected | The Channels connection was previously connected and has now intentionally been closed. |
Making a connection provides the client with a new socket_id
that is assigned by the server. This can be used to distinguish the client's own events. A change of state might otherwise be duplicated in the client. More information on this pattern is available here.
It is also stored within the socket, and used as a token for generating signatures for private channels.
The default method for subscribing to a channel involves invoking the subscribe
method of your pusher object:
const channel = pusher.subscribe('my-channel');
This returns a Channel object which events can be bound to.
Private channels are created in exactly the same way as normal channels, except that they reside in the 'private-' namespace. This means prefixing the channel name:
const channel = pusher.subscribe('private-my-channel');
Like private channels, encrypted channels have their own namespace, 'private-encrypted-'. For more information about encrypted channels, please see the docs.
const channel = pusher.subscribe('private-encrypted-my-channel');
It is possible to access channels by name, through the channel
function:
const channel = pusher.channel('private-my-channel');
It is possible to access all subscribed channels through the allChannels
function:
pusher.allChannels().forEach(channel => console.log(channel.name));
Private, presence and encrypted channels will make a request to your authEndpoint
(/pusher/auth
) by default, where you will have to authenticate the subscription. You will have to send back the correct auth response and a 200 status code.
To unsubscribe from a channel, invoke the unsubscribe
method of your pusher object:
pusher.unsubscribe('my-channel');
Unsubscribing from private channels is done in exactly the same way, just with the additional private-
prefix:
pusher.unsubscribe('private-my-channel');
Event binding takes a very similar form to the way events are handled in jQuery. You can use the following methods either on a channel object, to bind to events on a particular channel; or on the pusher object, to bind to events on all subscribed channels simultaneously.
bind
and unbind
Binding to "new-message" on channel: The following logs message data to the console when "new-message" is received
channel.bind('new-message', function (data) {
console.log(data.message);
});
We can also provide the this
value when calling a handler as a third optional parameter. The following logs "hi Pusher" when "my-event" is fired.
channel.bind('my-event', function () {
console.log(`hi ${this.name}`);
}, { name: 'Pusher' });
For client-events on presence channels, bound callbacks will be called with an additional argument. This argument is an object containing the user_id
of the user who triggered the event
presenceChannel.bind('client-message', function (data, metadata) {
console.log('received data from', metadata.user_id, ':', data);
});
Unsubscribe behaviour varies depending on which parameters you provide it with. For example:
// Remove just `handler` for the `new-comment` event
channel.unbind('new-comment', handler);
// Remove all handlers for the `new-comment` event
channel.unbind('new-comment');
// Remove `handler` for all events
channel.unbind(null, handler);
// Remove all handlers for `context`
channel.unbind(null, null, context);
// Remove all handlers on `channel`
channel.unbind();
bind_global
and unbind_global
bind_global
and unbind_global
work much like bind
and unbind
, but instead of only firing callbacks on a specific event, they fire callbacks on any event, and provide that event along to the handler along with the event data. For example:
channel.bind_global(function (event, data) {
console.log(`The event ${event} was triggered with data ${data}`);
})
unbind_global
works similarly to unbind
.
// remove just `handler` from global bindings
channel.unbind_global(handler);
// remove all global bindings
channel.unbind_global();
unbind_all
The unbind_all
method is equivalent to calling unbind()
and unbind_global()
together; it removes all bindings, global and event specific.
It's possible to trigger client events using the trigger
method on an instance of the Channel
class.
A few gotchas to consider when using client events:
https://dashboard.pusher.com/apps/$YOUR_APP_ID/settings
client-
channel.trigger('client-my-event', {message: 'Hello, world!'})
Currently, pusher-js itself does not support authenticating multiple channels in one HTTP request. However, thanks to @dirkbonhomme you can use the pusher-js-auth plugin that buffers subscription requests and sends auth requests to your endpoint in batches.
There are a number of events which are used internally, but can also be of use elsewhere, for instance subscribe
. There is also a state_change
event - which fires whenever there is a state change. You can use it like this:
pusher.connection.bind('state_change', function(states) {
// states = {previous: 'oldState', current: 'newState'}
$('div#status').text("Channels current state is " + states.current);
});
To listen for when you connect to Pusher Channels:
pusher.connection.bind('connected', callback);
And to bind to disconnections:
pusher.connection.bind('disconnected', callback);
You can host JavaScript files yourself, but it's a bit more complicated than putting them somewhere and just linking pusher.js
in the source of your website. Because pusher-js loads fallback files dynamically, the dependency loader must be configured correctly or it will be using js.pusher.com
.
First, clone this repository and run npm install && git submodule init && git submodule update
. Then run:
$ CDN_HTTP='http://your.http.url' CDN_HTTPS='https://your.https.url' make web
In the dist/web
folder, you should see the files you need: pusher.js
, pusher.min.js
, json2.js
, json.min.js
, sockjs.js
and sockjs.min.js
. pusher.js
should be built referencing your URLs as the dependency hosts.
First, make sure you expose all files from the dist
directory. They need to be in a directory with named after the version number. For example, if you're hosting version 7.0.0 under http://example.com/pusher-js
(and https for SSL), files should be accessible under following URL's:
http://example.com/pusher-js/7.0.0/pusher.js
http://example.com/pusher-js/7.0.0/json2.js
http://example.com/pusher-js/7.0.0/sockjs.js
Minified files should have .min
in their names, as in the dist/web
directory:
http://example.com/pusher-js/7.0.0/pusher.min.js
http://example.com/pusher-js/7.0.0/json2.min.js
http://example.com/pusher-js/7.0.0/sockjs.min.js
Most browsers have a limit of 6 simultaneous connections to a single domain, but Internet Explorer 6 and 7 have a limit of just 2. This means that you can only use a single Pusher Channels connection in these browsers, because SockJS requires an HTTP connection for incoming data and another one for sending. Opening the second connection will break the first one as the client won't be able to respond to ping messages and get disconnected eventually.
All other browsers work fine with two or three connections.
Install all dependencies via Yarn:
yarn install
Run a development server which serves bundled javascript from http://localhost:5555/pusher.js so that you can edit files in /src freely.
make serve
You can optionally pass a PORT
environment variable to run the server on a different port. You can also pass CDN_HTTP
and CDN_HTTPS
variables if you wish the library to load dependencies from a new host.
This command will serve pusher.js
, sockjs.js
, json2.js
, and their respective minified versions.
New to pusher-js 3.1 is the ability for the library to produce builds for different runtimes: classic web, React Native, NodeJS and Web Workers.
In order for this to happen, we have split the library into two directories: core/
and runtimes/
. In core
we keep anything that is platform-independent. In runtimes
we keep code that depends on certain runtimes.
Throughout the core/
directory you'll find this line:
import Runtime from "runtime";
We use webpack module resolution to make the library look for different versions of this module depending on the build.
For web it will look for src/runtimes/web/runtime.ts
. For ReactNative, src/runtimes/react-native/runtime.ts
. For Node: src/runtimes/node/runtime.ts
. For worker: src/runtimes/worker/runtime.ts
.
Each of these runtime files exports an object (conforming to the interface you can see in src/runtimes/interface.ts
) that abstracts away everything platform-specific. The core library pulls this object in without any knowledge of how it implements it. This means web build can use the DOM underneath, the ReactNative build can use its native NetInfo API, Workers can use fetch
and so on.
In order to build SockJS, you must first initialize and update the Git submodule:
git submodule init
git submodule update
Then run:
make web
This will build the source files relevant for the web build into dist/web
.
In order to specify the library version, you can either update package.json
or pass a VERSION
environment variable upon building.
Other build commands include:
make react-native # for the React Native build
make node # for the NodeJS build
make worker # for the worker build
Each test environment contains two types of tests:
Unit tests are simple, fast and don't need any external dependencies. Integration tests usually connect to production and js-integration-api servers and can use a local server for loading JS files, so they need an Internet connection to work.
There are 3 different testing environments: one for web, one for NodeJS and one for workers. We may consider adding another one for React Native in the future.
The web and worker tests use Karma to execute specs in real browsers. The NodeJS tests use jasmine-node.
To run the tests:
# For web
make web_unit
make web_integration
# For NodeJS
make node_unit
make node_integration
# For workers
make worker_unit
make worker_integration
If you want your Karma tests to automatically reload, then in spec/karma/config.common.js
set singleRun
to false
.
FAQs
Pusher Channels JavaScript library for browsers, React Native, NodeJS and web workers
We found that pusher-js demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.