Sending User ID (in protected mode).

dashly.auth('5231', '49672bf861335d68040fedb25c90a580dd33c6748dc82d8fe76d508ebcef2b4b');
Argument    Description
userId      required, User ID
hash        required, hash

If auth is used, identify should be called after auth.

If your site has registration / authorization, we strongly recommend that you send us the User ID. We use the User ID to merge users from different devices.

The second argument is a hash calculated with HMAC SHA 256. The message being hashed is the User ID, and the key is the User Auth Key, which you can find in the admin panel. You can check the validity of the hash generation in this online generator. It is important to understand that security rests on the secrecy of this key (a shared-secret system), so the key must never be used on the browser side (JavaScript); the hash must be generated only on the server side. If the key is no longer secret, unscrupulous users will be able to read other people's messages or perform events on someone else's behalf.


Example of PHP hash generation:

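$userId = '...';
// Runs on the server only; the User Auth Key must never be sent to the browser.
$hash = hash_hmac('sha256', $userId, 'userauth-secret-key');
// json_encode() quotes and escapes the User ID for use inside JavaScript.
echo 'dashly.auth(' . json_encode($userId) . ", '$hash');";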

Thus, your user never sees the secret key, and he will be assigned User ID = 2.

This method can be called only once after authorization (relevant for a Single Page App), or it can be called multiple times (for example, if the backend, e.g. PHP, inserts the code into each page while the user is authorized). Both are OK.

How to choose a correct User ID?

There are two rules:

  • User ID must be unique for each user.
  • User ID cannot be changed during the user’s lifetime. For example, email should not be used as User ID if a user can change their email.

User ID does not have to be a number, strings of up to 255 characters are allowed. It is recommended that you use a numeric identifier.

Why go to all this trouble with HMAC?

Example. If you’re writing a backend in PHP (for example) and you simply write dashly.auth(<?php echo $userID ?>); then in the browser it would look something like dashly.auth(1234); An intruder who sees that you are sending UserId = 1234 can open the console and start trying other values (he can type dashly.auth(1235), for example, and so pretend to be the user with UserId = 1235). Thus, he easily impersonates any other person, can read his messages and make events on his behalf.

If a hash is added, the secret key with which the hash is calculated is known only to your backend (whose source code is unknown to the attacker) and to dashly. When you call the auth method, dashly, knowing the UserID and the secret key, calculates the hash itself. Then it checks whether this calculated hash matches what was sent. If it does not match, the request is rejected and the users are not merged.
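
The check described above, modelled in Node.js as an added example (not Dashly's own code and not part of the original page). The function names, the sample key and the constant-time comparison are assumptions made for illustration; only the HMAC SHA 256 over the User ID comes from the page.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// Constructed sample key. The real User Auth Key comes from the admin panel
// and must exist only in server-side configuration.
const USER_AUTH_KEY = 'example-user-auth-key';

// Backend side: HMAC-SHA256 over the User ID, hex-encoded
// (same output as PHP's hash_hmac('sha256', $userId, $key)).
function signUserId(userId, key) {
  return createHmac('sha256', key).update(String(userId), 'utf8').digest('hex');
}

// Model of the receiving side's check: recompute the hash from the User ID
// and compare in constant time. Malformed input is rejected before comparing,
// because timingSafeEqual throws on buffers of different length.
function verifyAuth(userId, hash, key) {
  if (typeof hash !== 'string' || !/^[0-9a-f]{64}$/i.test(hash)) return false;
  const expected = Buffer.from(signUserId(userId, key), 'hex');
  return timingSafeEqual(expected, Buffer.from(hash, 'hex'));
}

// Backend side: build the snippet sent to the browser. JSON.stringify quotes
// the values; "<" is escaped so a string User ID cannot close a <script> tag.
function renderAuthCall(userId, key) {
  const lit = (s) => JSON.stringify(String(s)).replace(/</g, '\\u003c');
  return `dashly.auth(${lit(userId)}, ${lit(signUserId(userId, key))});`;
}

// A hash issued for user 1234 authenticates 1234 only.
function demo() {
  const hash = signUserId('1234', USER_AUTH_KEY);
  return {
    genuine: verifyAuth('1234', hash, USER_AUTH_KEY),    // matching ID and hash
    swappedId: verifyAuth('1235', hash, USER_AUTH_KEY),  // ID changed in the console
    missingHash: verifyAuth('1235', undefined, USER_AUTH_KEY),
  };
}

console.log(demo());
```

Because the hash is bound to one User ID, changing only the ID in the browser yields a mismatch, and without the key a matching hash cannot be produced.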