If the user comes from different devices or browsers, our system does not know that it is the same user. There is, however, a special mechanism by which the system can link all sessions from different devices to one user and collect information about that user in one card.
The merging is based on the User ID parameter, which must be sent when the user registers or logs in. To set a User ID, call dashly.auth on the browser side with two arguments:
The first argument is the User ID.
The second argument is an HMAC-SHA256 hash. The message is the User ID and the key is the User Auth Key, which you can find in the admin panel (Settings - Developers).
The User ID does not have to be a number; strings of up to 255 characters are allowed, although a numeric identifier is recommended. This means you can use not only the user id from your system as the User ID, but also an email or phone number. The main thing is that two rules are fulfilled:
Important! If you see 403 errors in the browser console when sending dashly.auth, check your hash generation against this online generator.
<?php
// Runs on your backend, so the User Auth Key never reaches the browser
$userId = '...';                                               // the authorized user's id from your system
$hash   = hash_hmac('sha256', $userId, 'userauth-secret-key'); // key = your User Auth Key
echo "dashly.auth(" . json_encode((string) $userId) . ", " . json_encode($hash) . ");"; // json_encode quotes the values safely
?>
Thus your user never sees the secret key, and he will be assigned User ID = 2. This method can be called only once after authorization (relevant for a Single Page App), or it can be called multiple times (if you insert the code through the backend into each page shown to an authorized user, e.g. via PHP); both are fine.
Since we collect emails from any field, an attacker can enter another user's email. This way he can easily pass as any other person, read that person's messages and perform actions on their behalf.
Example. If you write your backend in PHP (for example) and simply emit
dashly.auth(<?php echo $userID ?>);
then in the browser it would look something like
dashly.auth(1234);
An intruder who sees that you are sending UserId = 1234 can open the console and start trying other values (he can type
dashly.auth(1235), for example, and thereby pretend to be the user with UserId = 1235).
Thus he easily impersonates any other person, can read that person's messages and generate events on their behalf.
If the hash is added, the secret key from which it is calculated is known only to your backend (whose source code the attacker cannot see) and to dashly. When you call the auth method, dashly, knowing the UserID and the secret key, calculates the hash itself and checks whether the calculated hash matches the one that was sent.
If it does not match, the request is rejected and the merge does not take place.
At the moment the REST API cannot be used to merge users. We are working on it, and such functionality may appear in the future.