pusher send_event going through without auth in laravel reverb project

I'm working on this project that, in short, has a real-time chat system implemented with laravel reverb. Everything with dispatching events on the laravel server is working fine and the events are received correctly on the client with echo.

The problem is when I try to handle sending messages in the front-end through the websocket connection. I'm following what joe dixon did in the laracon eu conference link. I'm using this script on the front-end.

Echo.connector.pusher.send_event(
'SendMessage',
JSON.stringify({ testKey: 'test value' }),
'Users.2.ChatList'
);


now even if this Users.{id}.ChatList is a private channel defined in channels.php and the user is not authenticated or connected to any channel, the event is still received on the backend as an event on that channel. There is no authorization happening!! This is how I'm receiving these frontend events on the backend in AppServiceProvider:

Event::listen(
MessageReceived::class,
TestListener::class
);


Any ideas how this should be handled? I want only users who are authenticated and connected to that for example "Users.2.ChatList" channel to be able to send such a message.

Continue reading...