top | item 26041135


hashamali | 5 years ago

Quick question regarding frontend integration. I see that you can embed a widget that requires an API key and the currently authenticated user's email. Does this mean that if I'm a malicious user, and I edited my local JavaScript to swap the email with another user's email, I could view the other user's notifications?


unamashana | 5 years ago

There are two ways to handle that. One is to use your external ID, if they are UUIDs or something random. That's security by obscurity.

The other (and better way) is to initialize the embed with an HMAC generated on your backend using the API Secret. You can do this with both email and external_id - https://developer.magicbell.io/docs/turn-on-hmac-authenticat....

thrwaway2020aug | 5 years ago

Hello! Great product and congrats on the launch!

I wanted to pile on a little bit here and say this paragraph isn't really comforting to me:

> While unlikely to happen, it is possible for a savvy user to open their browser's developer console, obtain your MagicBell project's API key from your website's source, initialize the widget on their own website with your API key but with a different user's email (if it's feasible for them to guess one) and start viewing notifications of that user.

I suspect this was done for developer experience reasons? You seem to know it's not secure to pass in an email directly, especially if anything sensitive is coming across in notifications.

For me at least, allowing the non-HMAC configuration makes me wonder what other security corners have been cut. I'd rather that option didn't exist and the company took a more security-forward stance.