DocumentationDocumentation
DocumentationFrameworkCommunityAPI Reference
Sign InSign Up

GitHubnovuhq/novu

36341

Production Setup for React

Learn how to prepare your React notification inbox for production deployment including HMAC encryption and security best practices.

HMAC Encryption

When Novu's user adds the Inbox to their application they are required to pass a subscriberId which identifies the user's end-customer, and the application Identifier which is acted as a public key to communicate with the notification feed API.

A malicious actor can access the user feed by accessing the API and passing another subscriberId using the public application identifier.

HMAC encryption will make sure that a subscriberId is encrypted using the secret API key, and those will prevent malicious actors from impersonating users.

Enabling HMAC Encryption

In order to enable Hash-Based Message Authentication Codes, you need to visit the admin panel In-App settings page and enable HMAC encryption for your environment.

  1. Next step would be to generate an HMAC encrypted subscriberId on your backend:
import { createHmac } from 'crypto';
 
const hmacHash = createHmac('sha256', process.env.NOVU_SECRET_KEY)
  .update(subscriberId)
  .digest('hex');
  1. Then pass the created HMAC to your client side application forward it to the component:
import { Inbox } from '@novu/react';
 
<Inbox
  applicationIdentifier="YOUR_APPLICATION_IDENTIFIER"
  subscriberId="YOUR_SUBSCRIBER_ID"
  subscriberHash="YOUR_SUBSCRIBER_ID_HASH_VALUE"
/>;

If HMAC encryption is active in In-App provider settings and subscriberHash along with subscriberId is not provided, then Inbox will not load

Edit on GitHub

Previous

Localization

Next

Hooks

On this page