[aerogear-dev] [simplepush] Batch notifications

Sebastien Blanc scm.blanc at gmail.com
Tue Sep 17 02:39:01 EDT 2013


On Tue, Sep 17, 2013 at 7:48 AM, Daniel Bevenius
<daniel.bevenius at gmail.com> wrote:

> We have been discussing the possibility of adding batch notifications
> support to our SimplePush and UnifiedPush Server. The use case for this
> would be when doing a selective send using a category, or a broadcast, and
> instead of sending a number of individual HTTP PUT notifications, a single
> HTTP PUT notification could be sent.
>

That's a good idea. When I first started playing with SPS I thought sending
PUTs was working this way, so for me it's a quite natural "enhancement".

>
> When sending a notification an endpoint that looks something like this is
> used:
>
> https://localhost:7777/update/7linbl5LD9XwCMDfwMeM4vLV8yIwY8Kem32lG2igDngQBqkVPG9u179gpu_y7sxWXvPXpN3-CmLwRpXbJtWAig
>
> The suggestion for sending batch notifications might work by sending a
> HTTP PUT but only using:
> https://localhost:7777/update
> In this case the body of the PUT request must be a valid json in the
> following format:
> {
>   "version":"1",
>   "pushEndpoints":["R32EU3Ct3PuHpEJZbeFQH0JWt_ERUtC4fxox44isNINyWDwatnJ1l1thxQyI1M4-IGvwX3AexkaDiMKpeh3P327MeOm809f9LcCdLw562nOcxxMLmMrhNI4ey4TlQ1mi",
>                    "J_hIZkdLfKZpiwgpQ68QsPPlljnDGBbmPwAwGoe_6mE7ZBaKmebqf1mCDy_c9zII8CyaFC5t9BsGeUSU0nylToQgBKYdV4DFj3zdcpCMnxIHsSpX8Zx9DAjWCv7nfAJz"]
> }
> The version is pretty much the same as when sending a normal notification
> except that it is in json format instead of simply 'version=1'.
> The pushEndpoints is an array of channel endpoints. The format of these
> could be different for different SimplePush Server implementations so they
> are simple strings and the server implementation will know how to interpret
> them.
>
> Since batch notifications are outside of the SimplePush specification this
> would only work with our implementation and that will complicate things for
> the clients, like the UnifiedPush Server for example. It would have to
> distinguish between our SimplePush implementation and others.
>

Is that something in which we could contribute back to Mozilla or at least
discuss with us if this could be added to the specs?

>
> Another issue that came up while discussing this is the question if this
> opens up for denial of service attacks where an attacker could send one
> batch notification with a long list of pushEndpoints to try to keep the
> server busy. At the moment, for an attacker to do the same thing he/she
> would have to send individual requests which would be easier to notice and
> defend against as there would be a high volume of HTTP traffic.
>
Should be nice if we had a security expert in the team ... oh wait ... ;)

>
> Thoughts?
>
>
>
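As an added illustration of the denial-of-service concern raised above (not code from this thread or from the AeroGear project), the sketch below bounds the work a single batch PUT to /update can cause before any notification is dispatched. The limits, the `BatchRejected` exception and the `parse_batch_update` name are assumptions; the proposal itself defines only the `version` and `pushEndpoints` fields.

```python
import json

# Assumed limits (the thread proposes none); tune per deployment.
MAX_BODY_BYTES = 64 * 1024
MAX_ENDPOINTS = 500
MAX_ENDPOINT_LEN = 256


class BatchRejected(Exception):
    """Hypothetical error type carrying the HTTP status to answer with."""
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def parse_batch_update(raw: bytes):
    """Validate a batch PUT body; return (version, unique endpoints)."""
    # Check size before parsing so an oversized body costs no JSON work.
    if len(raw) > MAX_BODY_BYTES:
        raise BatchRejected(413, "body too large")
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (ValueError, RecursionError):
        # ValueError covers bad UTF-8 and bad JSON; deep nesting can recurse.
        raise BatchRejected(400, "body is not valid JSON")
    if not isinstance(doc, dict):
        raise BatchRejected(400, "body must be a JSON object")

    version = doc.get("version")
    if not (isinstance(version, str) and version.isascii()
            and version.isdigit() and len(version) <= 18):
        raise BatchRejected(400, "version must be a numeric string")

    endpoints = doc.get("pushEndpoints")
    if not isinstance(endpoints, list) or not endpoints:
        raise BatchRejected(400, "pushEndpoints must be a non-empty array")
    # Cap fan-out: one request triggers at most MAX_ENDPOINTS deliveries.
    if len(endpoints) > MAX_ENDPOINTS:
        raise BatchRejected(413, "too many pushEndpoints")

    unique, seen = [], set()
    for ep in endpoints:
        # Endpoints stay opaque strings, as proposed; check type and length.
        if not isinstance(ep, str) or not 0 < len(ep) <= MAX_ENDPOINT_LEN:
            raise BatchRejected(400, "invalid push endpoint")
        if ep not in seen:  # repeated entries must not multiply the work
            seen.add(ep)
            unique.append(ep)
    return int(version), unique
```

With a per-request cap in place, per-client rate limiting on /update still sees one request per bounded unit of work, which keeps the high-volume signal mentioned in the thread.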