We have been discussing the possibility of adding batch notifications
support to our SimplePush and UnifiedPush Server. The use case for this
would be when doing a selective send using a category, or a broadcast, and
instead of sending a number of individual HTTP PUT notifications, a single
HTTP PUT notification could be sent.
When sending a notification an endpoint that looks something like this is
used:
https://localhost:7777/update/7linbl5LD9XwCMDfwMeM4vLV8yIwY8Kem32lG2igDng...
The suggestion for sending batch notifications might work by sending an HTTP
PUT but only using:
https://localhost:7777/update
In this case the body of the PUT request must be valid JSON in the
following format:
{
  "version": "1",
  "pushEndpoints": [
    "R32EU3Ct3PuHpEJZbeFQH0JWt_ERUtC4fxox44isNINyWDwatnJ1l1thxQyI1M4-IGvwX3AexkaDiMKpeh3P327MeOm809f9LcCdLw562nOcxxMLmMrhNI4ey4TlQ1mi",
    "J_hIZkdLfKZpiwgpQ68QsPPlljnDGBbmPwAwGoe_6mE7ZBaKmebqf1mCDy_c9zII8CyaFC5t9BsGeUSU0nylToQgBKYdV4DFj3zdcpCMnxIHsSpX8Zx9DAjWCv7nfAJz"
  ]
}
The version is pretty much the same as when sending a normal notification
except that it is in JSON format instead of simply 'version=1'.
The pushEndpoints is an array of channel endpoints. The format of these
could be different for different SimplePush Server implementations so they
are simple strings and the server implementation will know how to interpret
them.
Since batch notifications are outside of the SimplePush specification this
would only work with our implementation and that will complicate things for
the clients, like the UnifiedPush Server for example. It would have to
distinguish between our SimplePush implementation and others.
Another issue that came up while discussing this is the question of whether
this opens the door to denial of service attacks, where an attacker could send
one batch notification with a long list of pushEndpoints to try to keep the
server busy. At the moment, for an attacker to do the same thing he/she
would have to send individual requests, which would be easier to notice and
defend against as there would be a high volume of HTTP traffic.
Thoughts?