We have been discussing the possibility of adding batch notifications support to our SimplePush and UnifiedPush Server. The use case for this would be when doing a selective send using a category, or a broadcast, and instead of sending a number of individual HTTP PUT notifications, a single HTTP PUT notification could be sent.
When sending a notification an endpoint that looks something like this is used:
The suggestion for sending batch notifications might work by sending a HTTP PUT but only using:
In this case the body of the PUT request must be a valid json in the following format:
{
"version":"1",
"pushEndpoints":["R32EU3Ct3PuHpEJZbeFQH0JWt_ERUtC4fxox44isNINyWDwatnJ1l1thxQyI1M4-IGvwX3AexkaDiMKpeh3P327MeOm809f9LcCdLw562nOcxxMLmMrhNI4ey4TlQ1mi",
"J_hIZkdLfKZpiwgpQ68QsPPlljnDGBbmPwAwGoe_6mE7ZBaKmebqf1mCDy_c9zII8CyaFC5t9BsGeUSU0nylToQgBKYdV4DFj3zdcpCMnxIHsSpX8Zx9DAjWCv7nfAJz"]
}
The version is pretty much the same as when sending a normal notification except that it is in json format instead of simply 'version=1'.
The pushEndpoints is an array of channel endpoints. The format of these could be different for different SimplePush Server implementations so they are simple strings and the server implementation will know how to interpret them.
Since batch notifications are outside of the SimplePush specification this would only work with our implementation and that will complicate things for the clients, like the UnifiedPush Server for example. It would have to distinguish between our SImplePush implementation and others.
Another issue that came up while discussing this is the question if this opens up for denial of service attacks where an attacker could send one batch notification with a long list of pushEndpoints to try to keep the server busy. At the moment, for an attacker to do the same thing he/she would have to send individual request which would be easier to notice and defend against as there would be a high volume of HTTP traffic.
Thoughts?