On Tue, Sep 17, 2013 at 7:48 AM, Daniel Bevenius <daniel.bevenius(a)gmail.com> wrote:

> We have been discussing the possibility of adding batch notifications
> support to our SimplePush and UnifiedPush Server. The use case for this
> would be when doing a selective send using a category, or a broadcast, and
> instead of sending a number of individual HTTP PUT notifications, a single
> HTTP PUT notification could be sent.

That's a good idea. When I first started playing with SPS I thought sending
PUTs was working this way, so for me it's a quite natural "enhancement".

> When sending a notification an endpoint that looks something like this is
> used:
> https://localhost:7777/update/7linbl5LD9XwCMDfwMeM4vLV8yIwY8Kem32lG2igDng...
> The suggestion for sending batch notifications might work by sending a
> HTTP PUT but only using:
> https://localhost:7777/update
> In this case the body of the PUT request must be valid JSON in the
> following format:
> {
>   "version":"1",
>   "pushEndpoints":["R32EU3Ct3PuHpEJZbeFQH0JWt_ERUtC4fxox44isNINyWDwatnJ1l1thxQyI1M4-IGvwX3AexkaDiMKpeh3P327MeOm809f9LcCdLw562nOcxxMLmMrhNI4ey4TlQ1mi",
>   "J_hIZkdLfKZpiwgpQ68QsPPlljnDGBbmPwAwGoe_6mE7ZBaKmebqf1mCDy_c9zII8CyaFC5t9BsGeUSU0nylToQgBKYdV4DFj3zdcpCMnxIHsSpX8Zx9DAjWCv7nfAJz"]
> }
> The version is pretty much the same as when sending a normal notification
> except that it is in JSON format instead of simply 'version=1'.
> The pushEndpoints is an array of channel endpoints. The format of these
> could be different for different SimplePush Server implementations so they
> are simple strings and the server implementation will know how to interpret
> them.
> Since batch notifications are outside of the SimplePush specification this
> would only work with our implementation and that will complicate things for
> the clients, like the UnifiedPush Server for example. It would have to
> distinguish between our SimplePush implementation and others.

Is that something in which we could contribute back to Mozilla or at least
discuss with us if this could be added to the specs?

> Another issue that came up while discussing this is the question if this
> opens up for denial of service attacks where an attacker could send one
> batch notification with a long list of pushEndpoints to try to keep the
> server busy. At the moment, for an attacker to do the same thing he/she
> would have to send individual requests which would be easier to notice and
> defend against as there would be a high volume of HTTP traffic.

Should be nice if we had a security expert in the team ... oh wait ... ;)

> Thoughts?
_______________________________________________
aerogear-dev mailing list
aerogear-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev
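
The denial-of-service question in the message above comes down to how much work one batch PUT is allowed to trigger. The following Python is an added example, not code from this thread or from the AeroGear project: it validates the proposed batch body and bounds the fan-out before any notification is sent. The limit values, the endpoint character set, the exception type and the status codes are all assumptions chosen for illustration.

```python
import json
import re

# Assumed limits for illustration; the thread does not propose any values.
MAX_BODY_BYTES = 64 * 1024
MAX_ENDPOINTS = 500
MAX_ENDPOINT_LEN = 256
# Assumption: endpoint tokens use URL-safe base64 characters, like the samples quoted above.
ENDPOINT_RE = re.compile(r"[A-Za-z0-9_-]+")
VERSION_RE = re.compile(r"[0-9]{1,18}")


class BatchRejected(Exception):
    """Carries the HTTP status a server could return for a rejected batch."""

    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def parse_batch(raw: bytes):
    """Validate a batch PUT body; return (version, unique endpoints in order)."""
    # Check the size first so an oversized body costs no JSON parsing work.
    if len(raw) > MAX_BODY_BYTES:
        raise BatchRejected(413, "body too large")
    try:
        doc = json.loads(raw)
    except (ValueError, RecursionError):  # bad JSON, bad UTF-8, or extreme nesting
        raise BatchRejected(400, "body is not valid JSON") from None
    if not isinstance(doc, dict):
        raise BatchRejected(400, "body must be a JSON object")
    version = doc.get("version")
    if not isinstance(version, str) or not VERSION_RE.fullmatch(version):
        raise BatchRejected(400, "version must be a string of digits")
    endpoints = doc.get("pushEndpoints")
    if not isinstance(endpoints, list) or not endpoints:
        raise BatchRejected(400, "pushEndpoints must be a non-empty array")
    # Cap the number of deliveries a single request can cause.
    if len(endpoints) > MAX_ENDPOINTS:
        raise BatchRejected(413, "too many pushEndpoints")
    unique, seen = [], set()
    for ep in endpoints:
        if not isinstance(ep, str) or len(ep) > MAX_ENDPOINT_LEN or not ENDPOINT_RE.fullmatch(ep):
            raise BatchRejected(400, "malformed push endpoint")
        if ep not in seen:  # a repeated endpoint is delivered only once
            seen.add(ep)
            unique.append(ep)
    return int(version), unique
```

A cap per request only bounds the cost of one PUT; per-client rate limiting is still needed so that many capped batches cannot add up to the same load.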