Author: ignacioxd
Posted: Apr 12, 2017 00:15
Subject: API Push Notification Signatures
Viewed: 124 times
Topic: Suggestions
Status: Discarded

The API currently allows registration of notification URLs that will get POST
data once some events are raised (orders, messages, feedback). This is great!
However, in order to implement this we need a server that accepts POST data publicly.
Right now there is no easy way to verify that this POST request is actually coming
from BrickLink.
While we can check the IP from which the request originated, I think a better
alternative would be for the push notification request to contain a signature
in the body. Perhaps the ConsumerSecret could be used to sign the request via
HMAC and include this signature as part of the request? Including an additional
attribute in the JSON object should not break existing implementations.
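
The scheme suggested in the post above, sketched as an added example (not part of the original post and not BrickLink's API): the sender adds an HMAC of the notification, keyed with the ConsumerSecret, as one extra JSON attribute, and the receiver recomputes it before trusting the request. The attribute name `signature`, the use of HMAC-SHA256, the canonical-JSON rule and the sample notification are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

SIGNATURE_FIELD = "signature"  # hypothetical attribute name, not a real API field


def _canonical_bytes(payload: dict) -> bytes:
    """Serialize the notification without its signature attribute, deterministically
    (sorted keys, no whitespace), so both sides MAC exactly the same bytes."""
    unsigned = {k: v for k, v in payload.items() if k != SIGNATURE_FIELD}
    return json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode("ascii")


def _mac(payload: dict, consumer_secret: str) -> str:
    key = consumer_secret.encode("utf-8")
    return hmac.new(key, _canonical_bytes(payload), hashlib.sha256).hexdigest()


def sign_notification(payload: dict, consumer_secret: str) -> dict:
    """Sender side: return a copy of the payload with the signature attribute added."""
    return {**payload, SIGNATURE_FIELD: _mac(payload, consumer_secret)}


def verify_notification(raw_body: bytes, consumer_secret: str) -> Optional[dict]:
    """Receiver side: return the parsed notification if its signature verifies, else None."""
    try:
        payload = json.loads(raw_body)
    except ValueError:  # covers malformed JSON and undecodable bytes
        return None
    if not isinstance(payload, dict):
        return None
    claimed = payload.get(SIGNATURE_FIELD)
    if not isinstance(claimed, str):
        return None  # unsigned requests are rejected, not passed through
    expected = _mac(payload, consumer_secret)
    # Constant-time comparison; compare bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode(), claimed.encode("utf-8", "replace")):
        return None
    return payload


if __name__ == "__main__":
    secret = "constructed-consumer-secret"                     # constructed sample value
    notification = {"event_type": "Order", "resource_id": 1234567}  # constructed sample
    body = json.dumps(sign_notification(notification, secret)).encode()
    print(verify_notification(body, secret))
    print(verify_notification(body.replace(b"1234567", b"7654321"), secret))
```

Carrying the signature inside the JSON body means both sides must agree on a canonical serialization; computing the HMAC over the raw body bytes and sending it in a request header avoids that requirement.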
Message Has 2 Replies:

Re: API Push Notification Signatures - minithings4life (17101): To ensure that the request is coming from Bricklink, just verify that the contents in POST are the fields that you are expecting from Bricklink. Does it include a valid Bricklink [...] (86 months ago, Apr 12, 2017, to Suggestions)

Re: API Push Notification Signatures - ignacioxd (87): I see that this suggestion is now marked as discarded, yet no comment was provided as to why. It would be nice to hear from BrickLink their reasoning behind their decisions. (86 months ago, Apr 16, 2017, to Suggestions)

The status of this message was changed from Open to Discarded on Apr 13, 2017.