Author:  ignacioxd  Posted:  Apr 12, 2017 00:15  Subject:  API Push Notification Signatures  Viewed:  124 times  Topic:  Suggestions  Status: Discarded Cancel Reply

BrickLink ID Card ignacioxd (87) Location:  USA, North Carolina Member Since Contact Type Status Feb 2, 2016 Seller  Store: BrickAbout.com

The API currently allows registration of notification URLs that will get POST data once some events are raised (orders, messages, feedback). This is great! However, in order to implement this we need a server that accepts POST data publicly. Right now there is no easy way to verify that this POST request is actually coming from BrickLink. While we can check the IP from which the request originated, I think a better alternative would be for the push notification request to contain a signature in the body. Perhaps the ConsumerSecret could be used to sign the request via HMAC and include this signature as part of the request? Including an additional attribute in the JSON object should not break existing implementations.

Message Has 2 Replies:

Re: API Push Notification Signatures - minithings4life (17101)

To ensure that the request is coming from Bricklink, just verify that the contents in POST are the fields that you are expecting from Bricklink. Does it include a valid Bricklink [...] (86 months ago, Apr 12, 2017, to Suggestions)

Re: API Push Notification Signatures - ignacioxd (87)

I see that this suggestion is now marked as discarded, yet no comment was provided as to why. It would be nice to hear from BrickLink their reasoning behind their decisions. (86 months ago, Apr 16, 2017, to Suggestions)

4 Messages in this Thread:

 Msg 1 « - ignacioxd (87) 86 months ago Apr 12, 2017 to Suggestions
 Msg 2 - minithings4life (17101) 86 months ago Apr 12, 2017 to Suggestions
 Msg 3 - ignacioxd (87) 86 months ago Apr 12, 2017 to Suggestions
 Msg 4 - ignacioxd (87) 86 months ago Apr 16, 2017 to Suggestions