Discussion Forum: Suggestions: Message 1035548
 Author: ignacioxd View Messages Posted By ignacioxd
 Posted: Apr 12, 2017 11:55
 Subject: Re: API Push Notification Signatures
 Viewed: 33 times
 Topic: Suggestions
In Suggestions, Minifigforlife writes:
  To ensure that the request is coming from Bricklink, just verify that the contents
in POST are the fields that you are expecting from Bricklink. Does it include
a valid Bricklink order number for example.
Then validate each piece of data, to ensure there are no SQL injections, or other
nasties.

Just because the payload is valid does not mean it comes from BrickLink though.
For example, let's say I know that a particular store receives push notifications
and that I know the address where the notifications are posted. If I place an
order in that store I now also have a valid order number for that store.
I could then POST

{
"event_type":"Order",
"resource_id": KNOWN_ORDER_NUMBER,
"timestamp": SOME_TIMESTAMP
}

which is a valid payload for that store. Even if the order number is not valid,
someone handling this incoming push notification will most likely issue a call
to the BrickLink API to get more information on that supposedly new order only
to find out then that the order is invalid. If the order is valid, it could also
result in duplicate records on the client (if coded poorly).

In any case, this causes unnecessary load to the BrickLink API that could be
avoided if the client could simply verify a signature.
