Skip to content

Instantly share code, notes, and snippets.

/SecPushEE.md Secret

Created June 17, 2013 12:46
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save anonymous/b82b7bb1b2d1ab36f92d to your computer and use it in GitHub Desktop.
Save anonymous/b82b7bb1b2d1ab36f92d to your computer and use it in GitHub Desktop.
Download ZIP
Initial Security for AeroGear UnifiedPush
Raw
SecPushEE.md

Hi,

I worked a bit on the initial security, after Bruno release the 1.0.1 versions of AG-Security.

Management of PushApplications and MobileVariants

Adding a (simple) DEVELOPER class (just that, no fancy roles yet).
This is powered by AG-Security and the very wellknown "login"/"logout" will be used (and soon "enroll" for new users).

A DEVELOPER is allowed to create/manage PushApplications and MobileVariants (including the standard CRUD flow).

Here is a little cURL based flow:

Login:

curl -v -b cookies.txt -c cookies.txt
  -H "Accept: application/json" -H "Content-type: application/json"
  -X POST 
  -d '{"loginName": "admin", "password":"123"}'
http://localhost:8080/ag-push/rest/auth/login

Create new PushApp:

curl -v -b cookies.txt -c cookies.txt -v 
  -H "Accept: application/json" -H "Content-type: application/json" 
  -X POST 
  -d '{"name" : "MyApp", "description" :  "awesome app" }'
http://localhost:8080/ag-push/rest/applications

Create Variant (here SimplePush) for it:

curl -v -b cookies.txt -c cookies.txt -v 
  -H "Accept: application/json" -H "Content-type: application/json" 
  -X POST 
  -d '{"pushNetworkURL" : "http://localhost:7777/endpoint/"}'
http://localhost:8080/ag-push/rest/applications/{PUSH_APP_ID}/simplePush

Sending Push Notifications

When a PushApplication is created, it will get a GENERATED PUSH-APP-ID (like before) and it will also have a generated master secret. For sending (NOW) you need HTTP BASIC auth against the SENDER HTTP interface:

curl -u "{PushApplicationID}:{MasterSecret}"
   -v -H "Accept: application/json" -H "Content-type: application/json" 
   -X POST
   -d '{"key":"value", "alert":"HELLO!", "sound":"default", "badge":7,
       "simple-push":"version=123"}'

http://localhost:8080/ag-push/rest/sender/broadcast

The user is a combination of PushApplicationID:MasterSecret, hence no need to include the PushApplicationID on the URL.....

Device Registration

When a MobileVariant is created, it will get a GENERATED VARIANT-ID (like before) and it will have a generated "variant secret" (valid ONLY!!! for that variant). Now a device needs to perform HTTP basic against that server, in order to register itself:

An Android (cURL) example:

curl -u "{MobileVariantID}:{secret}"
   -v -H "Accept: application/json" -H "Content-type: application/json" 
   -X POST
   -d '{
      "deviceToken" : "someTokenString", 
      "deviceType" : "ANDROID", 
      "mobileOperatingSystem" : "android", 
      "osVersion" : "4.0.1"
    }'

http://localhost:8080/ag-push/rest/registry/device

The user is a combination of MobileVariantID:MasterSecret, hence no need to include the MobileVariantID (was a http header in the past)

FYI, the iOS SDK has been updated to reflect that: https://github.com/matzew/aerogear-push-ios-registration/commit/ef8001684c38144b5a8fb05abbb87d0ddf452b07

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment