On Tue, Jan 19, 2010 at 2:31 PM, James Holderness <[email protected]> wrote:
> On Jan 19, 12:27 pm, Enrico <[email protected]> wrote:
>> So yeah, if Google uses a custom callback URL they can easily use
>> something like this, for example:
>> http://reader.google.com/pushCallBack/feedid/[feed id here]/hash/[hash key for feed here]
>> Then when getting a POST request they can check the hash actually
>> matches what they expect, and hashing can be done with a secret key or
>> whatever.
>>
>> Simple, right?
>> However, that would totally scratch the possibility of using the
>> "Aggregated Content Distribution" stated in the protocol.
>
> I always figured this could be solved by using a unique callback URL
> per hub rather than per feed. The hub is going to know the callbacks
> for all the feeds on its server anyway - you only need to protect the
> callbacks associated with other hubs.
Exactly, James! For aggregated delivery to work with secrets: The Hub is required to enforce that every (topic, callback) tuple from the subscriber MUST have the same 'hub.secret' value if the callback URL is the same. Thus, multiple topics can be delivered to a single callback URL in an authenticated way, verifiable by the subscriber in batch (using a single X-Hub-Subscriber header generated from the single shared secret).
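The rule described above, as an added example that is not part of the thread or of any hub implementation: the hub rejects a subscription whose callback URL is already registered under a different hub.secret, signs an aggregated delivery with one HMAC keyed by that callback's shared secret, and the subscriber verifies the whole batch with a single comparison. The callback and topic URLs and the aggregated body are constructed; the header name X-Hub-Signature and the sha1= prefix follow the published PubSubHubbub spec and are assumptions here.

```python
import hmac
import hashlib


class SubscriptionConflict(Exception):
    """A callback URL was reused with a different hub.secret."""


class Hub:
    """Hub-side store enforcing one hub.secret per callback URL (constructed example)."""

    def __init__(self):
        self.secret_for_callback = {}  # callback URL -> shared secret
        self.topics_for_callback = {}  # callback URL -> set of topic URLs

    def subscribe(self, topic, callback, secret):
        # Same callback URL must always arrive with the same secret.
        known = self.secret_for_callback.get(callback)
        if known is not None and not hmac.compare_digest(known, secret):
            raise SubscriptionConflict("different secret for " + callback)
        self.secret_for_callback[callback] = secret
        self.topics_for_callback.setdefault(callback, set()).add(topic)

    def deliver(self, callback, body):
        # One HMAC over the whole aggregated body, keyed by the shared secret.
        secret = self.secret_for_callback[callback]
        digest = hmac.new(secret.encode(), body, hashlib.sha1).hexdigest()
        return {"X-Hub-Signature": "sha1=" + digest}  # header name assumed from the spec


def subscriber_verify(secret, body, headers):
    # Subscriber recomputes the HMAC over the batch and compares in constant time.
    expected = "sha1=" + hmac.new(secret.encode(), body, hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, headers.get("X-Hub-Signature", ""))


def demo():
    hub = Hub()
    cb = "https://reader.example.com/push/callback"  # constructed URL
    hub.subscribe("https://blog-a.example.com/feed", cb, "s3cret")
    hub.subscribe("https://blog-b.example.com/feed", cb, "s3cret")  # same secret: accepted
    try:
        hub.subscribe("https://blog-c.example.com/feed", cb, "other")
        conflict = False
    except SubscriptionConflict:
        conflict = True
    body = b"<feed><entry>a</entry><entry>b</entry></feed>"  # constructed aggregate
    headers = hub.deliver(cb, body)
    return (conflict,
            subscriber_verify("s3cret", body, headers),
            subscriber_verify("s3cret", body + b"x", headers))
```

demo() returns (True, True, False): the mismatched secret is refused, the intact batch verifies, and a modified batch does not.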
