

Watercoolr, Pubsub using WebHooks - jcapote
http://watercoolr.nuklei.com

======
progrium
Very cool, simple implementation of pubsub with webhooks. The DoS issue is
something to consider, but keep in mind there are plenty of other ways to DoS,
probably more efficient ways. Auth is a big topic in webhooks right now.

The allow file idea is interesting, but we've been talking about it on the
webhooks list (as well as the GetPingd list). The pubsubhubbub guys are also
thinking about it (since they haven't addressed it either yet).

~~~
jcapote
Concerning the DoS issue: the system only allows one subscriber url per
channel, so it really can't be used to DoS. And as for auth, this was designed
for more internal use where it isn't that much of a concern.

------
rcoder
Have you checked out the PubSubHubbub project?

<http://code.google.com/p/pubsubhubbub/>

It looks like there's a lot of overlap with the feature set you need, as well
as the advantage of some extra documentation + testing. It's a Python WSGI
app, instead of Sinatra/Rack, and the data over the wire is encoded as Atom,
but there could be some useful lessons to work from at least.

~~~
jcapote
No I haven't, but I am now, thanks. (This is a particularly hard problem
domain to google for)

------
beza1e1
What happens if some subscriber can't be reached? What if delivering takes
too long? Why should the server do the distribution? A "post message" could
return a list of subscribers, instead. More work for the client, but more
transparency, too.

------
axod
Why is this interesting? I'm obviously missing something...

Any context/description/commentary?

From what I can understand, it could be useful in launching a DoS :/

~~~
jcapote
Well I wrote it because I needed a way for programs to announce what they were
doing and have other subscribing programs react accordingly. The closest
solution I found to this was <http://xmpp.org/extensions/xep-0060.html>, but
that didn't seem implemented yet so I wrote the simplest thing that could
work.

~~~
axod
Cool. Seems like there should be some security to prevent abuse though,
otherwise surely I could just add a ton of subscriptions to pages on a target
site, and start getting your server to DoS them?

Perhaps have it look for an 'allow' file on the destination first, and if it's
not there, don't send any further messages?
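
The 'allow' file check proposed in the comment above, sketched in Ruby as an added example; it is not part of the thread and not Watercoolr's own code. The path `/watercoolr-allow.txt`, the `AllowChecker` class and the injected fetcher are assumptions made for illustration, and the sample sites are constructed.

```ruby
require "uri"

# Hypothetical well-known path; the thread only says "an 'allow' file".
ALLOW_PATH = "/watercoolr-allow.txt"

# Builds the URL of the allow file at the root of the subscriber's origin.
# Returns nil for anything that is not a plain http(s) URL with a host.
def allow_url_for(subscriber_url)
  uri = URI.parse(subscriber_url)
  return nil unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
  return nil if uri.userinfo
  "#{uri.scheme}://#{uri.host.downcase}:#{uri.port}#{ALLOW_PATH}"
rescue URI::InvalidURIError
  nil
end

# Decides per origin whether the hub may deliver, caching the answer so many
# subscriptions to one origin cause a single probe rather than one each.
class AllowChecker
  # fetcher: callable taking a URL and returning an HTTP status Integer.
  # Assumed in real use to be a GET with short timeouts and redirects off.
  def initialize(fetcher)
    @fetcher = fetcher
    @cache = {}
  end

  def deliver?(subscriber_url)
    allow_url = allow_url_for(subscriber_url)
    return false if allow_url.nil?
    return @cache[allow_url] if @cache.key?(allow_url)
    # Only a direct 200 counts: a redirect could point at another host, and
    # errors or timeouts fail closed.
    @cache[allow_url] = (@fetcher.call(allow_url) == 200)
  rescue StandardError
    @cache[allow_url] = false
  end
end

# Constructed sample data: one origin that published the file, one that did not.
SAMPLE_SITES = {
  "http://consumer.example:80/watercoolr-allow.txt" => 200,
  "http://thirdparty.example:80/watercoolr-allow.txt" => 404
}.freeze
SAMPLE_FETCHER = ->(url) { SAMPLE_SITES.fetch(url) { raise IOError, "unreachable" } }

checker = AllowChecker.new(SAMPLE_FETCHER)
puts checker.deliver?("http://consumer.example/hooks/build")  # origin opted in
puts checker.deliver?("http://thirdparty.example/search?q=1") # no allow file
```

Because the decision is cached per origin and fails closed, an origin that never published the file receives one probe from the hub and no message deliveries.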

~~~
jcapote
That's an interesting way to handle the auth problem, I'll look into it...

------
curio
+1 vote for pubsubhubbub

