Now I am defining an endpoint to receive Apple server notifications in a Spring Boot project:
import io.swagger.annotations.Api;
import org.springframework.cloud.openfeign.FeignClient;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;

@Api
@RequestMapping("/post/notification")
@FeignClient(name = "dolphin-post-service")
@Validated
public interface IAppleServerNotificationController {
    /**
     * Receive Apple Server Notification
     * @param request the notification body posted by Apple
     * @return a Response wrapping the handler result
     */
    @PostMapping("/v1/appleSeverNotification")
    Response<Integer> handleNotification(@RequestBody ServerNotificationRequest request);
}
The request:
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import io.swagger.annotations.ApiModelProperty;
import lombok.Data;
import lombok.NoArgsConstructor;
import java.io.Serializable;
@Data
@NoArgsConstructor
@JsonIgnoreProperties(ignoreUnknown = true)
public class ServerNotificationRequest implements Serializable {
    @ApiModelProperty(value = "responseBody")
    private String responseBody;
    @ApiModelProperty(value = "sharedSecret") // read via getSharedSecret() in the handler below
    private String sharedSecret;
}
But the API on my server side requires auth to invoke, so now I am facing this problem: if I keep auth on my API, the Apple server cannot invoke it, because the Apple server does not implement OAuth 2.0 to get an access token from my server. If I remove auth from the endpoint, that means anyone who knows the address could invoke it.
So what should I do to make the endpoint secure and still allow Apple to invoke it? Should I keep the endpoint non-public? But I think some tools would sniff the URL. What should I do?
Now I am verifying the shared secret on the server side like this:
@Override
@NoCheck // project-specific annotation, presumably the opt-out from the API's usual auth check
public Response<Integer> handleNotification(ServerNotificationRequest request) {
    // SHARED_SECRET, log and JSON come from the enclosing class, which is not shown here
    if (!SHARED_SECRET.equals(request.getSharedSecret())) {
        log.error("illegal invoke:" + JSON.toJSONString(request));
        return new Response<>();
    }
    saveNotification(request);
    return new Response<>();
}
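A hardened version of the shared-secret check from the post, as an added example that is not part of the original question. It keeps the names used there (`sharedSecret`, `getSharedSecret()`, `handleNotification`) but replaces `String.equals` with a constant-time comparison, treats a missing field as a rejection, and logs the failure without echoing the presented value. The secret literal and the sample request bodies are constructed for the demonstration, the request type is a minimal stand-in for the Lombok class in the post, and the Spring wiring is left out so the class compiles and runs on its own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/**
 * Hardened shared-secret check for the notification endpoint (added example).
 * The secret is compared in constant time and is never written to the log.
 */
public final class SharedSecretVerifier {

    private final byte[] expected;

    /** sharedSecret: the value configured for the app; in production read it from config, not a literal. */
    public SharedSecretVerifier(String sharedSecret) {
        if (sharedSecret == null || sharedSecret.isEmpty()) {
            throw new IllegalArgumentException("shared secret must be configured");
        }
        this.expected = sharedSecret.getBytes(StandardCharsets.UTF_8);
    }

    /**
     * True only when the presented value equals the configured secret.
     * MessageDigest.isEqual compares every byte once the lengths match, so the
     * position of the first mismatch is not observable through response timing;
     * String.equals stops at the first differing character.
     */
    public boolean matches(String presented) {
        if (presented == null) {
            return false; // missing field is a rejection, never a match against an empty secret
        }
        return MessageDigest.isEqual(expected, presented.getBytes(StandardCharsets.UTF_8));
    }

    /** Stand-in for the request class in the post, reduced to the fields the check needs. */
    public static final class ServerNotificationRequest {
        private final String responseBody;
        private final String sharedSecret;

        public ServerNotificationRequest(String responseBody, String sharedSecret) {
            this.responseBody = responseBody;
            this.sharedSecret = sharedSecret;
        }

        public String getResponseBody() { return responseBody; }
        public String getSharedSecret() { return sharedSecret; }
    }

    /**
     * Mirrors the decision in handleNotification: reject before touching the body.
     * The log line records that a rejection happened, not the value the caller sent,
     * so a mistyped real secret does not end up in log storage.
     */
    public static boolean accept(SharedSecretVerifier verifier, ServerNotificationRequest request) {
        if (request == null || !verifier.matches(request.getSharedSecret())) {
            System.err.println("illegal invoke: shared secret mismatch (presented value not logged)");
            return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample secret and request bodies; not real App Store Connect values.
        SharedSecretVerifier verifier = new SharedSecretVerifier("c0nstructed-sample-secret");
        String body = "{\"notification_type\":\"DID_RENEW\"}";

        ServerNotificationRequest good = new ServerNotificationRequest(body, "c0nstructed-sample-secret");
        ServerNotificationRequest wrong = new ServerNotificationRequest(body, "c0nstructed-sample-secreT");
        ServerNotificationRequest missing = new ServerNotificationRequest(body, null);

        if (!accept(verifier, good)) throw new AssertionError("valid secret must be accepted");
        if (accept(verifier, wrong)) throw new AssertionError("wrong secret must be rejected");
        if (accept(verifier, missing)) throw new AssertionError("missing secret must be rejected");
        System.out.println("shared-secret checks behaved as expected");
    }
}
```

The secret travels inside the request body, so it is the TLS on the endpoint, not the obscurity of the path, that keeps it from being read off the wire; a caller who only learns the URL still fails the check. Keep the failure path returning the same empty response as the post does, so a probe cannot distinguish a rejected secret from any other outcome by the body it gets back.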