I'm working on a server side solution for a mobile application written in Ruby. Part of our requirements is to notify our distributed clients to phone home to receive updated payload which Google's C2DM service seems ideal for.
I've already prototyped and tested everything we need and verified that the solution will work from my local machine. (Using the C2DM library for Ruby, the link is to my own fork in progress to solve an SSL certificate problem where the cert doesn't cover Google's api subdomain.) Except for one major hiccup in Google's ClientLogin API:
When deploying to our development application servers I was unable to transmit messages. Digging deeper into the results I found out that we were receiving a reply from Google that said CAPTCHAREQUIRED and a captcha token plus a URL to a captcha image despite the fact I was using a valid auth_token I created locally during development. So I used my own browser to request the CAPTCHA and solve it, then used curl to post the reply from our development server to ClientLogin after which I was able to get the auth_token necessary to transmit messages.
This had me worried that when deploying to a production environment a similar authentication challenge will occur. So a teammate and I performed some more research and found out that while no one knows the exact specifications as to when an auth_token may expire there is at least one purported Google engineer who claimed they are valid for "at least two weeks." Then a suggested solution is that when the ClientLogin response indicates CAPTCHAREQUIRED that you page/email an ops/devops person to solve the CAPTCHA and use a page/tool in your server application to submit the answer to get a new auth_token. (If this is what I have to do, I guess Amazon's Mechanical Turk saves the day?)
There is, of course, the real possibility that this information is outdated but that doesn't change the fact that I still need to solve CAPTCHAs at least during initial installation. We control the production environment so this isn't a very big deal, just a minor inconvenience since we don't know what, exactly, causes a CAPTCHAREQUIRED challenge response. (We theorize that its a previously unknown IP address for the account.)
I can't help but thinking I'm doing something terribly, terribly wrong here.
The question of auth token lifetime is still very much in the air. C2DM is officially still a beta, so the Google people don't want to commit to a solid figure. Understandable, but frustrating.
That said, in my experience, if you use a dedicated Google account for C2DM purposes, the CAPTCHA challenge never comes up.