I'm integrating Roku into our multi-platform app with a paid subscription model, so webhooks/push notifications are crucial for the business to know when a subscription is being renewed, cancelled, etc. I came across the Roku Push Notifications documentation, which seems to have big security concerns, or I'm missing the point:

  1. Roku sends data down to our push notification URL without any validation (e.g. like the Stripe signature check does). So how do I know the data came from Roku and I can trust it?
  2. They require us to respond with our private API KEY(!) in the header... Does it mean that we can potentially expose it to anyone who finds out what the URL is?
  3. Not really a security concern but more of a business safety issue: they can stop sending push notifications without any notice if the endpoint fails consecutively, which could lead to big problems again.

I would appreciate any advice on how to use Roku push notifications securely and if my concerns are valid at all.

dgpro
  • I think your concerns are valid; it might be worth bringing up with Roku directly via their developer console. Perhaps you can limit push notifications to specific IP addresses. – Joe T Oct 25 '17 at 01:01
  • This is not really a programming question, so off-topic for Stack Overflow. – Jess Bowers Feb 22 '18 at 14:56
  • Were you able to receive a push notification from the Roku server on cancellation/new subscription? – Abhishek Jun 21 '18 at 09:47
  • @Abhishek yes, it's exactly as described in their [documentation](https://sdkdocs.roku.com/display/sdkdoc/Web+Service+API#WebServiceAPI-Sale(purchase)ResponseExample) – dgpro Jun 22 '18 at 10:48
  • I am not receiving the push notification on my server. I have got the cancellation confirmation for that user account but haven't got the push notification on my server. – Abhishek Jun 22 '18 at 10:49
  • Any guesses what the possibilities might be? I have configured it exactly per their documentation. – Abhishek Jun 22 '18 at 10:50
  • @Abhishek have you tried using something like Postman to submit data to your webhook and see if it works? Also make sure you have your "Push Notification URL" set up in Developer Dashboard > My Channels > Web API settings. Hope it helps. – dgpro Jul 25 '18 at 08:06
  • Yes, I have already tried it. Not working. – Abhishek Jul 25 '18 at 08:07

0 Answers