What is the purpose of double authentication when streaming?

[RickCarlino]

Hi guys,

What is the point of putting a Token / UUID in both the URL and in the header? Wouldn't having a devices token be adequate enough for getting all messages related to a UUID?

(From the docs) /subscribe/{uuid}?token={token}

This is a streaming API that returns device/node messages as they are sent and received. Notice the comma at the end of the response. SkyNet doesn't close the stream. Note: You can subscribe to UUIDs without knowing the token but this will only allow you to receive broadcast messages from the UUID (devices=* or devices=all)

curl -X GET http://skynet.im/subscribe/ad698900-2546-11e3-87fb-c560cb0ca47b?token=123 --header "skynet_auth_uuid: {my uuid}" --header "skynet_auth_token: {my token}"

{"devices":"0d3a53a0-2a0b-11e3-b09c-ff4de847b2cc","message":{"red":"on"},"timestamp":1388768270795,"eventCode":300,"_id":"52c6ec0e4f67671e44000001"},{"devices":"0d3a53a0-2a0b-11e3-b09c-ff4de847b2cc","message":{"red":"on"},"timestamp":1388768277473,"eventCode":300,"_id":"52c6ec154f67671e44000002"},

[octoblu]

We recently added a whitelist / blacklist permissions model to SkyNet (http://skynet.im/#api). Now UUID objects can have an owner property containing a devices parent/owner UUID.

The UUID and token in the header is used for authentication where as the UUID in the URI is related to the resource.

In regards to subscribing, tokens are required if you want to "listen" to all in/outbound messaging on a device. You can subscribe to a device without the token but you only get messages where the device broadcasts ("*") the message.

Our REST subscribe API is designed not to close when called using streaming. It allows you to connect and listen to a device in realtime. If you want it to close, don't pass the streaming flag.