Guidelines for Adding Subjects to a Stream

[TakahikoKawasaki]

According to the SSF specification, a receiver can add any subject to a stream. This means that the receiver can obtain events for any end-user, as long as the events are listed in events_delivered. Doesn’t this raise security and privacy concerns?

If there were a rule such as “only events related to the subject associated with the access token used when creating the stream will flow into that stream,” then things would be more straightforward, and there would be no risk of infringing on the security or privacy of other users. However, the SSF specification deliberately defines an Add Subject endpoint, allowing receivers to add arbitrary subjects to a stream.

It seems that, unless significant restrictions are imposed on the operation of transmitters and receivers, security and privacy issues will arise. Are there any operational or implementation guidelines to address this?

[FragLegs]

The add_subjects endpoint allows the Receiver to express the subjects that it is interested in receiving. It is up to the Transmitter whether or not to actually send an event with that subject. The authentication between the Transmitter and Receiver that is sent during stream configuration API calls should be enough to indicate to the Transmitter who the Receiver is, which should give the Transmitter enough info to determine what subjects and event types should be allowed to flow over that stream.

Some things to note in the spec:

• A Transmitter can choose to default to sending all subjects. "ALL" indicates that any subjects that *are appropriate* for the stream are added to the stream by default. (emphasis added by me)
• In Subject Probing, it states that Event Transmitters MAY return a "204" response even if they will not actually send any events related to the subject, and Event Receivers MUST NOT assume that a 204 response means that they will receive events related to the subject.
• In Subject Matching the spec says If a Receiver adds a subject to a stream defined in Section 8.1.3.2, the Transmitter SHOULD send any events relating to the subject which have event_types that the Receiver has subscribed to... Note the keyword SHOULD, not MUST.