It's not really a syncing protocol - a syncing protocol is something more like FeedSync (formally SSE)[1].
This looks more like an API for a feed reader type application. From a quick read it looks mostly ok for that (although I'd question why...)
Out of interest, why not implement a read-only version of rfc5023/AtomPub[2]?
Anyway...
I'd suggest you get rid of the "Article" Object, and use the Atom "Entry" object instead (or possibly a single-entry Atom feed if you are in XML mode), serialized as JSON
The "Fetch" call should probably take a "since date" as an option, instead of just "since id". It should return a JSON serialized Atom feed, not a custom object.
Changing "Article" to "Entry"—noted. As for doing away with the custom schema and using the Atom serialization you posted: it's worth noting the protocol is meant to sync with Atom _and_ RSS transparently; to keep things simple and consistent, a middle ground has to be found.
True. But there are certain elements that vary greatly between specs (or rather, between spec and... suggested format?). For example, the `person` construct, the `text` construct, etc, which are rather inconsistent and flat in the RSS spec. If it were all fire–and–forget, I could rest at ease knowing it's a superset, but most differences are not additive.
TLS/SSL will be a requirement soon, with some form of "bearer token" auth scheme. At least for the reference implementation.
The MD5 hash is there to mitigate two issues, currently: some (or most) common users won't pay for a certificate, so instead of sending the password in cleartext, it's hashed as an MD5 to avoid exposure—all of this, of course, is no guarantee against MITM. Which leads us to the second issue: most [non–techie] users re–use their password for a _lot_ of things. At least, if the password is intercepted, it won't be reusable.
It's also worth noting that bcrypt is used server–side to store passwords.
Auth (and very possibly a crypto scheme too) is yet to be tackled. Haven't even decided if it should be part of the spec, or left up to each implementer.
Auth is a WIP. Anybody who has suggestions and candidates for auth schemes, is welcome to send them to the mailing list, so we can improve the protocol :) pond@librelist.com
+1 to this. If you're going to send a replayable MD5 hash over the wire, you might as well just drop the pretense and just call it "password" instead - intercepting the "hash" compromises the account just as surely as if you'd leaked the password.
This is especially nasty since the document mentions that not all users will use SSL. If supporting access via a non-secure channel is an absolute requirement, you may want to figure out something more effective...
14 comments
[ 3.4 ms ] story [ 40.6 ms ] threadhttps://pond.imperialviolet.org/
https://github.com/agl/pond
It's pretty much impossible to avoid naming collisions for projects. :-/
I have been working on the project for 6 months now, and I even tweeted the author of that project when he posted it, but he just ignored me haha :(
Hopefully, in a couple years, we'll know Langley's Pond by a different name: "email".
This looks more like an API for a feed reader type application. From a quick read it looks mostly ok for that (although I'd question why...)
Out of interest, why not implement a read-only version of rfc5023/AtomPub[2]?
Anyway...
I'd suggest you get rid of the "Article" Object, and use the Atom "Entry" object instead (or possibly a single-entry Atom feed if you are in XML mode), serialized as JSON
The "Fetch" call should probably take a "since date" as an option, instead of just "since id". It should return a JSON serialized Atom feed, not a custom object.
https://cwiki.apache.org/confluence/display/ABDERA/JSON+Seri... is a pretty decent JSON serialization spec for Atom
Notable omissions: no concept of tagging or saving articles.
[1] https://en.wikipedia.org/wiki/FeedSync
[2] http://bitworking.org/projects/atom/rfc5023.html
Changing "Article" to "Entry"—noted. As for doing away with the custom schema and using the Atom serialization you posted: it's worth noting the protocol is meant to sync with Atom _and_ RSS transparently; to keep things simple and consistent, a middle ground has to be found.
`since_date` is something I'm working on.
The MD5 hash is there to mitigate two issues, currently: some (or most) common users won't pay for a certificate, so instead of sending the password in cleartext, it's hashed as an MD5 to avoid exposure—all of this, of course, is no guarantee against MITM. Which leads us to the second issue: most [non–techie] users re–use their password for a _lot_ of things. At least, if the password is intercepted, it won't be reusable.
It's also worth noting that bcrypt is used server–side to store passwords.
Auth (and very possibly a crypto scheme too) is yet to be tackled. Haven't even decided if it should be part of the spec, or left up to each implementer.
This is especially nasty since the document mentions that not all users will use SSL. If supporting access via a non-secure channel is an absolute requirement, you may want to figure out something more effective...