Sandstorm mobile notifications hack

[Jason Paryani]

Hey all,

Since we're probably not going to have an official version of push notifications working on mobile for a while, I went ahead and hacked together a solution that works for me. It connects directly to a Sandstorm server using the ddp socket and a resume token you supply. It then listens to the `desktopNotifications` subscription to see notifications as they come in.

It's currently hard coded to use the Pushover service to send out the notifications, but I'd be open to adding other integrations (or even adding email support until such time as Sandstorm adds it).

This is all hacky and subject to breakage, so caveat emptor, blah blah.

Code is up at https://github.com/jparyani/sandstorm-notification-pusher

[Alex Morega]

That's beautifully simple. I'd like to do the same thing but deliver notifications by email.
-- Alex

> --
> You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-de...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

[Jason Paryani]

So after talking with the team this morning, we've decided to prioritize email notifications in Sandstorm proper. If you're fine with waiting a week or two, there should be official support in Sandstorm itself.

> To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-dev+unsubscribe@googlegroups.com.

> For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.

To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-dev+unsubscribe@googlegroups.com.

[Alex Morega]

I have one security concern. We're running a private Sandstorm with SAML authentication that hosts sensitive information. What content would be sent via email? Will it be possible to disable the feature from admin?

For my own use, ok, I'll wait for the official support :)

-- Alex

> On 17 Aug 2016, at 21:45, Jason Paryani <jpar...@sandstorm.io> wrote:
>
> So after talking with the team this morning, we've decided to prioritize email notifications in Sandstorm proper. If you're fine with waiting a week or two, there should be official support in Sandstorm itself.
>
> On Wed, Aug 17, 2016 at 8:23 AM, Alex Morega <al...@grep.ro> wrote:
> That's beautifully simple. I'd like to do the same thing but deliver notifications by email.
> -- Alex
>
> > On 16 Aug 2016, at 22:55, Jason Paryani <jpar...@sandstorm.io> wrote:
> >
> > Hey all,
> >
> > Since we're probably not going to have an official version of push notifications working on mobile for a while, I went ahead and hacked together a solution that works for me. It connects directly to a Sandstorm server using the ddp socket and a resume token you supply. It then listens to the `desktopNotifications` subscription to see notifications as they come in.
> >
> > It's currently hard coded to use the Pushover service to send out the notifications, but I'd be open to adding other integrations (or even adding email support until such time as Sandstorm adds it).
> >
> > This is all hacky and subject to breakage, so caveat emptor, blah blah.
> >
> > Code is up at https://github.com/jparyani/sandstorm-notification-pusher
> >
> > --
> > You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.

> > To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-de...@googlegroups.com.

> > For more options, visit https://groups.google.com/d/optout.
>
> --
> You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.

> To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-de...@googlegroups.com.

[Jason Paryani]

There will definitely be options for individual users to disable email notifications. Is that sufficient, or do you also need to have the admin be able to do this? Would the admin disable email notifications globally or on a per-user basis?

On Thu, Aug 18, 2016 at 2:42 AM, Alex Morega <al...@grep.ro> wrote:

I have one security concern. We're running a private Sandstorm with SAML authentication that hosts sensitive information. What content would be sent via email? Will it be possible to disable the feature from admin?

For my own use, ok, I'll wait for the official support :)

-- Alex

> On 17 Aug 2016, at 21:45, Jason Paryani <jpar...@sandstorm.io> wrote:
>
> So after talking with the team this morning, we've decided to prioritize email notifications in Sandstorm proper. If you're fine with waiting a week or two, there should be official support in Sandstorm itself.
>
> On Wed, Aug 17, 2016 at 8:23 AM, Alex Morega <al...@grep.ro> wrote:
> That's beautifully simple. I'd like to do the same thing but deliver notifications by email.
> -- Alex
>
> > On 16 Aug 2016, at 22:55, Jason Paryani <jpar...@sandstorm.io> wrote:
> >
> > Hey all,
> >
> > Since we're probably not going to have an official version of push notifications working on mobile for a while, I went ahead and hacked together a solution that works for me. It connects directly to a Sandstorm server using the ddp socket and a resume token you supply. It then listens to the `desktopNotifications` subscription to see notifications as they come in.
> >
> > It's currently hard coded to use the Pushover service to send out the notifications, but I'd be open to adding other integrations (or even adding email support until such time as Sandstorm adds it).
> >
> > This is all hacky and subject to breakage, so caveat emptor, blah blah.
> >
> > Code is up at https://github.com/jparyani/sandstorm-notification-pusher
> >
> > --
> > You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.

> > To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-dev+unsubscribe@googlegroups.com.

> > For more options, visit https://groups.google.com/d/optout.
>
> --
> You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.

> To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-dev+unsubscribe@googlegroups.com.

> For more options, visit https://groups.google.com/d/optout.
>

--
You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.

To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-dev+unsubscribe@googlegroups.com.

[Alex Morega]

For our use case, the admin should have the option, but instead of disabling them altogether, it would be more useful to control the content: the notification should just say "you have 3 events", without details about grains and the actual notification content.

-- Alex

> On 22 Aug 2016, at 23:26, Jason Paryani <jpar...@sandstorm.io> wrote:
>
> There will definitely be options for individual users to disable email notifications. Is that sufficient, or do you also need to have the admin be able to do this? Would the admin disable email notifications globally or on a per-user basis?
>
> On Thu, Aug 18, 2016 at 2:42 AM, Alex Morega <al...@grep.ro> wrote:
> I have one security concern. We're running a private Sandstorm with SAML authentication that hosts sensitive information. What content would be sent via email? Will it be possible to disable the feature from admin?
>
> For my own use, ok, I'll wait for the official support :)
>
> -- Alex
>
> > On 17 Aug 2016, at 21:45, Jason Paryani <jpar...@sandstorm.io> wrote:
> >
> > So after talking with the team this morning, we've decided to prioritize email notifications in Sandstorm proper. If you're fine with waiting a week or two, there should be official support in Sandstorm itself.
> >
> > On Wed, Aug 17, 2016 at 8:23 AM, Alex Morega <al...@grep.ro> wrote:
> > That's beautifully simple. I'd like to do the same thing but deliver notifications by email.
> > -- Alex
> >
> > > On 16 Aug 2016, at 22:55, Jason Paryani <jpar...@sandstorm.io> wrote:
> > >
> > > Hey all,
> > >
> > > Since we're probably not going to have an official version of push notifications working on mobile for a while, I went ahead and hacked together a solution that works for me. It connects directly to a Sandstorm server using the ddp socket and a resume token you supply. It then listens to the `desktopNotifications` subscription to see notifications as they come in.
> > >
> > > It's currently hard coded to use the Pushover service to send out the notifications, but I'd be open to adding other integrations (or even adding email support until such time as Sandstorm adds it).
> > >
> > > This is all hacky and subject to breakage, so caveat emptor, blah blah.
> > >
> > > Code is up at https://github.com/jparyani/sandstorm-notification-pusher
> > >
> > > --
> > > You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.

> > > To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-de...@googlegroups.com.

> > > For more options, visit https://groups.google.com/d/optout.
> >
> > --
> > You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.

> > To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-de...@googlegroups.com.

> > For more options, visit https://groups.google.com/d/optout.
> >
>
> --
> You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.

> To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-de...@googlegroups.com.

[Kenton Varda]

Hi Alex,

What is it about e-mail that makes it risky in your eyes?

- Are you worried about MITM attacks at the SMTP level?

- Are you worried that users' phones will get stolen?

- Something else?

Trying to understand in order to decide what makes the most sense here.

-Kenton

On Mon, Aug 22, 2016 at 1:58 PM, Alex Morega <al...@grep.ro> wrote:

For our use case, the admin should have the option, but instead of disabling them altogether, it would be more useful to control the content: the notification should just say "you have 3 events", without details about grains and the actual notification content.

-- Alex

> On 22 Aug 2016, at 23:26, Jason Paryani <jpar...@sandstorm.io> wrote:
>
> There will definitely be options for individual users to disable email notifications. Is that sufficient, or do you also need to have the admin be able to do this? Would the admin disable email notifications globally or on a per-user basis?
>
> On Thu, Aug 18, 2016 at 2:42 AM, Alex Morega <al...@grep.ro> wrote:
> I have one security concern. We're running a private Sandstorm with SAML authentication that hosts sensitive information. What content would be sent via email? Will it be possible to disable the feature from admin?
>
> For my own use, ok, I'll wait for the official support :)
>
> -- Alex
>
> > On 17 Aug 2016, at 21:45, Jason Paryani <jpar...@sandstorm.io> wrote:
> >
> > So after talking with the team this morning, we've decided to prioritize email notifications in Sandstorm proper. If you're fine with waiting a week or two, there should be official support in Sandstorm itself.
> >
> > On Wed, Aug 17, 2016 at 8:23 AM, Alex Morega <al...@grep.ro> wrote:
> > That's beautifully simple. I'd like to do the same thing but deliver notifications by email.
> > -- Alex
> >
> > > On 16 Aug 2016, at 22:55, Jason Paryani <jpar...@sandstorm.io> wrote:
> > >
> > > Hey all,
> > >
> > > Since we're probably not going to have an official version of push notifications working on mobile for a while, I went ahead and hacked together a solution that works for me. It connects directly to a Sandstorm server using the ddp socket and a resume token you supply. It then listens to the `desktopNotifications` subscription to see notifications as they come in.
> > >
> > > It's currently hard coded to use the Pushover service to send out the notifications, but I'd be open to adding other integrations (or even adding email support until such time as Sandstorm adds it).
> > >
> > > This is all hacky and subject to breakage, so caveat emptor, blah blah.
> > >
> > > Code is up at https://github.com/jparyani/sandstorm-notification-pusher
> > >
> > > --
> > > You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.

> > > To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-dev+unsubscribe@googlegroups.com.

> > > For more options, visit https://groups.google.com/d/optout.
> >
> > --
> > You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.

> > To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-dev+unsubscribe@googlegroups.com.

> > For more options, visit https://groups.google.com/d/optout.
> >
>
> --
> You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.

> To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-dev+unsubscribe@googlegroups.com.

> For more options, visit https://groups.google.com/d/optout.
>

--
You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.

To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-dev+unsubscribe@googlegroups.com.

[Alex Morega]

Thanks for taking an interest in this, guys :)

I'm worried about the MITM scenario, including the email provider. We're doing investigative journalism so, admittedly, our threat model is unusual :) Ideally the data should only touch the server and the user's computer.

An alternative solution for us would be to proxy outgoing emails and encrypt them, but that comes with a whole set of problems.

-- Alex

> > > > To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-de...@googlegroups.com.

> > > > For more options, visit https://groups.google.com/d/optout.
> > >
> > > --
> > > You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.

> > > To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-de...@googlegroups.com.

> > > For more options, visit https://groups.google.com/d/optout.
> > >
> >
> > --
> > You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.

> > To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-de...@googlegroups.com.

> > For more options, visit https://groups.google.com/d/optout.
> >
>
> --
> You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.

> To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-de...@googlegroups.com.

[Kenton Varda]

Hi Alex,

It seems to me that if you are concerned about e-mail MITM, then probably you don't want to deliver *any* email that Sandstorm sends today. Maybe you should un-configure SMTP altogether?

Alternatively, maybe you want to configure Sandstorm to talk to a localhost SMTP server that does one or more of:

a) Heavily filters messages.

b) Only delivers to a local IMAP server. You could then require your users to connect their mail clients directly to that server, so that there is no middleman e-mail provider.

c) PGP-encrypts messages.

Thoughts?

-Kenton

> > > > To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-dev+unsubscribe@googlegroups.com.

> > > > For more options, visit https://groups.google.com/d/optout.
> > >
> > > --
> > > You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.

> > > To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-dev+unsubscribe@googlegroups.com.

> > > For more options, visit https://groups.google.com/d/optout.
> > >
> >
> > --
> > You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.

> > To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-dev+unsubscribe@googlegroups.com.

> > For more options, visit https://groups.google.com/d/optout.
> >
>
> --
> You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.

> To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-dev+unsubscribe@googlegroups.com.

> For more options, visit https://groups.google.com/d/optout.
>

--
You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.

To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-dev+unsubscribe@googlegroups.com.

[Alex Morega]

Hi Kenton,

Yep, we don't use sandstorm email much (we share grains by sending links manually), and maybe we should just disable it. We'd miss out on notifications but that's not a deal breaker :)

-- Alex

> > > > > To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-de...@googlegroups.com.

> > > > > For more options, visit https://groups.google.com/d/optout.
> > > >
> > > > --
> > > > You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.

> > > > To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-de...@googlegroups.com.

> > > > For more options, visit https://groups.google.com/d/optout.
> > > >
> > >
> > > --
> > > You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.

> > > To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-de...@googlegroups.com.

> > > For more options, visit https://groups.google.com/d/optout.
> > >
> >
> > --
> > You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.

> > To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-de...@googlegroups.com.

> > For more options, visit https://groups.google.com/d/optout.
> >
>
> --
> You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.

> To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-de...@googlegroups.com.

[Stephan Heffner]

Hi Kenton,

On Tuesday, August 23, 2016 at 12:57:35 AM UTC+2, Kenton Varda wrote:

Hi Alex,

It seems to me that if you are concerned about e-mail MITM, then probably you don't want to deliver *any* email that Sandstorm sends today. Maybe you should un-configure SMTP altogether?

I tried to do that by just removing the configured server, user etc. There seems to be no option to deactivate it using the admin panel. Unfortunately, server, port and mail sender seems to be required fields. Configuring localhost wouldn't be the best solution as we would get a local mail delivered to *no one*.

Is there a configuration option to disable email at all?

Thanks

Stephan

[Kenton Varda]

Hi Stephan,

Hmm, that sounds like a bug!

https://github.com/sandstorm-io/sandstorm/issues/2446

We'll try to have it fix in this weekend's release.

-Kenton

--