webserver – Is it ok to give the client the power to make any request from within our server?

We have a very heavy endpoint on our server, that takes a few hours to respond. Of course, this would result in a timeout, so we added an “asynchronous” functionality to it.

To summarize, a client will start the request like this:

POST https://our.server/api/long-running-query

    search: '....',
    callback: 'https://client.server/api/callback-for-long-running-query',
    authorization: 'basic aBcDeFgHi12345678'

(the authorization in the body is optional, and has nothing to do with our server. More on that below)

And our server will immediately respond with an empty 200 OK, closing the connection.

After some time, our server will finish the query and will start a new request to the client, based on the URL provided in the “callback”, and with the authorization header (if provided by the client).

POST https://client.server/api/callback-for-long-running-query
Authorization: basic aBcDeFgHi12345678

    result: '....'

Our server will only verify if the response status from the client server is 200, and discard the returned request body.

So, long story short, this will give the power to the client to make any request from within our server.

Also, we can’t validate the domain (forcing it to match the origin), because some clients will make “cross-server” requests, that is, start the batch operation from one server, and receive the response in the other, with another domain.

Any thoughts?
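The design described above lets a caller point the server at arbitrary hosts, including loopback, link-local and internal addresses, which is the usual SSRF concern. One standard defender-side mitigation is to validate the callback URL before it is ever fetched. The example below is added here and is not code from the question's author; it assumes an injectable resolver (defaulting to `socket.getaddrinfo`) so that the check can be exercised offline, and it deliberately allows only HTTPS on port 443.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _is_public_address(ip_text):
    """True only for globally routable unicast addresses (v4 or v6)."""
    addr = ipaddress.ip_address(ip_text.split("%")[0])  # drop IPv6 scope id
    return addr.is_global and not addr.is_multicast


def validate_callback_url(url, resolver=socket.getaddrinfo):
    """Return (ok, reason) for a client-supplied callback URL.

    Rejects non-HTTPS schemes, embedded credentials, unusual ports, and any
    hostname that resolves to a loopback, private, link-local, reserved or
    multicast address. `resolver` follows socket.getaddrinfo's signature and
    is injectable for testing (an assumption of this example).
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 443):
        return False, "only port 443 is allowed"
    try:
        infos = resolver(parts.hostname, 443)
    except OSError:
        return False, "host does not resolve"
    addresses = {info[4][0] for info in infos}
    if not addresses:
        return False, "host does not resolve"
    for ip in addresses:
        if not _is_public_address(ip):
            return False, "host resolves to non-public address %s" % ip
    return True, "ok"
```

Checking at validation time is not sufficient on its own: the HTTP client that later delivers the result must also connect to an address that passed this check (DNS rebinding) and must not follow redirects to hosts that would fail it.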