BTW, what does http://www.daniweb.com/api/members return? It returns some users but is there some kind of condition?

The latest members to log into the site. You can use ?page= to fetch all of the members who have logged in within the past 90 days.

^

The results are sorted by last_visit_timestamp, and you can quickly fetch "Users Currently Online" by picking out members who accessed a page within the past X minutes.
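The "currently online" filter described above, as an added example that is not DaniWeb's own code. It assumes (1) each member record carries `last_visit_timestamp` as a string of Unix epoch seconds, which the sample value `1361354427` quoted later in this thread is consistent with, (2) `?page=N` paging ends with an empty page, and (3) the ordering by last visit descending that the post states, which lets the loop stop early. The fetch is stubbed with constructed sample pages so it runs offline; `fetchMembersPage` is a stand-in for an HTTP GET of `http://www.daniweb.com/api/members?page=N`.

```javascript
// Added example (not DaniWeb's code). Assumptions: last_visit_timestamp is
// Unix epoch seconds in a string, ?page=N paging ends with an empty page,
// and pages are sorted by last visit descending (as the post states).

// Fixed "current time" so the example is deterministic.
const NOW = 1361354427;

// Constructed sample pages standing in for ?page=1, ?page=2, ?page=3.
const SAMPLE_PAGES = {
  1: [
    { id: 1, username: "Dani", last_visit_timestamp: String(NOW - 30) },
    { id: 2, username: "riahc3", last_visit_timestamp: String(NOW - 4 * 60) },
  ],
  2: [{ id: 3, username: "diafol", last_visit_timestamp: String(NOW - 20 * 60) }],
  3: [],
};

// Stand-in for an HTTP GET of http://www.daniweb.com/api/members?page=N.
function fetchMembersPage(page) {
  return SAMPLE_PAGES[page] || [];
}

// Collect members whose last visit is within the past `minutes`.
// Walks pages until an empty one; because results are sorted by last visit
// descending, stop as soon as a page's oldest entry is past the cutoff.
function membersOnline(minutes, fetchPage = fetchMembersPage, now = NOW, maxPages = 100) {
  const cutoff = now - minutes * 60;
  const online = [];
  for (let page = 1; page <= maxPages; page++) {
    const members = fetchPage(page);
    if (members.length === 0) break;
    for (const m of members) {
      const ts = Number(m.last_visit_timestamp);
      if (!Number.isFinite(ts)) continue; // skip malformed records
      if (ts >= cutoff) online.push({ ...m, last_visit: new Date(ts * 1000) });
    }
    const oldest = Number(members[members.length - 1].last_visit_timestamp);
    if (oldest < cutoff) break;
  }
  return online;
}

console.log(membersOnline(5).map((m) => `${m.username} (${m.last_visit.toISOString()})`));
```

The early-stop check is what keeps this cheap against a 90-day member list: once a page's last entry is older than the cutoff, no later page can contain anyone online.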

There are really just two things to port: using OAuth to gain an access token

I think one; OAuth....

I'll try my best to make a proof of concept of OAuth authentication in C#

@Riahc3, I'd find that of use, I've looked into it briefly but didn't figure it out in the short time I had to look at it.

Question:

Is there a way I can calculate the member ID and the secret key using just the username and password? Or is this not implemented for security reasons (e.g., a for/while loop that tries every combination possible to crack a password)?

Is there a way I can calculate the member ID and the secret key using just the username and password?

Your member ID # is the ID # that was assigned to you when you registered. It's an auto-increment key in the database. There's no way for you to calculate your secret key. It's not based on your username/password.

Of course, you can fetch someone's Member ID # if you have their username by doing:

www.daniweb.com/api/members?username=Dani

There's no way for you to calculate your secret key.

There is, but for obvious reasons you won't tell me :P Don't worry, like I mentioned, for security reasons I imagine that it would not be able to be done.

@Riahc3, I'd find that of use, I've looked into it briefly but didn't figure it out in the short time I had to look at it.

I'm not sure if it can be done; I'll try to take a look at it as well.

OK, there would be a small way to be able to get the secret key (I would only know how to do this in C#):

I would load http://www.daniweb.com (possibly in a hidden web browser control).
I would search for Member Login. It means that the user is not logged in. If not, I would hit Log Out, then search again for Member Login.
In the text boxes I would insert the username and password.
I would somehow be able to get the cookie (most problematic step).
If I get redirected to http://www.daniweb.com/members/lost_password and I find Join Daniweb, it means I'm not logged in and the login is incorrect.
If I don't, I would then go to http://www.daniweb.com/api/documentation and the secret key should be there as well.

Yes it is nasty but hey; You know my programming ;)

I don't like it too much, so if anyone has better ideas, please tell me....

Yeah that is a pretty horrendous way to do it :p I will look into it further when I get my API extension to that stage if you don't find a better method before then.

Sorry, but I am not fully understanding: what is the benefit of this? To make our own client to read the forum? Maybe good, to avoid that purple color :D but is that it? What are more serious benefits of this?

The benefit is to allow people to do whatever they like with the information available. Personally I like the purple.

A desktop client is definitely an option and I was going to look at one once I have done an API extension for C#.

What is the format of the timestamps?

For example, the example data provides "last_visit_timestamp":"1361354427", but I'm not entirely sure what this equates to. A DateTime? Something else?


Sorry, but I am not fully understanding: what is the benefit of this? To make our own client to read the forum? Maybe good, to avoid that purple color :D but is that it? What are more serious benefits of this?

You're limited by your own imagination. APIs allow you to extract any data (cached or otherwise) and use it in any way you want. You can create your own mashups, games, custom thread roller, etc etc.

Cheers cereal!

I'm incredibly confused why you need to generate/extract/etc the Secret Key ?!?! Your own secret key should be hard coded into any app that you write.

I'm incredibly confused why you need to generate/extract/etc the Secret Key ?!?! Your own secret key should be hard coded into any app that you write.

(Personally for me) The app I am writing is not for me only; I will share it with the community and I DOUBT they will want to see my posts and information. They will want to see their own.

That's the purpose of OAuth :)

The purpose of OAuth is so that you can access the account of any member (aka be that member) without the need for them to give you their username or password.

The security key is not what's needed to impersonate their account. It's meant to be hard coded into the application that you write as a security measure to authenticate yourself as the application's programmer.

Try copying and pasting the OAuth 2.0 demo that I have. When you visit the page, it should say "Hi, riahc3!" and a PHP variable will be set with all of your information. When I visit the page it will say "Hi, Dani!" and the variable will be set with all of my information.

Basically OAuth handles that entire process described above: It makes you log in, forces you to log in if you aren't already, checks your cookies, and then it gives the application access to variables about your account.

When you pass the client_id and client_secret into your OAuth application, that is NOT meant to be passing in the credentials of the end-user using the application. That is simply the credentials of the application's developer, meant to be hard-coded into the application.

Your application will automagically have all the credentials of the end user who is using the application at the time, including their personal profile settings, their private messages, their own recommended / watched / viewed articles, etc.

OK I added a bunch of bullet points to the documentation page to hopefully make OAuth a bit clearer. Let me know if it makes sense to you now.

It has made it clearer to me, also the live demo helps to explain it.

The live demo was there all along :)

Note there are two live demos: one that is server-side and one that is client-side, and they each work differently. You need to choose the one that best suits your needs. I'll add an additional bullet point about that.

Yeah I didn't get that far down the API documentation yet as still working with GET requests :) Ah, not sure which I looked at! Shall have another browse in a bit.

Most of the Authorization requests are also GET, but they're used to fetch things specific to the end user currently using your app, such as advanced info about their account (their profile settings, email address, etc.), their private messages, recently viewed articles, articles they're watching, etc.


So, can you use javascript to OAuth? But that means no client key right? How do you then prevent a malicious user from just using your member id to register their nasty little app and getting you banned?

Again, I'm probably missing something here.

How do you then prevent a malicious user from just using your member id to register their nasty little app and getting you banned?

That part hasn't been coded yet :) The way that OAuth's protocol is supposed to work is the developer is supposed to register their application's domain name with us, and we're supposed to verify that the request came from the domain name registered.

And yes, you can use javascript to OAuth. That means YES client_id but no client secret (which means anyone can pass in your client_id and say that they wrote the app). I need to fix that. I'll get to it later today.

The reason that the client_secret can't be used with javascript is because it's client-side and therefore anyone could just view the source code to see it. That wouldn't make it very much of a secret.

The reason why the whole registering apps and validating domains thing was never implemented was because I was initially not planning on releasing a clientside OAuth version, and therefore I figured that, as long as I made sure app developers were DaniWeb members, I could bypass the whole registration ordeal.

Guess not :( I'll code it up now.


Thought I'd mention that the javascript new window will probably get blocked by browsers - it did for me. I'd love to use just js, but it seems that for now the OAuth will need to stay server-side.
