Loomio

Libertree API

M
matl Public Seen by 65

Hey,

Faldrian started a new discussion about a Diaspora API on Geraspora. Unfortunately the post itself and all comments are in german: https://pod.geraspora.de/posts/1036597#

All in all different people talked about "how we could create a new Diaspora API". Some examples are: OAuth and OAuth2.

I thought about it and found the API of Libertree: https://github.com/Libertree/libertree-frontend-ramaze/wiki/Member-API

Maybe it is possible to customise it in that way, that it will work with Diaspora?
What do you think about it - is this possible or not?

MK

Moritz Kiefer Sun 3 Feb 2013

I think the only thing which really needs to be added to Diaspora to improve API support is a proper authentication. Currently there's the login, then you need to save session cookies and you have to generate a new csrf-token for each request.
Libertree uses a token for API access, however the API itself is extremely limited. I can't really say anything about the advantages and disadvantages of tokens. However I would prefer using a standardized authentication model like OAuth2.
That said I know only very little about Ruby/Rails and can't say how difficult it would be to implement this or even do it myself.
The authentication was just the only thing that annoyed me building my diaspora python api.
Adding the possibility to retreive some more things via json should be a minor problem.

JH

Jonne Haß Sun 3 Feb 2013

What would one want with two endpoints?

We tried oAuth, we tried to do it decentralized. It didn't work, that's why it got removed.

RF

Rasmus Fuhse Sun 3 Feb 2013

Hmm, I am not sure, if it could be a safety-issue to send the token via GET-parameter. But those are just two routes in the libertree-API. It's nothing really special.

As Moritz said the main point is the authentication via OAuth. Can you link to the issue, Jonne. I couldn't find it in github. I thought, OAuth itself would be decentralized.

JH

Jonne Haß Sun 3 Feb 2013

Well, it got removed in the days of bad communication, so there isn't really anything to link at.

oAuth isn't decentralized, you have one service provider to which multiple consumers connect to, acting as a user. For every user a consumer has a special access token. Every consumer needs an identifier and a secret. Usually you obtain such an identifier and secret when you register your consumer at the service provider, for example at Twitter you create an "App" at https://dev.twitter.com/apps. In a decentralized environment you have no single authority to get an identifier and secret from, you have to do it for every installation of the software, each Diaspora pod would be a independent service provider. Obviously one can't do that manually, you need a way to register your app automatically. Tent does this similar (https://tent.io/docs/app-auth) to what we did, adding a bit of authenticity by requiring to specify the callback URLs at least, so once registered a third party can't easily fake your client. This approach comes to its limits if you think about mobile apps. As a client you need to keep track at which service providers you already registered and what the obtained identifiers and secrets are. With a mobile app you'd need to either create a consumer for each user or proxy everything through a centralized webservice, Bad implementations of that will quickly leak the secret and allow a third party again to more likely impersonate a consumer.

RF

Rasmus Fuhse Sun 3 Feb 2013

Thanx for explaining a little more. Now I got something to think about, hehe.

Sad, that github is losing these discussions. But on the other hand, we have loomio now.