Send the app key with custom URL updates
You guys should send the user's application key along with POST requests to the custom URL. I'm writing a WordPress plugin that displays the user's current status, but it would be more secure to have the user input his/her app key in the settings page for my plugin (in the WP admin).
Right now I'm just renaming the Ping.fm beacon script (the custom URL endpoint) to a random string and telling the user to copy/paste into Ping.fm's custom URL field. The string is really random using PHP's uniqid() function with a random salt and additional entropy, and then taking an MD5 hash of that mess, but still...
Comparing app keys is the right way to do it. :-)
-
We discussed this idea, but the application key is only for posting to ping.fm. Even if we sent it to you in the post data, the user would also have to give it to you manually before it would work so you enter it in your own database for comparison. This adds a step for the user to perform and complicates the process for them. We would also have to add a checkbox (or some option) to include the application key (for security reasons).
The way you are doing it now is the best. You give the user the complete url, including their custom key, then they can enter it easily in one paste. You will be able to associate their key when it comes in since you create it to begin with.
I’m a custom url
-
Right, but there's still one thing I don't like about my solution, and that's the fact that many shared hosts might not have high enough file permissions set for the Apache/webserver user. If renaming the endpoint file is impossible, anyone who knows that a) the user is running WordPress and b) the user is using my plugin could POST status updates to that person's site. Not good, obviously.
Using the app key would take away that limitation without having to tell people that they might need to drop down to the command line and start chmod'ing things. And we all know how dangerous Linux is in the hands of the people... :-)
Matt -
Gah. I don't know what I was thinking yesterday. It was the end of the work week, and my mind was mush from staring at the Postgres prompt all day. Everything is fine now. I'm sending the unique token through the URL instead of trying to POST to a unique filename. You win some, you lose some.
Now I'm just waiting for my subversion account at the WordPress plugin directory, and then I'll release this little monster to the world. See it in action at my blog: http://mattjacob.com
I’m stupid
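The token-in-URL check that the post above settles on, as an added example that is not part of the thread or the plugin's code. The query parameter name `token`, the endpoint URL and the function names are assumptions, and `random_bytes()` is used here in place of the `uniqid()`/MD5 construction mentioned in the first post.

```php
<?php
// Added example: hypothetical endpoint logic, not the plugin's or Ping.fm's code.

/** Create a 256-bit secret token from the OS CSPRNG (64 hex characters). */
function make_endpoint_token(): string {
    return bin2hex(random_bytes(32));
}

/** Build the URL the user pastes into the custom URL field ("token" is an assumed name). */
function build_custom_url(string $endpoint, string $token): string {
    return $endpoint . '?' . http_build_query(['token' => $token]);
}

/**
 * Decide whether an incoming request may post a status update.
 * Returns the HTTP status code the endpoint should answer with.
 */
function authorize_update(string $method, array $query, string $storedToken): int {
    if ($method !== 'POST') {
        return 405;                       // updates arrive as POST only
    }
    $given = $query['token'] ?? '';
    if (!is_string($given) || $storedToken === '') {
        return 403;                       // missing, array-valued or unconfigured token
    }
    // hash_equals() compares in constant time, unlike == or strcmp()
    return hash_equals($storedToken, $given) ? 200 : 403;
}

// Constructed demonstration: a plugin would generate the token once and keep it in its settings.
$token = make_endpoint_token();
$url   = build_custom_url('https://blog.example/pingfm-endpoint.php', $token);
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);

var_dump(authorize_update('POST', $query, $token));               // valid request
var_dump(authorize_update('POST', ['token' => 'guess'], $token)); // wrong token
var_dump(authorize_update('POST', [], $token));                   // token missing
var_dump(authorize_update('GET',  $query, $token));               // wrong method
```

Because the token travels in the query string, it ends up in web server access logs, so those logs need the same protection as the token itself and the endpoint should be served over HTTPS.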
-
haha ok cool.. I wasn't sure how to reply. We might have a 3rd party app/url gallery someday.. put a comment in the developer forum when you have it done.
I’m a custom url
