authlogic_api's Issues

MD5 is insecure

Hey, MD5 hashing is considered insecure, and therefore this library is also insecure. You should switch to a stronger hashing scheme.

api_key_param 'app_key'

Hi

From what I could understand, this plugin intends to use authlogic's authentication process but while using api_key/api_secret instead of login/password (correct me if I'm wrong).

But what exactly is the purpose of this line?

api_key_param 'app_key'

I keep getting an "undefined method `api_key_param'" error if I use it.

Without it the authentication is still not working.

How to test my authlogic_api app?

My question is how to make requests?

I understand that I have to put app_key in the query string, like:

http://localhost:3000/posts?app_key=key

But will my secret be exposed too? In an Ajax request, for example, will the secret be exposed in the JavaScript code, in the block that hashes it with the params and app_key?

Do you have some examples for consuming a resource?

Thanks!

Feedback

Hello phurni,
I was trying to use the authlogic_api plugin and have created the model and session, but I don't know how to validate the created session (I am a newbie to RoR).
Do I have to create a new session when an action on a controller is called? And if so, how can I make it validate using validate_by_api and not validate_by_password?
If you can send me an example of an implementation, it would be very, very helpful to me.
I am really at an impasse here and seek your help as soon as possible.
Thanks in advance

Question about background on this approach...

Thanks for making/posting this!

Is there somewhere I can read up on this approach to authenticating APIs? (I saw Facebook uses something similar with their apps) but I don't feel like I quite understand it yet. Specifically...

If I understand the server side right...

The app_key never goes across the wire, so when it gets to the server, the server recomputes the signature using its own app_key and makes sure it matches.

Ok I get this....but

  1. Why is the app_key used only in the GET and not in the POST then?
  2. Can't someone who intercepts your GET send the exact same message again, impersonating you? Granted this isn't quite as bad - they can only do over again a post you already made (replay attack). But still, could be used to write a bunch of stuff to someone's account.

Regarding #2, I'm assuming this is why Facebook passes the microtime (num milliseconds) as an additional param? So maybe that is an additional precaution not used here.

Finally...is this a good way to authenticate BOTH a user and an app? I guess this is what I'm really trying to do. Haven't quite wrapped my head around it though.

Thanks again!
Brian
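
The replay question above and the MD5 issue at the top of this page both come down to how a signed request is checked on the server. The following is an added example, not authlogic_api's code or wire format: it assumes hypothetical `ts`, `nonce` and `signature` parameters next to `app_key`, swaps MD5 for HMAC-SHA256, and rejects stale or repeated requests.

```ruby
require 'openssl'
require 'uri'

MAX_SKEW = 300 # seconds a signed request is accepted (assumed window)

# Sorted, URL-encoded pairs so client and server sign identical bytes.
def canonical(params)
  URI.encode_www_form(params.reject { |k, _| k == 'signature' }.sort)
end

# HMAC-SHA256 keyed with the shared secret; the secret itself is never sent.
def sign(params, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, canonical(params))
end

# Comparison whose timing does not depend on where the strings differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

class RequestVerifier
  def initialize(secrets, now: -> { Time.now.to_i })
    @secrets = secrets # app_key => shared secret
    @now = now         # injectable clock
    @seen = {}         # [app_key, nonce] => time after which it can be forgotten
  end

  def verify(params)
    secret = @secrets[params['app_key']]
    return :unknown_key if secret.nil?
    return :bad_signature unless secure_equal?(params['signature'].to_s, sign(params, secret))
    ts = params['ts'].to_i
    return :stale if (@now.call - ts).abs > MAX_SKEW
    return :missing_nonce if params['nonce'].to_s.empty?
    @seen.delete_if { |_, expiry| expiry < @now.call }
    id = [params['app_key'], params['nonce']]
    return :replayed if @seen.key?(id)
    @seen[id] = ts + MAX_SKEW # remember the nonce for as long as ts stays acceptable
    :ok
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request; key and secret are placeholders.
  v = RequestVerifier.new({ 'demo-key' => 'demo-secret' })
  req = { 'app_key' => 'demo-key', 'ts' => Time.now.to_i.to_s, 'nonce' => 'n1', 'title' => 'hi' }
  req['signature'] = sign(req, 'demo-secret')
  puts v.verify(req), v.verify(req) # the first call is accepted, the replay is not
end
```

The in-memory nonce table only works for a single process; a deployment with several workers would need a shared store with the same expiry rule.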

Rails 3: authlogic_api throws SystemStackError (stack level too deep)

In Rails 3, authlogic_api throws SystemStackError (stack level too deep) when saving acts_as_authentic models. This error occurs both for User models which use only core authlogic (rather than authlogic_api) as well as for Client models which require authlogic_api. Removing authlogic_api but keeping authlogic resolves this error for User models.
