I found this snippet from Chrometophone-android DeviceRegistrar.java:

// Register device with server
DefaultHttpClient client = new DefaultHttpClient();
String continueURL = BASE_URL;
URI uri = new URI(AUTH_URL + "?continue=" +
        URLEncoder.encode(continueURL, "UTF-8") +
        "&auth=" + authToken);
HttpGet method = new HttpGet(uri);
// No redirect following - continue is not used
final HttpParams params = new BasicHttpParams();
HttpClientParams.setRedirecting(params, false);
method.setParams(params);

HttpResponse res = client.execute(method);
Header[] headers = res.getHeaders("Set-Cookie");
if (res.getStatusLine().getStatusCode() != 302 || headers.length == 0) {
    return res;
}
String ascidCookie = null;
for (Header header : headers) {
    if (header.getValue().indexOf("ACSID=") >= 0) {
        // let's parse it
        String value = header.getValue();
        String[] pairs = value.split(";");
        ascidCookie = pairs[0];
    }
}

The snippet shows us that before the Android app sends the Registration ID to the 3rd-party server, we need to fetch the current account cookie from the Google Account server. Here is what I figure:

1. get the current account TOKEN (AuthSub token) from AccountManager
2. start a request to the server, which is hosted on GAE**, with this kind of URL: https://yourapp.appspot.com/_ah/login?continue=http://localhost/&auth=TOKEN
3. fetch the cookie from the server, and use that authentication cookie in all subsequent requests

Here is my problem: my server will not be hosted on GAE, so I need to implement all the account auth stuff myself. The Android app also needs to send a request to get the account cookie from my server, but how should I know whether this request is valid and not a fake request? What can I do with the email and token? Can I use this token to get the related account email?

This is a late reply and perhaps no longer needed.
I wrote the application server using Python and am so far hosting it
on my local machine. The Client Login token is fetched in a factory
class. The code is below:
The get_token method will return the token you need to insert into the
request sent to the C2DM service hosted by Google. What is required is
that your server has internet access.

My server is powered by ROR, and I built my user system myself, so the user's email is necessary. However, a bad guy can fake a sign-up request using an email which may not belong to him. Fortunately, I can use the token to check whether the email is valid via the GData API.

On Wed, Sep 8, 2010 at 3:27 PM, Tomas Malmsten <c...@tomasmalmsten.com> wrote:
> This is a late reply and perhaps no longer needed.
> I wrote the application server using Python and am so far hosting it
> on my local machine. The Client Login token is fetched in a factory
> class. The code is below:
> class ClientLoginTokenFactory():
>     _token = None
> The get_token method will return the token you need to insert into the
> request sent to the C2DM service hosted by Google. What is required is
> that your server has internet access.
> On Aug 18, 9:12 am, Vincent Tsao <caojunvinc...@gmail.com> wrote:
> > I found this snippet from Chrometophone-android DeviceRegistrar.java
> > // Register device with server
> > DefaultHttpClient client = new DefaultHttpClient();
> > String continueURL = BASE_URL;
> > URI uri = new URI(AUTH_URL + "?continue=" +
> > URLEncoder.encode(continueURL, "UTF-8") +
> > "&auth=" + authToken);
> > HttpGet method = new HttpGet(uri);
> > // No redirect following - continue is not used
> > final HttpParams params = new BasicHttpParams();
> > HttpClientParams.setRedirecting(params, false);
> > method.setParams(params);
> > The snippet shows us that before the Android app sends the Registration
> > ID to the 3rd-party server, we need to fetch the current account cookie
> > from the Google Account server. Here is what I figure:
> > 1. get the current account TOKEN (AuthSub token) from AccountManager
> > 2. start a request to the server, which is hosted on GAE**, with this
> > kind of URL:
> > Here is my problem: my server will not be hosted on GAE, so I need to
> > implement all the account auth stuff myself. The Android app also needs
> > to send a request to get the account cookie from my server, but how
> > should I know whether this request is valid and not a fake request?
> > What can I do with the email and token? Can I use this token to get the
> > related account email?

I should note that it's recommended to use ClientLogin outside of the hosted app, so the server only has access to the token. The token can only be used for sending messages.
Also in the response you should check the headers for an updated token.
Costin
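
Costin's two points above (the server holds only the token, and each response should be checked for an updated token), sketched in Python as an added example that is not code from this thread or from Tomas's server. The `Update-Client-Auth` header name, the `GoogleLogin auth=` scheme, the `Auth=` body line and the meaning of 401 are assumptions taken from Google's C2DM and ClientLogin documentation rather than from this page; `SenderToken`, `observe_response` and `parse_clientlogin_body` are hypothetical names.

```python
import threading

# Assumptions (from Google's C2DM/ClientLogin documentation, not this thread):
# the rotation header name, the "GoogleLogin auth=" scheme, 401 = token rejected.
UPDATE_HEADER = "update-client-auth"


def parse_clientlogin_body(body):
    """Pull the Auth= value out of a ClientLogin response body (key=value lines)."""
    for line in body.splitlines():
        key, sep, value = line.partition("=")
        if sep and key == "Auth" and value:
            return value
    raise ValueError("no Auth= line in ClientLogin response")


class SenderToken:
    """Holds only the token; the account password never reaches this process."""

    def __init__(self, token):
        # Refuse empty values and embedded whitespace/CR/LF (header injection).
        if not token or any(c.isspace() for c in token):
            raise ValueError("malformed token")
        self._lock = threading.Lock()
        self._token = token

    def get_token(self):
        with self._lock:
            return self._token

    def authorization_header(self):
        return {"Authorization": "GoogleLogin auth=" + self.get_token()}

    def observe_response(self, status, headers):
        """Return 'invalid', 'rotated' or 'unchanged' for one send response."""
        if status == 401:
            return "invalid"  # token rejected: re-run ClientLogin outside the server
        lowered = {k.lower(): v.strip() for k, v in headers.items()}
        new = lowered.get(UPDATE_HEADER)
        if status != 200 or not new or any(c.isspace() for c in new):
            return "unchanged"  # nothing usable to rotate to
        with self._lock:
            rotated = new != self._token
            self._token = new
        return "rotated" if rotated else "unchanged"
```

Call `observe_response` with the status code and headers of every send response, and persist the token whenever it returns `'rotated'`.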