authentication and working within another app


Alexandre Hannud Abdo

Apr 9, 2013, 8:24:09 PM
to allou...@googlegroups.com
Ni! there,

I'm running the pairwise API and I'm trying to figure out the simplest
way to let only people who are authenticated in another application
vote, and associate an identity from that application with each vote in
a way that can't be tampered with.

Has anybody done something similar to that?

The specific application I'm thinking of is called Ushahidi; it's a PHP
application <http://www.ushahidi.com/products/ushahidi-platform>.

I've been considering keeping the pairwise-api off the Internet and
modifying the application to not only include an interface but also act
as an intermediary for it, thus including the id in the extra info
field.

The other thing that came to mind would be to expose the pairwise-api
and have some JavaScript in the interface talk directly to it, but then
I can't figure out how to record the id without leaving holes that would
allow others to fake them, not without doing some more complicated
things with cookies and having the API check with another database.

What do you think?

Any tips are welcome,

Thanks!

ale
.~´

Luke Baker

Apr 10, 2013, 9:18:48 AM
to allou...@googlegroups.com
On Tue, Apr 9, 2013 at 8:24 PM, Alexandre Hannud Abdo
<ab...@member.fsf.org> wrote:
> I've been considering keeping the pairwise-api off the Internet and
> modifying the application to not only include an interface but also act
> as an intermediary for it, thus including the id in the extra info
> field.

Alexandre,

The All Our Ideas site acts much like this. Users of All Our Ideas
only connect to the All Our Ideas code, which in turn makes API
requests to the pairwise-api server.

I could easily envision a situation where your application is a client
to the pairwise-api. Your application would enforce the login
restrictions that you need to enforce. Furthermore, to associate votes
with particular users in your application you can pass along a
visitor_identifier of your choosing to help you associate those votes
with the user in your application. If you have a primary key in your
user table for your application, you could pass that key along as the
visitor_identifier. Since this visitor_identifier is being sent from
your application to the pairwise-api, users shouldn't be able to
tamper with it.

In the API docs[1], you can see that both the vote API call and the
question/show call accept a visitor_identifier.

https://github.com/allourideas/pairwise-api/wiki/prompts-vote

https://github.com/allourideas/pairwise-api/wiki/questions-show

There are other calls that accept the visitor_identifier parameter as well.

Does that help answer your question?

Luke

[1] https://github.com/allourideas/pairwise-api/wiki/API-Documentation
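
The intermediary arrangement discussed in this thread, as an added example that is not part of the original posts or of the pairwise-api code: the application builds the upstream vote parameters itself and takes visitor_identifier from its own login session, never from the browser. The session layout, the "direction" and "prompt_id" parameter names and the helper names are assumptions made for illustration; only visitor_identifier comes from the thread.

```ruby
# Added illustration, not pairwise-api or All Our Ideas code.
# Assumed names: the session hash layout, the "direction" and "prompt_id"
# parameters, and every helper below. Only visitor_identifier is from the thread.

class NotAuthenticated < StandardError; end
class BadVote < StandardError; end

ALLOWED_DIRECTIONS = %w[left right].freeze # assumed vote values

# session: server-side state written by the application at login.
# client_params: untrusted parameters from the browser's vote request.
# Returns the parameters the application would forward to pairwise-api.
def build_upstream_vote(session, client_params)
  user_id = session[:user_id]
  raise NotAuthenticated, "login required to vote" if user_id.nil?

  direction = client_params["direction"].to_s
  raise BadVote, "unknown direction" unless ALLOWED_DIRECTIONS.include?(direction)

  begin
    prompt_id = Integer(client_params["prompt_id"].to_s, 10)
  rescue ArgumentError
    raise BadVote, "prompt_id is not an integer"
  end
  raise BadVote, "prompt_id out of range" unless prompt_id.positive?

  # Allow-list construction: nothing from the browser is copied through
  # wholesale, so a client-supplied visitor_identifier never reaches the API.
  {
    "prompt_id" => prompt_id,
    "direction" => direction,
    "visitor_identifier" => user_id.to_s # primary key from the session only
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request: a logged-in user (id 42) tries to vote as user 1.
  forged = { "direction" => "left", "prompt_id" => "7", "visitor_identifier" => "1" }
  p build_upstream_vote({ user_id: 42 }, forged)
end
```

The identifier is only as trustworthy as the network path: this holds while browsers cannot reach the pairwise-api directly and all votes pass through the application.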