File upload and OAuth


jfahrenkrug

Apr 2, 2008, 4:21:15 AM
to OpenSocial - OpenSocial Application Development
Hi,

I know that file uploads work from any Google gadget. You just use a
normal HTML file upload form with an action URL of your choice.
What if I want my file upload request to be OAuth-signed? Is that
possible? Would I have to use makeRequest for this? I'm talking about
big file uploads, possibly several hundred megs. I'm sure makeRequest
has a post-data size limit. And furthermore, I'd have to access the
contents of the local file from JavaScript to use it with makeRequest
which wouldn't work anyway for security reasons, right?

So I guess I just answered my own question, but I'd still like to hear
from anyone who has an idea how to solve this.

-- Johannes

Arne Roomann-Kurrik

Apr 2, 2008, 12:14:05 PM
to opensoc...@googlegroups.com
Hi Johannes,

   Signing such a large piece of data would be too costly and wouldn't be possible from only JavaScript, for the reason you described.  Your best bet is to make a form that POSTs the data to your remote server and handle it like normal.

   Why do you need the file to be signed?  It doesn't actually get you anything, since the contents of the file are still supplied by the end user.  Signing is only really useful for parameters that the container inserts (like ID numbers of people) so that end users cannot tamper with them.

~Arne
--
OpenSocial IRC - irc://irc.freenode.net/opensocial

jfahrenkrug

Apr 3, 2008, 2:25:58 AM
to OpenSocial - OpenSocial Application Development
Hi Arne,

Thank you for your reply.
You are absolutely right: signing the file doesn't make sense.
What I actually want is having the user ID signed but not the file and
to have both in the same request.
The reason behind it is that I want to verify that it's REALLY the
supplied user who is uploading the file, you know?

Another possibility would maybe be to use <Content type="url"> for the
gadget, but is that even supported yet?

- Johannes

On Apr 2, 6:14 pm, "Arne Roomann-Kurrik" <api.kur...@google.com>
wrote:
--
http://blog.springenwerk.com

Arne Roomann-Kurrik

Apr 4, 2008, 2:59:27 PM
to opensoc...@googlegroups.com
Hi Johannes,

   That makes sense.  What you can do is expose a page on your site that collects OpenSocial IDs and returns single-use upload "token" values.  So your application flow becomes something like:

1.) Application loads and does a signed makeRequest to this page
2.) Your server verifies the ID and returns a random one time use token, something like a random GUID.  It stores this token in a database, along with the opensocial user id.
3.) The application gets this value as a response and writes it as a hidden field in the upload form.
4.) When the user uploads the file, they POST the file contents back to your server, along with the token in the hidden field.
5.) Your server looks up the token and assigns the corresponding opensocial ID to the uploaded file.  Then it deletes the token from the database so that it cannot be used again. 

Hope this helps,
~Arne

jfahrenkrug

Apr 6, 2008, 9:51:42 AM
to OpenSocial - OpenSocial Application Development
Hi Arne,

Thanks a lot for this. That sounds like a very good solution. I'll let
you know how it works out!

- Johannes

On Apr 4, 8:59 pm, "Arne Roomann-Kurrik" <api.kur...@google.com>
wrote:
> Hi Johannes,
>
--
http://springenwerk.com