upload track - webapp

[squared99]

Hi Guys,

Question regarding track uploads from a web application.

In this situation I have OAuth access all set up and working such that
a user can authorize, access and modify etc their soundcloud account
directly from the web application using the apis. That is all fine.

Where I am having a bit of trouble is in understanding the process
flow for a file upload.
Is it possible to upload via the browser directly to the users
soundcloud account from the web application, similar to the way that
the youtube browser uploading works?
http://code.google.com/apis/youtube/2.0/developers_guide_protocol.html#Browser_based_uploading,

ie I dont have to get them to upload a file to us first, but can
simply build a form that allows them to upload directly to their
soundcloud account and redirects back to the web app with status
information on the upload.

Or am i going to have to get the file uploaded to our server first and
then bounce it over to their soundcloud account?

Any insights appreciated. I'm working in PHP btw.

Cheers

Jeff

[Hannes Tydén]

Hi Jeff!

On Tue, Nov 17, 2009 at 6:30 AM, squared99 <squa...@gmail.com> wrote:
> Where I am having a bit of trouble is in understanding the process
> flow for a file upload.
> Is it possible to upload via the browser directly to the users
> soundcloud account from the web application, similar to the way that
> the youtube browser uploading works?
> http://code.google.com/apis/youtube/2.0/developers_guide_protocol.html#Browser_based_uploading,
>
> ie I dont have to get them to upload a file to us first, but can
> simply build a form that allows them to upload directly to their
> soundcloud account and redirects back to the web app with status
> information on the upload.
>

Yes, you can upload directly to our host, but not completely without risk.

We support plain vanilla OAuth 1.0(a) and use multipart/form-data
mimetype encoding for receiving files. The OAuth specification says
that multipart/form-data POST requests should include any request body
parameters when generating the request signature
(http://oauth.net/core/1.0a#anchor13). This allows for "pre-signed"
file upload requests. You simple create a mock POST request to the
/tracks resource and extract the oauth parameters and use them to
populate the form fields.

Though this must be done with precaution. The oauth parameters in the
form could be extracted for malicious purposes.

> Or am i going to have to get the file uploaded to our server first and
> then bounce it over to their soundcloud account?

This would be the more secure approach.

> Any insights appreciated. I'm working in PHP btw.

Are you using http://github.com/mptre/php-soundcloud or do you hack
your custom solution?

Cheers,
Hannes

--
Hannes Tydén
Developer, SoundCloud

Mail: han...@soundcloud.com
Skype: hannestyden
Phone: +49 157 7471 6101
Rosenthalerstr. 13
10119 Berlin, DE

What is SoundCloud?
http://soundcloud.com/tour

[squared99]

Hi Hannes

It looks like I am using the same oauth.php library, but have written
my own soundcloud module using some generic base classes I built to
hook into differing oauth services.

I am debating uploading and bouncing, as you say it may be more
secure. I also understand the example more thoroughly as far as
sending and getting information back from the request.

Thanks, your feedback has been very helpful. In the example you give
below with the mock POST etc. How would you specify where the user
would end up after the file has been posted etc. In my bit of
experimenting I do believe I posted a signed request, but ended up on
the tracks request page (since that was the destination of the form
post) with the xml response from the request. It looked like it was
successful but I would need to send the user back to our site somehow.

Perhaps I have gap in my thinking here.

Cheers!

Jeff

On Nov 17, 11:47 pm, Hannes Tydén <han...@soundcloud.com> wrote:
> Hi Jeff!
>

> On Tue, Nov 17, 2009 at 6:30 AM, squared99 <square...@gmail.com> wrote:
> > Where I am having a bit of trouble is in understanding the process
> > flow for a file upload.
> > Is it possible to upload via the browser directly to the users
> > soundcloud account from the web application, similar to the way that
> > the youtube browser uploading works?

> >http://code.google.com/apis/youtube/2.0/developers_guide_protocol.htm...,

>
> > ie I dont have to get them to upload a file to us first, but can
> > simply build a form that allows them to upload directly to their
> > soundcloud account and redirects back to the web app with status
> > information on the upload.
>
> Yes, you can upload directly to our host, but not completely without risk.
>
> We support plain vanilla OAuth 1.0(a) and use multipart/form-data
> mimetype encoding for receiving files. The OAuth specification says
> that multipart/form-data POST requests should include any request body
> parameters when generating the request signature
> (http://oauth.net/core/1.0a#anchor13). This allows for "pre-signed"
> file upload requests. You simple create a mock POST request to the
> /tracks resource and extract the oauth parameters and use them to
> populate the form fields.
>
> Though this must be done with precaution. The oauth parameters in the
> form could be extracted for malicious purposes.
>
> > Or am i going to have to get the file uploaded to our server first and
> > then bounce it over to their soundcloud account?
>
> This would be the more secure approach.
>
> > Any insights appreciated. I'm working in PHP btw.
>

> Are you usinghttp://github.com/mptre/php-soundcloudor do you hack