tomlee
    @tilgovi hello hello :) thanks for using frapp, I love hearing from users. I've been a little lazy recently, but I've got a couple of updates planned over the coming weeks.
    tomlee
      @xuedi You mean Frapp? Right, if you have a developer account that's where you need to drop your Client ID. :) I'm not yet convinced that publishing my own Client ID is "safe" as far as open source projects are concerned. Let me know if I can help further!
      tomlee
        @berg worse, all this is then linked to my client ID. You'd be forced to kill zombies on a per-access-token basis, or (more likely) I'd need to change the client ID, update & republish my app, notify all my users. That's bad. :) @oj
        tomlee
          @berg I understand it doesn't grant access to my dev acct, more troubling is e.g. spammer builds an Android app using my client ID, deploys it on the Play store. Lots of people download it. The spammer hits ADN with a bunch of crap from all those clients.
          tomlee
            @berg well there's nothing to stop somebody lifting the client ID, embedding it in their own app and using it to generate access tokens linked to my client_id. Which I'd be okay with, but if they're doing nefarious stuff it's linked to my dev account :( @oj
            tomlee
              @berg @mthurman it's come to my attention this should have been directed at you -- see my feed for more ranting on the topic :) Any thoughts/suggestions? I know it's early days wrt ADN and the API, but it's kinda paralysing wrt the open source work.
              tomlee
                @dalton ah, cheers -- sorry for the noise.
                tomlee
                  @oj @dalton @cortex looks like github uses *end user* username + password and HTTP Basic auth to generate tokens rather than some semi-secret ID embedded in the client. Much saner IMO :) http://developer.github.com/v3/oauth/#non-web-application-flow
                  tomlee
                    @cortex which I wouldn't necessarily care about, but if they were doing dodgy things with their client using my client_id (spam, fraud, whatever), I obviously don't want it being associated with my apps -- or worse, my ADN account.
                    tomlee
                      @cortex not sure if you've been following my stream, but I'm poking @dalton on the topic of client IDs for open source projects. Y'see, anybody could take that client ID, embed it in their own client & release it into the wild.
                      tomlee
                        @oj not sure if you've seen the auth docs, but see https://github.com/appdotnet/api-spec/blob/master/auth.md - see the Client-side Flow. Suggests you embed the client_id but keep the client_secret private. But you only need the client_id to get a token? :S
                        tomlee
                          @oj @dalton well as near as I can tell, there's nothing to stop you ripping a client_id out of any of the existing clients and get access tokens associated with those apps instead of your own.
                          tomlee
                            @dalton I'm working on several open source #ADN clients but a little uneasy about putting the client_id in the src code for the apps given somebody could take the key & generate access tokens against my #ADN app profile. Any thoughts here? Solved problem?
                            tomlee
                              Getting some sleep. One too many late nights this week. :) G'night folks.
                              tomlee
                                @cortex ah, I'm on 0.16.1. Must be a recent change.
                                tomlee
                                  @cortex my glib-2.0.vapi (/usr/share/vala-0.16/vapi) shows those last two parameters *should* have default values, but obviously not in your case. :( Another black mark against Vala.
                                  tomlee
                                    @cortex oh, and if you want a work-around: you may be able to modify that line of code to read like so: sb.append(GLib.Uri.escape_string("http://tomlee.co/oauth/application.php", GLib.Uri.RESERVED_CHARS_GENERIC_DELIMITERS, true));
                                    tomlee
                                      @cortex thanks for trying, sounds like you got pretty close. what does valac --version give you? Or what does the Version field from an "apt-cache show valac-0.16-vapi" give?
                                      tomlee
                                        @cdn :) you mean directly using an access token? Yeah, leaving the rubbish associated with acquiring an access token to apps built on top of it. Hopefully it's kinda-sorta obvious how that should work (but let me know if I can clarify)