Hi Johannes,

   That makes sense.  What you can do is expose a page on your site that
collects opensocial ids and returns single-use upload "token" values.  So
your application flow becomes something like:

1.) Application loads and does a signed makeRequest to this page
2.) Your server verifies the ID and returns a random one time use token,
something like a random GUID.  It stores this token in a database, along
with the opensocial user id.
3.) The application gets this value as a response and writes it as a hidden
field in the upload form.
4.) When the user uploads the file, they POST the file contents back to your
server, along with the token in the hidden field.
5.) Your server looks up the token and assigns the corresponding opensocial
ID to the uploaded file.  Then it deletes the token from the database so
that it cannot be used again.

Hope this helps,
~Arne


On Wed, Apr 2, 2008 at 11:25 PM, jfahrenkrug <[EMAIL PROTECTED]> wrote:

>
> Hi Arne,
>
> Thank you for your reply.
> You are absolutely right: signing the file doesn't make sense.
> What I actually want is having the user ID signed but not the file and
> to have both in the same request.
> The reason behind it is that I want to verify that it's REALLY the
> supplied user who is uploading the file, you know?
>
> Another possibility would maybe be to use <Content type="url"> for the
> gadget, but is that even supported yet?
>
> - Johannes
>
> On Apr 2, 6:14 pm, "Arne Roomann-Kurrik" <[EMAIL PROTECTED]>
> wrote:
> > Hi Johannes,
> >
> >    Signing such a large piece of data would be too costly and wouldn't be
> > possible from only javascript, for the reason you described.  Your best bet
> > is to make a form that POSTs the data to your remote server and handle it
> > like normal.
> >
> >    Why do you need the file to be signed?  It doesn't actually get you
> > anything, since the contents of the file are still supplied by the end
> > user.  Signing is only really useful for parameters that the container
> > inserts (like ID numbers of people) so that end users cannot tamper with
> > them.
> >
> > ~Arne
> >
> >
> >
> > On Wed, Apr 2, 2008 at 1:21 AM, jfahrenkrug <[EMAIL PROTECTED]> wrote:
> >
> > > Hi,
> >
> > > I know that file uploads work from any google gadget. You just use a
> > > normal html file upload form with an action url of your choice.
> > > What if I want my file upload request to be OAuth-signed? Is that
> > > possible? Would I have to use makeRequest for this? I'm talking about
> > > big file uploads, possibly several hundred megs. I'm sure makeRequest
> > > has a post-data size limit. And furthermore, I'd have to access the
> > > contents of the local file from javascript to use it with makeRequest
> > > which wouldn't work anyway for security reasons, right?
> >
> > > So I guess I just answered my own question, but I'd still like to hear
> > > from anyone who has an idea how to solve this.
> >
> > > -- Johannes
> >
> > --
> > OpenSocial IRC - irc://irc.freenode.net/opensocial
>
> --
> http://blog.springenwerk.com
> >
>


-- 
OpenSocial IRC - irc://irc.freenode.net/opensocial
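
The five-step token flow from Arne's reply at the top of this thread, sketched server-side as an added example (not code from the thread or from OpenSocial). The function and table names, the SQLite store, the 10-minute expiry and storing only a hash of the token are assumptions of this sketch; verification of the signed makeRequest is assumed to have happened before `issue_token` is called.

```python
import hashlib
import secrets
import sqlite3
import time

TOKEN_TTL_SECONDS = 600  # assumption: the thread does not specify an expiry


def _digest(token):
    # Store only a hash so a database leak does not expose usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def open_store():
    db = sqlite3.connect(":memory:")  # in-memory store, for the example only
    db.execute(
        "CREATE TABLE upload_tokens ("
        "token_hash TEXT PRIMARY KEY, user_id TEXT NOT NULL, expires_at REAL NOT NULL)"
    )
    return db


def issue_token(db, verified_user_id, now=None):
    """Step 2: bind a fresh random token to an already-verified OpenSocial id."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    with db:
        db.execute("INSERT INTO upload_tokens VALUES (?, ?, ?)",
                   (_digest(token), verified_user_id, now + TOKEN_TTL_SECONDS))
    return token  # step 3: the gadget writes this into the hidden form field


def redeem_token(db, token, now=None):
    """Step 5: return the bound user id and consume the token, or None."""
    now = time.time() if now is None else now
    digest = _digest(token)
    with db:
        row = db.execute(
            "SELECT user_id, expires_at FROM upload_tokens WHERE token_hash = ?",
            (digest,)).fetchone()
        if row is None:
            return None  # unknown, forged, or already used
        # Delete before trusting the row; rowcount 1 means this request consumed it.
        deleted = db.execute(
            "DELETE FROM upload_tokens WHERE token_hash = ?", (digest,)).rowcount
        user_id, expires_at = row
        if deleted != 1 or expires_at <= now:
            return None  # consumed by a concurrent request, or expired
        return user_id
```

The upload handler attributes the file to the id returned by `redeem_token` and rejects the POST when it returns `None`; the user id is never read from the form itself.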
