Hi Arne,

Thanks a lot for this. That sounds like a very good solution. I'll let
you know how it works out!

- Johannes

On Apr 4, 8:59 pm, "Arne Roomann-Kurrik" <[EMAIL PROTECTED]> wrote:
> Hi Johannes,
>
> That makes sense. What you can do is expose a page on your site that
> collects opensocial ids and returns single-use upload "token" values. So
> your application flow becomes something like:
>
> 1.) Application loads and does a signed makeRequest to this page
> 2.) Your server verifies the ID and returns a random one time use token,
> something like a random GUID. It stores this token in a database, along
> with the opensocial user id.
> 3.) The application gets this value as a response and writes it as a hidden
> field in the upload form.
> 4.) When the user uploads the file, they POST the file contents back to your
> server, along with the token in the hidden field.
> 5.) Your server looks up the token and assigns the corresponding opensocial
> ID to the uploaded file. Then it deletes the token from the database so
> that it cannot be used again.
>
> Hope this helps,
> ~Arne
>
> On Wed, Apr 2, 2008 at 11:25 PM, jfahrenkrug <[EMAIL PROTECTED]> wrote:
>
> > Hi Arne,
> >
> > Thank you for your reply.
> > You are absolutely right: signing the file doesn't make sense.
> > What I actually want is having the user ID signed but not the file and
> > to have both in the same request.
> > The reason behind it is that I want to verify that it's REALLY the
> > supplied user who is uploading the file, you know?
> >
> > Another possibility would maybe be to use <Content type="url"> for the
> > gadget, but is that even supported yet?
> >
> > - Johannes
> >
> > On Apr 2, 6:14 pm, "Arne Roomann-Kurrik" <[EMAIL PROTECTED]>
> > wrote:
> > > Hi Johannes,
> > >
> > > Signing such a large piece of data would be too costly and wouldn't be
> > > possible from only javascript, for the reason you described. Your best bet
> > > is to make a form that POSTs the data to your remote server and handle it
> > > like normal.
> > >
> > > Why do you need the file to be signed? It doesn't actually get you
> > > anything, since the contents of the file are still supplied by the end
> > > user. Signing is only really useful for parameters that the container
> > > inserts (like ID numbers of people) so that end users cannot tamper with
> > > them.
> > >
> > > ~Arne
> > >
> > > On Wed, Apr 2, 2008 at 1:21 AM, jfahrenkrug <[EMAIL PROTECTED]>
> > > wrote:
> > >
> > > > Hi,
> > > >
> > > > I know that file uploads work from any google gadget. You just use a
> > > > normal html file upload form with an action url of your choice.
> > > > What if I want my file upload request to be OAuth-signed? Is that
> > > > possible? Would I have to use makeRequest for this? I'm talking about
> > > > big file uploads, possibly several hundred megs. I'm sure makeRequest
> > > > has a post-data size limit. And furthermore, I'd have to access the
> > > > contents of the local file from javascript to use it with makeRequest
> > > > which wouldn't work anyway for security reasons, right?
> > > >
> > > > So I guess I just answered my own question, but I'd still like to hear
> > > > from anyone who has an idea how to solve this.
> > > >
> > > > -- Johannes
> > >
> > > --
> > > OpenSocial IRC - irc://irc.freenode.net/opensocial
> >
> > --
> > http://blog.springenwerk.com
>
> --
> OpenSocial IRC - irc://irc.freenode.net/opensocial

--
http://springenwerk.com
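
Added example, not part of the original thread or any participant's code: a server-side sketch of steps 2 and 5 of the flow quoted above (issue a random single-use token bound to the verified OpenSocial ID, then redeem and delete it when the upload arrives). The class name `UploadTokenStore`, the SQLite table, the 10-minute expiry and the hashing of stored tokens are assumptions made for illustration, and verification of the signed makeRequest is assumed to happen before `issue` is called.

```python
import hashlib
import secrets
import sqlite3
import time

TOKEN_TTL_SECONDS = 600  # assumption: the thread does not specify an expiry


def _digest(token):
    # Store only a hash so a leaked table does not expose usable tokens
    # (a hardening added here, not something the thread asks for).
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class UploadTokenStore:
    """Hypothetical store for steps 2 and 5 of the flow."""

    def __init__(self, path=":memory:"):
        # isolation_level=None: transactions are controlled explicitly below.
        self.db = sqlite3.connect(path, isolation_level=None)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS upload_tokens ("
            "digest TEXT PRIMARY KEY, opensocial_id TEXT NOT NULL, "
            "expires_at REAL NOT NULL)")

    def issue(self, verified_id, now=None):
        """Step 2. Call only after the signed makeRequest has been verified."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, from the OS CSPRNG
        self.db.execute(
            "INSERT INTO upload_tokens VALUES (?, ?, ?)",
            (_digest(token), verified_id, now + TOKEN_TTL_SECONDS))
        return token

    def redeem(self, token, now=None):
        """Step 5. Return the bound ID once; None if unknown, used or expired."""
        now = time.time() if now is None else now
        digest = _digest(token)
        self.db.execute("BEGIN IMMEDIATE")  # lookup + delete as one atomic unit
        try:
            row = self.db.execute(
                "SELECT opensocial_id, expires_at FROM upload_tokens "
                "WHERE digest = ?", (digest,)).fetchone()
            self.db.execute(
                "DELETE FROM upload_tokens WHERE digest = ?", (digest,))
            self.db.execute("COMMIT")
        except Exception:
            self.db.execute("ROLLBACK")
            raise
        if row is None or row[1] < now:
            return None
        return row[0]
```

The upload handler should take the user ID only from the value `redeem` returns and reject the upload when it returns `None`; an ID sent as a form field alongside the file is user-supplied and unsigned.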
