On Tue, 2012-10-02 at 09:50 +0200, Patrick Ohly wrote:
> > I had some trouble with Google's API which turned out to be buggy, but
> > I managed to work around it.
>
> Can you provide details? I'm currently at CalConnect, sitting a few
> chairs away from Google developers who work on the GData API. I can try
> to get them to look at these bugs.
Sure. I had originally wanted to register the application as a device (not because it is really a device, but because it would simplify certain automatic web page decoding). When a device attempts to use the tasks scope, the REST interface reports that the scope is invalid. This is apparently due to a missing "whitelist" at Google. Connecting as an application works, though, so I had to revert to this method.

> > The code currently demonstrates that Google's requirement that users
> > manually authorize applications to access their data can easily be
> > circumvented, meaning that it provides a false sense of security. All
> > you need to do is provide your Google username and password to an
> > application, and it will be able to do anything with any of your
> > Google data without you knowing any better.
>
> You probably mean the two-factor login? Can you point me to the code
> which circumvents that requirement and/or provide a high-level
> description of how that is done?

It's relatively easy: first, the application opens a login page and identifies the login form. Then it fills the Email and Passwd entries with the user's Google username ([email protected]) and password and submits the form. The session now includes the Google login. Next, the application requests the page where the user authorizes it to access his or her data, then decodes the approval form and submits it. The functions that handle all this are called "login_to_gmail" and "authorize_application" and are both found in the file google-oauth2.c.

> I have a hunch that you use the main username/password to create per-app
> passwords. I don't think two-factor login is meant to protect against
> that. As soon as someone has the main username/password, obviously the
> door is wide open.

Indeed. I had no idea there even was a per-app password. I wonder how many users are aware of that.

> Both would be possible and desirable.

Thanks.
I'll probably look into the syntax of some widely used "X-blank" properties and see if I can use those. For example, if some of the Google Tasks-specific fields are also provided by Outlook, then it would probably make sense to just use Outlook's X-prop key and formatting.

-- 
Ole Wolf
Rødhættevej 4 • 9400 Nørresundby
Telefon: 9632-0108 • Mobil: 2467-5526 • Skype: ole.wolf
SyncEvolution mailing list
[email protected]
http://lists.syncevolution.org/listinfo/syncevolution
