Howdy!
> I have a weather web API (http://www.worldwildweather.com/api)
> intended among other things for use in mashups. Since I want to be
> able to have some degree of control of the usage of this service I
> would like to implement something like the Google Maps API keys. This
> key is tied to a specific domain name. It would probably be overkill
> to use something like OAuth since my servers do not contain any private
> user information.
>
> I am wondering how the Google Maps API keys work. Have any of you
> tried to implement something similar or just tried to understand how
> it works?

There are two ways, one convenient, the other secure, to do custom API
keys.

If you are willing to have a database table, you can store a UUID
"key" and domain name mapping (as well as referencing a user, etc. so
people can find their keys and you can track who is using what) and
perform a lookup on that key (I'd suggest using something like
memcached for faster lookup if you anticipate your API to be popular)
then check the referrer of the request. Referrers, however, can be
spoofed. :/

The easier is to have a secret key (static or formulaic) and hash it
with the domain part (or deeper, like Google does) of the referrer,
then check the hash. E.g. with a secret key of "my secret key" and a
referrer domain of "example.com":

>>> from hashlib import sha256
>>> hash = sha256(b"my secret key" + b"|" + b"example.com")
>>> hash.hexdigest()
'383b35c68c0aab25c5f0eb42b7b9149931e265be9f9db94d8b000b83b8915662'

If the key supplied via GET/POST matches, the user is valid. I prefer
using a database table. ;^)

You can actually encode a lot more information in the key, if you
want. Combine HMAC (to prevent people fiddling with the key), JSON
(or any other object encoder, you could use bencode or Python pickles,
too), and Base64 encoding for extra fun.

— Alice.
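
The HMAC + JSON + Base64 combination from the last paragraph, as an added example that is not part of the original message: the key carries its own claims and the server checks the MAC before trusting them. The names SECRET, issue_key, verify_key, b64e, b64d and the claim fields "dom" and "uid" are assumptions, and the referrer domain passed in is still whatever the client sent.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"my secret key"  # assumption: server-side secret, never sent to clients


def b64e(data: bytes) -> str:
    """URL-safe Base64 without padding, so the key fits in a query string."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64d(text: str) -> bytes:
    """Inverse of b64e: restore the stripped padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_key(domain: str, user: str) -> str:
    """Return '<payload>.<tag>' where tag = HMAC-SHA256(SECRET, payload)."""
    payload = json.dumps({"dom": domain.lower(), "uid": user},
                         sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)


def verify_key(key: str, referrer_domain: str):
    """Return the claims if the key is authentic and bound to this domain, else None."""
    try:
        payload_part, tag_part = key.split(".")
        payload, tag = b64d(payload_part), b64d(tag_part)
    except (ValueError, TypeError):
        return None  # malformed key: wrong number of parts or bad Base64
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    # Verify the MAC in constant time before parsing the payload, so the
    # decoder only ever sees bytes this server produced.
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    if claims.get("dom") != referrer_domain.lower():
        return None  # valid key, but issued for a different domain
    return claims
```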