
I'm thinking of something like Facebook apps here. User-generated pieces of code that people can write to interact with my app.

I understand how an authenticated API works, but this seems a little more complicated because not only does the APP have to authenticate itself (with a regular api-key) but the USER using the app has to be authenticated somehow too, without giving the app free rein.

I've been reading a bit here to see how FB does it: http://wiki.developers.facebook.com/index.php/How_Facebook_Authenticates_Your_Application

And it looks like you have to pass a signature in addition to the api-key along with every call, but I'm having trouble wrapping my head around how this gets generated and used on the other end (my server).

Figure there must be a simple explanation of this out there? Thanks!

P.S. I'm building a Rails app if there are any applicable gems/plugins.

Brian Armstrong
  • Only some calls (things that act on behalf of a user, mostly) require a session key -- there are a number of calls that work fine without. The actual method Facebook uses to hand the session key off to different applications differs depending on the type/setup of the application. The session key is only temporary (one hour) and is only sent to "allowed" applications. The question deserves more good (non SO?) research. –  Apr 02 '10 at 05:15
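Added example, not code from the question, from the linked Facebook page, or from any gem: one way to sign third-party app calls so the server can check both the app (api-key plus a shared secret) and the user (a short-lived session key issued to that app) on every request. The HMAC-SHA256 scheme, the parameter names (api_key, session_key, sig, ts) and the in-memory registries are assumptions made for this illustration, not Facebook's actual signature method.

```ruby
require "openssl"
require "cgi"

# Added example, not code from the question, from Facebook's docs or from any
# gem: one way to sign third-party app calls so the server can authenticate
# both the app (api_key + shared secret) and the user (a short-lived
# session_key issued to that app) on every request. Scheme, names and the
# sample registries below are assumptions made for this illustration.

# Constructed sample data: the server's registry of app secrets and of
# session keys it has issued (user, issuing app, expiry as a Unix time).
NOW = 1_700_000_000
APP_SECRETS = { "app123" => "s3cr3t-app-secret" }.freeze
SESSIONS = {
  "sess-abc" => { user_id: 42, app: "app123", expires_at: NOW + 3600 },
}.freeze

# Canonical form of the request: every parameter except the signature itself,
# sorted by name and URL-encoded, so client and server hash identical bytes.
def canonical_string(params)
  params.reject { |k, _| k.to_s == "sig" }
        .sort_by { |k, _| k.to_s }
        .map { |k, v| "#{CGI.escape(k.to_s)}=#{CGI.escape(v.to_s)}" }
        .join("&")
end

# HMAC over the canonical string keyed with the app secret. Only the app and
# the server know the secret, so a valid signature proves the app sent it.
def sign(params, secret)
  OpenSSL::HMAC.hexdigest("SHA256", secret, canonical_string(params))
end

# Constant-time comparison so the server's response time does not leak how
# many leading characters of a guessed signature were right.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Client (the third-party app): attach api_key, session_key, method name and a
# timestamp, then sign the whole thing. The app never sees the user's password.
def build_signed_request(api_key, secret, session_key, method, args, now: NOW)
  params = args.merge("api_key" => api_key, "session_key" => session_key,
                      "method" => method, "ts" => now.to_s)
  params.merge("sig" => sign(params, secret))
end

# Server (your Rails app): returns [:ok, user_id] when both the app and the
# user check out, otherwise [:error, reason]. Authenticate the app first; only
# a correctly signed request gets to name a session_key at all.
def verify_request(params, now: NOW, max_skew: 300)
  secret = APP_SECRETS[params["api_key"]]
  return [:error, "unknown api_key"] unless secret
  sig = params["sig"]
  return [:error, "missing signature"] unless sig
  return [:error, "bad signature"] unless secure_equal?(sig, sign(params, secret))

  # Replay window: the timestamp is covered by the signature, so an attacker
  # cannot refresh it without the secret.
  return [:error, "stale request"] if (now - params["ts"].to_i).abs > max_skew

  session = SESSIONS[params["session_key"]]
  return [:error, "unknown session"] unless session
  return [:error, "session not issued to this app"] unless session[:app] == params["api_key"]
  return [:error, "session expired"] if session[:expires_at] <= now
  [:ok, session[:user_id]]
end

if $PROGRAM_NAME == __FILE__
  req = build_signed_request("app123", "s3cr3t-app-secret", "sess-abc",
                             "user.profile", { "fields" => "name,email" })
  p verify_request(req)                                        # [:ok, 42]
  p verify_request(req.merge("fields" => "name,email,friends")) # [:error, "bad signature"]
end
```

The point of checking the signature before looking at session_key is that an app can only act as a user whose session key was issued to that same app: a stolen session key is useless without the app secret, and a leaked app secret still only reaches users who granted that app a session. Issuing session keys (the part Facebook does during its login flow) is out of scope here; this block only covers verifying calls once a key exists.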

2 Answers


This may be what I need:

http://github.com/phurni/authlogic_api

Brian Armstrong
  • The top answer here was also revealing: http://stackoverflow.com/questions/247110/looking-for-suggestions-for-building-a-secure-rest-api-within-ruby-on-rails – Brian Armstrong Apr 02 '10 at 07:25

Did you have any success with authlogic_api? I'm working on the server-side for a Steam game, where users are logged in through Steam, so I'm only responding to REST calls from the client (no user login required). The rdocs for authlogic_api give some brief set-up info, but I'm struggling with what to do in the application_controller to restrict access; essentially the equivalent of this code from the authlogic example:

http://github.com/binarylogic/authlogic_example/blob/5819a13477797d758cb6871f475ed1c54bf8a3a7/app/controllers/application_controller.rb

zinndesign
  • I ended up going a different route on this project, so not sure - it may have worked. Sorry I couldn't be more help! Making a Steam game sounds pretty fun though. – Brian Armstrong Jun 24 '10 at 17:50
  • Worked well in the end. Details here for anyone who stumbles across this... http://stackoverflow.com/questions/3111869/using-authlogic-api-for-rails-rest-api-access – zinndesign Aug 18 '10 at 15:59