darael: Black lines on a white background. A circle, with twenty-one straight lines connecting seven equally spaced points. (Default)
Darael ([personal profile] darael) wrote in [site community profile] dw_dev2014-04-20 01:53 am
  • Add Memory
  • Share This Entry
  • Current Mood: optimistic
Entry tags:

On clients and APIs

Dreamwidth's APIs are poorly documented (people basically have to work off docs for old versions of LJ's APIs). They're also missing key features, like comment handling for more than backups.

I've been told there have been "some internal conversations about deprecating the XML-RPC API -- keeping it for backwards compatability, but moving to a much more modern second-gen API", but that nobody has had both the time and the inclination to work on designing such a thing.

Well, this is me, volunteering. To that end, I'm looking for input on what exactly such a new API needs to provide, and whether there's a preferred underlying technology to build on (exempli gratia, stick with XML-RPC? Change to SOAP? Use JSON? RESTful or not? et cetera). What I'm getting at here is that I'm entirely happy to take point, as it were, and to make decisions (especially where there's little or no consensus and someone has to make the call), draw up specs, write docs, and so forth, but the result is highly unlikely to be a really useful API unless I get input from more sources than my own experience and looks at the code.

At this stage, therefore, I want everything you, the reader, have to say on the subject. Use cases especially.

Go.
Flat | Top-Level Comments Only
andrewducker: (Default)

[personal profile] andrewducker 2014-04-20 10:52 am (UTC)(link)
Also: OAuth.

At the moment, for the users who use my web-app to post to DW, I have to store their actual password. This is...not good.
darael: Black lines on a white background. A circle, with twenty-one straight lines connecting seven equally spaced points. (Default)

[personal profile] darael 2014-04-20 11:30 am (UTC)(link)
I am entirely behind this. Caching passwords is bad. A good API should enable an app to store an application-specific and account-specific auth token, and OAuth is an extant, well-defined protocol for doing just that.
fu: Close-up of Fu, bringing a scoop of water to her mouth (Default)

[personal profile] fu 2014-04-22 07:33 am (UTC)(link)
Agreed.
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2014-04-20 08:03 pm (UTC)(link)

Someone else is working on implementing OAuth!

darael: Black lines on a white background. A circle, with twenty-one straight lines connecting seven equally spaced points. (Default)

[personal profile] darael 2014-04-20 08:24 pm (UTC)(link)

Good. It can be the preferred authentication mechanism for YAAPI (I am using that name now and the only way to stop me is to come up with a better one).

denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2014-04-20 08:28 pm (UTC)(link)

*snerk* I am not going to fight you on it! We are Perl people, after all ;)

pauamma: Cartooney crab wearing hot pink and acid green facemask holding drink with straw (Default)

[personal profile] pauamma 2014-04-20 09:30 pm (UTC)(link)
TMTOAPITDI! (Does DW still support the flat API?)
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2014-04-20 09:33 pm (UTC)(link)

I think so! At least I can't remember ever killing it ;)

andrewducker: (Default)

[personal profile] andrewducker 2014-04-20 08:27 pm (UTC)(link)
Yay!
darael: Black lines on a white background. A circle, with twenty-one straight lines connecting seven equally spaced points. (Default)

[personal profile] darael 2014-04-21 03:44 pm (UTC)(link)
In point of fact is it viable to require OAuth for YAPI authentication, or is there a compelling reason to support other authentication mechanisms? If the latter, what else needs to be supported?

This is an open question; it is not directed specifically at [staff profile] denise.

Oh, and it would take a lot of persuasion to get me to spec support for plaintext username-and-password. Especially if it was going to be supported over plain HTTP (no TLS). But that should be obvious.
fu: Close-up of Fu, bringing a scoop of water to her mouth (Default)

[personal profile] fu 2014-04-22 07:35 am (UTC)(link)
Let's go with OAuth only -- it *may* be possible that we decide we want to support something else in the future, but plenty of APIs support purely OAuth with no problems.

I'd be happy to be able to move away from plaintext username and password!

[personal profile] schilling_klaus 2014-08-08 06:19 am (UTC)(link)
Will this Oauth thing be mandatory for clients afte rthe API change? I only see it used in proprietary services such as Twitter and Facebook. Is there any Free Software oauth tool for the GNU/Linux command line that can be invoked from a bash script or within the GNU Emacs editor in order to upload the content of a buffer to dreamwidth after the API changes?
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2014-08-08 07:02 am (UTC)(link)
OAuth isn't a proprietary service, it's an open standard. There are dozens of implementations.
Edited (i can type) 2014-08-08 07:02 (UTC)
Flat | Top-Level Comments Only