Yahoo! Application Platform

Back to YAP Forum

Need working ajax example signed!

Hi,

I need an AJAX working example on full view that signs the request.

Thank you

Kramaley G
Feb 6, 2009

17 Replies

- sh1mmer
- Feb 6, 2009
Hi,

Can you explain what you mean by signs the request?

Thanks,

Tom
Yahoo! Developer Network

Report Abuse

0
- Kramaley G
- Feb 6, 2009
Hi,

I mean when I send the request the parameters from yahoo are sent with I can get yahoo user session and get their GUID.

Thanks,

QUOTE (sh1mmer @ Feb 6 2009, 09:59 AM) <{POST_SNAPBACK}>
Hi,

Can you explain what you mean by signs the request?

Thanks,

Tom
Yahoo! Developer Network

Report Abuse

0
- sh1mmer
- Feb 6, 2009
I think Jon is investigating your previous comments on the other thread about making a gadget.io SIGNED request. You could consider instead of using a SIGNED just passing the GUID and other parameters you want as &guid=&foo=val on your URL, or use a POST request to send them instead.

Report Abuse

0
- Jonathan LeBlanc
- Feb 6, 2009
Until we have some definite answers for you, there is a method I had used to accomplish what I think it is that you're trying to accomplish, making an AJAX request to another script, instantiating a Yahoo session, and doing something with that session.

In my case, I used makeRequest to call a helper file which in turn reset the small view of the application. You can pass the guid as a query param on the url or you can throw it into the POST vars, then on the helper file you can instantiate a new Yahoo session (in my case 2-legged) then use the guid to set the small view. If you instantiate a 3-legged OAuth session, you will not need to pass the guid.

Now, if you're having troubles instantiating a 3-legged OAuth session from the helper file being called in the AJAX request, that may produce some tricky results. I was working on a solution to that when I found that the 2-legged worked better and didn't give me any strife. What I was doing was serializing the POST vars (including the session info) in the request. If this is along the lines of what you're trying to do I can revisit the code base and see if I can get something working.

Let me know.

Jonathan LeBlanc
Senior Software Engineer
Yahoo! Developer Network

QUOTE (Kramaley G @ Feb 6 2009, 10:29 AM) <{POST_SNAPBACK}>
Hi,

I mean when I send the request the parameters from yahoo are sent with I can get yahoo user session and get their GUID.

Thanks,

Report Abuse

0
- Kramaley G
- Feb 6, 2009
Hi Jon,

What you mentioned is what I am trying to do, I just need a way to ensure the user is who he says he is.

Thanks,

QUOTE (Jon @ Feb 6 2009, 11:15 AM) <{POST_SNAPBACK}>
Until we have some definite answers for you, there is a method I had used to accomplish what I think it is that you're trying to accomplish, making an AJAX request to another script, instantiating a Yahoo session, and doing something with that session.

In my case, I used makeRequest to call a helper file which in turn reset the small view of the application. You can pass the guid as a query param on the url or you can throw it into the POST vars, then on the helper file you can instantiate a new Yahoo session (in my case 2-legged) then use the guid to set the small view. If you instantiate a 3-legged OAuth session, you will not need to pass the guid.

Now, if you're having troubles instantiating a 3-legged OAuth session from the helper file being called in the AJAX request, that may produce some tricky results. I was working on a solution to that when I found that the 2-legged worked better and didn't give me any strife. What I was doing was serializing the POST vars (including the session info) in the request. If this is along the lines of what you're trying to do I can revisit the code base and see if I can get something working.

Let me know.

Jonathan LeBlanc
Senior Software Engineer
Yahoo! Developer Network

Report Abuse

0
- Jonathan LeBlanc
- Feb 6, 2009
One last question...we have a few ways that you can implement this. The event that initiates the ajax request, can it be user initiated (with a click or something) or does it have to be automatic?

- Jon

QUOTE (Kramaley G @ Feb 6 2009, 11:43 AM) <{POST_SNAPBACK}>
Hi Jon,

What you mentioned is what I am trying to do, I just need a way to ensure the user is who he says he is.

Thanks,

Report Abuse

0
- Jonathan LeBlanc
- Feb 6, 2009
Just to follow up with some samples...I have something here which will run a user initiated AJAX request that's split up into two files. The files are exactly the same as far as the Yahoo session initialization is concerned...what I normally do is just create a class with all of the initialization and then just instantiate a new version of the class. In any event here are the files to do a very simple validation using a yml:a tag:

First we have training_sdk.php. This will create a yahoo session, capture the current user, and use that output to build out a yml:a tag which passes the guid through the query params. The yml:a tag will run an AJAX request to training_sdk2.php . The yml:a tag also has an insert which specifies the id of the DOM element (in this case the div above it) where the output will be dumped to:
CODE
<?php require_once('Yahoo.inc'); //define constants to store your API Key (Consumer Key) and Shared Secret (Consumer Secret) define(CONSUMER_KEY,"KEY HERE"); define(CONSUMER_SECRET,"KEY HERE"); //initializes session and redirects user to Yahoo! to sign in and then authorize app $yahoo_session = YahooSession::requireSession(CONSUMER_KEY, CONSUMER_SECRET); //get currently logged in user $yahoo_user = $yahoo_session->getSessionedUser(); ?> <div id="requestBack"></div> <yml:a params="training_sdk2.php?guid=<?= $yahoo_user->guid ?>" insert="requestBack">RUN REQUEST</yml:a>

In training_sdk2.php the Yahoo session is initialized again, the guid for the current user is captured and then compared against the guid passed through the AJAX request.
CODE
<?php require_once('Yahoo.inc'); //define constants to store your API Key (Consumer Key) and Shared Secret (Consumer Secret) define(CONSUMER_KEY,"YOUR KEY HERE"); define(CONSUMER_SECRET,"YOUR KEY HERE"); //initializes session and redirects user to Yahoo! to sign in and then authorize app $yahoo_session = YahooSession::requireSession(CONSUMER_KEY, CONSUMER_SECRET); //get currently logged in user $yahoo_user = $yahoo_session->getSessionedUser(); if ($yahoo_user->guid == $_REQUEST['guid']){ echo "USER MATCHED"; } else { echo "USER NOT MATCHED"; } ?>

That should allow you to validate that the guid passed in is the guid of the person that sent the request.

Jonathan LeBlanc
Senior Software Engineer
Yahoo! Developer Network
Report Abuse

0
- sh1mmer
- Feb 6, 2009
I'd also talked to Jon about the idea of using a "crumb" your requests within your app. Essentially this would just be setting a cookie or a parameter in the request which you sign on your server this can be session based.

For example you could do guid=123456789&crumb=foo;

In this case foo would be the guid + your secret hashed together.

Then you would know that any request with a crumb which was valid came from your full view. General people also include a timestamp in a crumb to make it more unique to a session rather than just a user.

In the full view code:

CODE
<?php require_once('Yahoo.inc'); //define constants to store your API Key (Consumer Key) and Shared Secret (Consumer Secret) define(CONSUMER_KEY,"KEY HERE"); define(CONSUMER_SECRET,"KEY HERE"); define(CRUMB_SECRET, "supersecretpassword") //this should be a random string not a user password //initializes session and redirects user to Yahoo! to sign in and then authorize app $yahoo_session = YahooSession::requireSession(CONSUMER_KEY, CONSUMER_SECRET); //get currently logged in user $yahoo_user = $yahoo_session->getSessionedUser(); $time = time(); $crumb = sha1(CRUMB_SECRET . $time . $yahoo_user->guid); ?> <div id="requestBack"></div> <yml:a params="training_sdk2.php?guid=<?= $yahoo_user->guid ?>&crumb=<?= $crumb ?>&time=<?= $time ?>" insert="requestBack">RUN REQUEST</yml:a>

Then in the AJAX handler:

[code]
<?php

define(CRUMB_SECRET, "supersecretpassword") //this should be a random string not a user password

$guid = $_REQUEST['guid'];
$crumb = $_REQUEST['crumb'];
$time = $_REQUEST['time'];

$checkSum = sha1(CRUMB_SECRET . $time . $guid);
if ($checkSum == $crumb) {
//do stuff
} else {
//throw an error because the sigs don't match
}

Let me know if that helps. It's a great general technique for validating actions that users do on your sites/apps.
Report Abuse

0
- Jonathan LeBlanc
- Feb 7, 2009
Regarding my code sample above...I was thinking and there really would be no reason to validate the guid by passing it in the AJAX request. Just instantiate a new 3-legged OAuth session, get the guid and voila, you now have the correct guid of the current user, no checking required.

- Jon

Report Abuse

0
- Kramaley G
- Feb 9, 2009
Jon,

That is what I am trying to do all along with no success. I either get an error or nothing at all.

QUOTE (Jon @ Feb 7 2009, 09:23 PM) <{POST_SNAPBACK}>
Regarding my code sample above...I was thinking and there really would be no reason to validate the guid by passing it in the AJAX request. Just instantiate a new 3-legged OAuth session, get the guid and voila, you now have the correct guid of the current user, no checking required.

- Jon

Report Abuse

0
- sh1mmer
- Feb 9, 2009
Could you post the code you are using? It's hard to work out exactly what's going wrong without seeing exactly what you are doing.

Thanks,

Tom
Yahoo! Developer Network

Report Abuse

0
- Jonathan LeBlanc
- Feb 9, 2009
In addition to Tom's post, are you working off of the ip address that you had mentioned in an earlier post? When I pinged that ip the requests timed out, so that may be an issue you are running into. Are you running against a hosted site and seeing these issues? I ask because the code samples provided work well on a number of hosted solutions.

- Jon

QUOTE (Kramaley G @ Feb 9 2009, 02:02 AM) <{POST_SNAPBACK}>
Jon,

That is what I am trying to do all along with no success. I either get an error or nothing at all.

Report Abuse

0
- Kramaley G
- Feb 9, 2009
Hi,

Here's my code:

function makeRequest(url, postdata) {
var params = {};
postdata = gadgets.io.encodeValues(postdata);
// params[gadgets.io.RequestParameters.CONTENT_TYPE] = gadgets.io.ContentType.TEXT;
params[gadgets.io.RequestParameters.AUTHORIZATION] = gadgets.io.AuthorizationType.OAUTH;
params[gadgets.io.RequestParameters.METHOD] = gadgets.io.MethodType.POST;
params[gadgets.io.RequestParameters.POST_DATA]= postdata;
gadgets.io.makeRequest(url, response, params);
}

function response(obj) {
document.getElementById('interact').setInnerHTML('Populated!');
document.getElementById('population').setInnerHTML(obj.text);
}

function giveYoung(id){

document.getElementById('interact').setInnerHTML('Populating...');

var data = {
action : \"giveYoung\",
id : id
};

makeRequest(\"http://www.playmetropolis.com/~metroyah/ajax.php\", data);

}

I use a domain now, if I do not use a yahoo session it works but with the yahoo session it does nothing. And if I visit the page directly from the browser I get

401 Forbidden

* Custom port is not allowed or the host is not registered with this consumer key.

.
Thanks.

QUOTE (Jon @ Feb 9 2009, 09:04 AM) <{POST_SNAPBACK}>
In addition to Tom's post, are you working off of the ip address that you had mentioned in an earlier post? When I pinged that ip the requests timed out, so that may be an issue you are running into. Are you running against a hosted site and seeing these issues? I ask because the code samples provided work well on a number of hosted solutions.

- Jon

Report Abuse

0
- Jonathan LeBlanc
- Feb 9, 2009
Ok I was running your sample and there are a few things. First, when you were escaping some of your strings (like in your data obj), that was producing a "Malformed identifier" error. In the sample those escaped quotes are not needed. I'm seeing that the AJAX request is failing but without seeing the content of ajax.php I don't know why. Can you provide the code in that file please? As mentioned in post #5, if you are instantiating a 3-legged OAuth session with an automatic makeRequest javascript call, you will run into issues. If you switch to 2-legged that will not cause you a problem.

Thanks,
Jon

QUOTE (Kramaley G @ Feb 9 2009, 09:43 AM) <{POST_SNAPBACK}>
Hi,

Here's my code:

function makeRequest(url, postdata) {
var params = {};
postdata = gadgets.io.encodeValues(postdata);
// params[gadgets.io.RequestParameters.CONTENT_TYPE] = gadgets.io.ContentType.TEXT;
params[gadgets.io.RequestParameters.AUTHORIZATION] = gadgets.io.AuthorizationType.OAUTH;
params[gadgets.io.RequestParameters.METHOD] = gadgets.io.MethodType.POST;
params[gadgets.io.RequestParameters.POST_DATA]= postdata;
gadgets.io.makeRequest(url, response, params);
}

function response(obj) {
document.getElementById('interact').setInnerHTML('Populated!');
document.getElementById('population').setInnerHTML(obj.text);
}

function giveYoung(id){

document.getElementById('interact').setInnerHTML('Populating...');

var data = {
action : \"giveYoung\",
id : id
};

makeRequest(\"http://www.playmetropolis.com/~metroyah/ajax.php\", data);

}

I use a domain now, if I do not use a yahoo session it works but with the yahoo session it does nothing. And if I visit the page directly from the browser I get

401 Forbidden

* Custom port is not allowed or the host is not registered with this consumer key.

.
Thanks.

Report Abuse

0
- Kramaley G
- Feb 9, 2009
Hi,

The escape quotes are because they are printed from php so it is not causing any trouble after it has been parsed.
Basically is the following code that I use for testing at the moment as to avoid unnecessary complexity.

<?php

// Include the PHP SDK to access library
require_once("yosdk/lib/Yahoo.inc");

// Define constants to store your API Key (Consumer Key) and Shared Secret (Consumer Secret)
define("API_KEY","API KEY");
define("SHARED_SECRET","SECRET");

// Initializes session and redirects user to Yahoo! to sign in and then authorize app
$yahoo_session = YahooSession::requireSession(API_KEY, SHARED_SECRET);

YahooLogger::setDebug(false);

// The YahooSession object $yahoo_session uses the method getSessionedUser to get a YahooUser object $yahoo_user
$yahoo_user = $yahoo_session->getSessionedUser();

// With the YahooUser object, the user profile is obtained with the method loadProfile.
$user_profile = $yahoo_user->loadProfile();

$nickname = $user_profile->nickname;
$user = $user_profile->guid;

echo $user;

?>

Thanks,

QUOTE (Jon @ Feb 9 2009, 10:34 AM) <{POST_SNAPBACK}>
Ok I was running your sample and there are a few things. First, when you were escaping some of your strings (like in your data obj), that was producing a "Malformed identifier" error. In the sample those escaped quotes are not needed. I'm seeing that the AJAX request is failing but without seeing the content of ajax.php I don't know why. Can you provide the code in that file please? As mentioned in post #5, if you are instantiating a 3-legged OAuth session with an automatic makeRequest javascript call, you will run into issues. If you switch to 2-legged that will not cause you a problem.

Thanks,
Jon

Report Abuse

0
- Jonathan LeBlanc
- Feb 9, 2009
Yeah, this is the issue that I was talking about. It looks like you're instantiating a 3-legged OAuth session through an automatic makeRequest, and that's what's causing you the problem. If you are just planning on setting the small view in ajax.php then all you'll need to do is use the crumb example that Tom (shimmer) suggested to verify the guid, set up a 2-legged OAuth session ($yahoo_session = new YahooApplication(KEY, SECRET);)- Jon

Report Abuse

0
- Kramaley G
- Feb 10, 2009
Hi Jon,

I am trying to do that on the Full view, I do not want to use the yml:a tag as it does not allow for other JS code to be executed that will inform the user of what is going on. Please let me know as soon as you've got something working with the 3-legged auth.

Thank you :)- Jon
Report Abuse

0

Ask a Question

Yahoo! Application Platform

Need working ajax example signed!

Recent Posts