2010-07-25

00:01 <@joelgibby> @donpdonp if you happen to have an .apk built for Ice Condor and Geoloqi I'd love to get a peek!
10:10 LoqiLog joined #geoloqi
10:11 <aaronpk> hey jtbandes did you see the wireframes caseorganic posted?
10:11 <jtbandes> yep, might actually work on it a bit today
10:11 <aaronpk> sweet
10:11 <Loqi> [[Mobile App Guidelines]] http://geoloqi.org/index.php?diff=241&oldid=238&rcid=243 * Aaronpk * (+179)
10:12 <jtbandes> So is the signup/login only via twitter/facebook, or what?
10:12 <aaronpk> or with a username and password
10:12 <aaronpk> and we can leave off the twitter/facebook bit at first
10:13 <jtbandes> except I'm registered via twitter :P
10:13 <aaronpk> yea don't worry about that lol
10:14 <aaronpk> I also added an outline of the API methods needed to do this whole flow: http://geoloqi.org/API
10:17 <aaronpk> would appreciate any feedback on naming or if you see anything missing
10:19 <jtbandes> hmm
10:19 <jtbandes> I think the last location should be an explicit location/something instead of just /location
10:19 <aaronpk> hm yea it's the only one like that
10:20 <aaronpk> location/last?
10:20 <aaronpk> I don't want to say "current" because it may not always be up to date
10:24 <jtbandes> actually, there's no reason to have that
10:24 <jtbandes> Just have a parameter to location/history for how many you want
10:25 <aaronpk> i was thinking that, but location/history will always return an array, and sometimes you might just want the last point so I thought it'd be convenient to be able to return the last point by itself
10:26 <jtbandes> I suppose for convenience, but it's kind of redundant that way, and unbundling an array isn't particularly hard ;)
10:27 <jtbandes> plus you have to maintain 2 APIs
10:31 <aaronpk> ok we'll see
10:33 <jtbandes> so for OAuth... haven't used it before... do I just take the returned tokens from login and pass them with every request?
10:43 <aaronpk> yea pretty much
10:44 <aaronpk> this is a good explanation of the idea behind it http://hueniverse.com/2010/05/introducing-oauth-2-0/
10:47 <jtbandes> ooh, hadn't heard of OAuth2 before, nifty
10:47 <jtbandes> Twitter doesn't use oauth2, does it?
10:48 <aaronpk> i think they're working on it
10:55 <jtbandes> does channel == layer?
11:06 <aaronpk> yea
11:07 <aaronpk> not convinced on the naming yet
11:07 <aaronpk> I thought "layer" might be bad because of Layar
11:08 <aaronpk> but it's going to look very much like a layer
11:21 caseorganic joined #geoloqi
11:25 <jtbandes> layer makes sense, it's the same as layers in Google Earth / Maps on Android
11:31 <aaronpk> hm, true
13:17 <aaronpk> oh right... I didn't want to use OAuth 2 for the mobile clients because of the overhead of the SSL handshake
13:40 caseorganic joined #geoloqi
14:14 tyler_ joined #geoloqi
14:25 <@caseorganic> Working on @geoloqi with @aaronpk and @brennannovak at Fresh Pot on Hawthorne. http://loqi.me/1LM
14:45 <tyler_> oauth2 ftw
14:45 <tyler_> facebook uses it
14:46 <tyler_> caseorganic, wanna try again to install geoloqi this week since im not so busy?
14:48 <aaronpk> tyler_: have you implemented anything with oauth2 yet?
14:48 <tyler_> aaronpk, i did some testing stuff using oauth2 as client, not as server
14:50 <caseorganic> yes
14:50 <caseorganic> that would be good
14:50 <caseorganic> how about tuesday night?
14:50 <caseorganic> 6:30pm?
14:51 <tyler_> sounds good
14:52 <tyler_> where you wanna meet?
14:52 <caseorganic> i DM'd you the address.
14:52 <tyler_> ok cool
14:52 <tyler_> caseorganic, ok cool i'll be there.
14:53 <aaronpk> so the thing I'm struggling with re OAuth 2 is I don't want to be sending the location data up over SSL since that adds a lot of overhead. OAuth 2 replaces signatures with https, so unless there is a way to include a signature and not use https, I don't want to use OAuth 2
14:56 <tyler_> aaronpk, you could implement your own signature method
14:56 <tyler_> which could be simpler than oauth
14:56 <aaronpk> I think that might be frowned upon
14:57 <tyler_> personally, i like doing things just for that reason ;)
14:57 <aaronpk> haha
14:57 <Loqi> awesome
14:57 <aaronpk> I need to be convinced that there is no way to do it in OAuth2 first
14:58 <tyler_> i just use the basic ssl rsa key/pubkey sign/verify methods for my own apps
15:07 <aaronpk> I wonder if that would work for this
15:08 <tyler_> how my own backend works (im adding additional services besides geoloqi api) is that it auto creates a key when you signup
15:08 <aaronpk> what are you building?
15:09 <tyler_> an app that uses geoloqi api plus added features. just a project to learn nodejs better
15:09 <aaronpk> interesting
15:09 <tyler_> by "use" i mean implements
15:09 <aaronpk> I'm working on the API now: http://geoloqi.org/API
15:09 <tyler_> yeah im looking at it right now
15:10 <aaronpk> right now nothing is specified in regards to authentication, still figuring that part out.
15:10 <tyler_> http://rital.in gives an example of how i generate keys
15:10 <tyler_> use any password to login
15:10 <aaronpk> ok so I get a certificate?
15:11 <tyler_> it also generates an rsa private key
15:11 <tyler_> that the server uses to sign messages
15:11 <tyler_> the certificate is what foreign host uses to verify signature
15:12 <aaronpk> do you know of anyone else doing it this way?
15:13 <tyler_> thats kinda what oauth does behind the scenes, except they make it more complicated
15:13 <tyler_> also its what salmon does
15:13 <tyler_> but salmon also makes things harder, imho
15:15 <tyler_> since my app is nodejs i send data via post with a JSON request, e.g. http://rital.in/incoming?body={ "name":"some_name","signature":"some_signature","message":"some_message","key_location":"url_to_key" }
15:15 <aaronpk> so the part about OAuth that I like is that every client has its own consumer key, and every user can approve clients individually.
15:16 <aaronpk> so you can give users a list of clients that have access to their account
15:17 <tyler_> yeah for that model, OAuth seems the best solution
15:18 <tyler_> oauth just seems overly complicated to me
15:22 <tyler_> i haven't made anything better yet
15:22 <tyler_> ;)
15:24 <aaronpk> OAuth2 is supposed to solve some of the complexities of OAuth 1
15:24 <aaronpk> but I can't find a whole lot of documentation on it
15:32 <aaronpk> I may have to read through that whole spec
15:33 <aaronpk> I was hoping for something more straightforward, but this whole thing is still so new there isn't much out there yet
15:33 <tyler_> yeah oauth2 is super new
15:33 <tyler_> how do you auth with mobile apps currently? user/pass?
15:34 <aaronpk> well right now it just uses a device key
15:34 <aaronpk> but I want to change that to OAuth
15:35 <tyler_> you could just do OAuth now
15:35 <tyler_> and add oauth2 later
15:35 <aaronpk> yea, that might make sense
15:36 <tyler_> while oauth2 might be "better", a ton more people use oauth1
15:36 <tyler_> plus theres no nodejs oauth2 lib yet ;)
15:37 <aaronpk> hehe
15:37 <aaronpk> you could write one ;)
15:38 <tyler_> if you're willing to support oauth2 i'll write a nodejs lib for it
15:38 <tyler_> not worth the trouble if its not supported though
15:38 <aaronpk> I think I'll start with OAuth1 and go from there, heh
15:39 <aaronpk> I need to get this up quickly so the iPhone guys can start using the new API
15:42 <tyler_> aaronpk, any actual wiki pages on what required api parameters or what response format is?
15:42 <tyler_> i see methods, but thats about all
15:42 <aaronpk> not yet, that will happen as I build each method ;)
15:42 <tyler_> oh its not even built yet. heh
15:42 <aaronpk> :)
15:42 <aaronpk> writing account/username right now
15:42 <tyler_> i usually build my api first, then have my app use the api internally
15:43 <aaronpk> yea that's essentially what i'm doing
15:43 <aaronpk> there's an API up right now but it's being replaced by this one
15:43 <tyler_> gotcha
15:44 <tyler_> imho, i think location/history and location/last i kinda redundant
15:44 <tyler_> s/i/is/
15:44 <aaronpk> heh, jtbandes said the same thing
15:45 <tyler_> you should be able to make it return one value based on param
15:45 <aaronpk> i wanted history to always return an array
15:45 <aaronpk> and then wanted a way to get a single point not in an array
15:46 <tyler_> why not just get last element of array?
15:46 <tyler_> foo = /location/history; print foo.last
15:47 <tyler_> on the developer side
15:47 <aaronpk> guess i was just thinking it doesn't hurt to have multiple ways of doing the same thing, the developer can choose which one they want to do
15:48 <tyler_> are you doing xml and json api?
15:48 <aaronpk> definitely JSON, probably will do XML too just cause
15:48 <tyler_> fwiw, i think implementing both is a waste since a lot of web service consumers are format agnostic
15:49 <aaronpk> i'm not a huge fan of xml
15:49 <tyler_> i like xml, but not for api data, because its never read by humans
15:51 <tyler_> aaronpk, are there any api methods that work now?
15:52 <aaronpk> if you want I can give you details on the old API (read/write access to location history)
15:53 <tyler_> aaronpk, sure, preferably stuff thats going to stay, so i can implement it without rewriting ;)
15:53 <aaronpk> well the URLs are going to change, but the data format will be the same
15:54 <tyler_> ok
15:54 <tyler_> i can change url's easy enough
15:54 <tyler_> i just do a regular expression match against request urk
15:54 <tyler_> url*
15:55 <aaronpk> also authorization will change
15:55 <aaronpk> PM'd your device key
15:55 <tyler_> cool thnx
15:57 <aaronpk> you can omit the "raw" chunk, or include your own values there
15:57 <tyler_> so you POST to send data, GET to receive on same url?
15:58 <aaronpk> yea
15:58 <tyler_> gotcha
15:59 <tyler_> heh it craps out if theres no location data ;)
15:59 <aaronpk> yea probably lol
16:00 <aaronpk> yea it won't do that on the new one i promise, lol
16:01 <tyler_> aaronpk, what rfc is your date format?
16:05 <aaronpk> iso8601
16:06 <tyler_> heh just found that at the same time you typed
16:06 <aaronpk> lol
16:07 <tyler_> rfc 3339
17:34 caseorganic joined #geoloqi
18:42 <aaronpk> ok, oauth2 isn't so bad
18:58 jtbandes joined #geoloqi
19:30 <Loqi> [[API]] http://geoloqi.org/index.php?diff=245&oldid=244&rcid=247 * Aaronpk * (+715) added outline of OAuth 2.0 methods
20:29 <tyler_> aaronpk, does that mean they're in?
20:30 <tjgillies> they're == oauth2
20:38 <tjgillies> aaronpk, on POST, for server response (api.geoloqi.com) im getting: http://gist.github.com/490155, but output for GET request doesn't change
22:21 <donpdonp> so happy that icecondor is fixed for froyo. my location is reliable again.
22:37 <tjgillies> yay!
22:38 <Loqi> Loqi does a happy dance!
22:44 <aaronpk> tjgillies: I think that error is because you need to send the location as an array, but you probably sent a single point
22:44 <tjgillies> aaronpk, i copypasted the example
22:56 <aaronpk> aaronpk looks at the latest post
22:56 <aaronpk> yea it needs to be wrapped in an array []
23:02 <tjgillies> your server returns status 200 regardless of input heh
23:03 <aaronpk> :/
23:03 <aaronpk> this is why I am rewriting it, lol
23:04 <tjgillies> im implementing ability to add applications in my app right now
23:06 <aaronpk> cool
23:47 <tjgillies> aaronpk, so im assuming the client will have one consumer key
23:47 <tjgillies> mobile client
23:47 <aaronpk> right. in OAuth2 they're calling it a client ID and a client secret
23:49 <tjgillies> yeah i noticed that
23:51 <tjgillies> what algorithm are you using to generate id/secret? on my server im using the name of the app for client id and some random string for secret, i'll manually add whatever mobile client uses to the core
23:51 <tjgillies> question though, if mobile app sends client id/secret in request, won't every server know what the mobile id/secret is?
23:52 <aaronpk> yea that's why OAuth2 says everything has to go over ssl
23:53 <tjgillies> but the server will know what it is, because its reading the value post ssl?
23:53 <aaronpk> yea
23:54 <aaronpk> However, when it is necessary to transmit access tokens in the clear without a secure channel, authorization servers SHOULD issue access tokens with limited scope and lifetime to reduce the potential risk from a compromised access token.
23:55 <tjgillies> right, thats for third party people
23:55 <tjgillies> im talking about the actual geoloqi server
23:55 <tjgillies> because its opensource
23:55 <aaronpk> oh, the client id and secret aren't going into the repository
23:56 <tjgillies> but they get sent to the server by the mobile app
23:56 <aaronpk> i.e. the build you'll download from the app store is going to be slightly different from the code on github, because the github code won't include the id/secret