2010-08-24

02:34 donpdonp joined #geoloqi
03:02 techwraith joined #geoloqi
08:16 <@yuetsu> .@aaronpk @caseorganic @donpdonp @loqisaur for some reason, @geoloqi on iPhone keeps thinking i'm at some point on s.e. 50th & powell...
08:17 <@yuetsu> .@aaronpk @caseorganic @donpdonp @loqisaur @geoloqi ... and another one on s.e. 42nd near powell. keeps drawing straight lines there.
08:56 caseorganic joined #geoloqi
08:56 caseorganic_ joined #geoloqi
10:01 <@echoechome> RT @caseorganic: ChatterCast local emergency alerter, built w/@geoloqi+@tropo... Won Seattle Open Gov Hackathon! http://loqi.me/1Tz #gov20
10:28 <donpdonp> is there a non-proxy url for geoloqi clients yet?
10:28 <donpdonp> jtbandes
10:28 <donpdonp> -24781
10:28 <donpdonp> i think he has the same timezone err that caseorganic had for a while in proxy.php
10:31 <aaronpk> ah yea probably
10:37 <donpdonp> the mapzen editor is fantastic. i wish it were html5 instead of flash.
10:38 <aaronpk> did you see this one? http://maps.cloudmade.com/editor/
10:38 <donpdonp> yeah that's cool too.
10:39 <donpdonp> some javascript that would let a user look at a map, and click-click-click-click define a polygon is how i imagine people would define a geofence
10:39 <donpdonp> ha. the willamette looks so matrix!
10:39 <aaronpk> like the way google maps does it?
10:39 <donpdonp> aaronpk: i don't know how google maps does it.
10:40 <donpdonp> aaronpk: is there an example url somewhere?
10:41 <aaronpk> there will be...
10:44 <donpdonp> awesome
10:44 <donpdonp> is that part of the gmaps api?
10:45 <aaronpk> it's part of Google Maps. Go to maps.google.com and click "My Maps" and when you're making a map, you get those little tools at the top
10:45 <aaronpk> I don't know if it's in the API
10:45 <donpdonp> i see.
11:01 <Loqi> 1 files modified in http://github.com/geoloqi/playground/commits/master by Don Park
11:48 <donpdonp> donpark.org/people has a 1px border around the gravatar on the map, and the (refreshing) message won't grow indefinitely on refresh failure
11:48 <donpdonp> woo. i have contributed to society this morning.
11:49 <aaronpk> cool! and the icecondor updates seem to be much faster now!
13:05 <@casebot> Amber Case was blogged about in: IDLEGLORY BLOG - Loqisaur Nomming on GPS Points: Geoloqi is a project developed b... http://bit.ly/dCv9N6
14:00 <@geoloqi> RT @chrismatthieu: I just published a new post on the @Tropo blog regarding my observations of @caseorganic & @aaronpk changing the world! http://bit.ly/dhUDGF
15:22 <@geoloqi> Thanks to @chrismatthieu for the @Tropo post about our work during the #tinkerstorm open gov hackathon! http://bit.ly/dhUDGF
16:43 jtbandes joined #geoloqi
16:45 <jtbandes> hola from Santa Cruz ish
17:11 <jtbandes> aaronpk: so what do I do with this client_id and client_secret
17:11 <jtbandes> ?
17:12 <aaronpk> you'll need that to create a new account
17:12 <aaronpk> from the phone
17:12 <jtbandes> a new one? but the client_id is jtbandes_iphone
17:12 <jtbandes> ohhhh, I get it
17:13 <jtbandes> It's like an API key thing
17:13 <aaronpk> yea
17:13 <jtbandes> do I need it to test the login functionality?
17:14 <aaronpk> yea, when you call oauth/token you'll need to pass those as basic HTTP auth
17:14 <jtbandes> why basic auth? is that a normal way to do it?
17:14 <aaronpk> yea, it should go over ssl eventually
17:14 <aaronpk> i don't have a certificate on it yet tho
17:15 <jtbandes> so oauth/token is POST with the body as JSON {"grant_type":..., ....}
17:15 <jtbandes> ?
17:16 <aaronpk> you can actually do regular http form post as the body
17:16 <jtbandes> oh
17:16 <aaronpk> or you can do json if you specify Content-Type: application/json in the http header
17:16 <jtbandes> oh, the format is just output
17:16 <jtbandes> interesting, is that supported manually server-side? or do you have some fancy thing translating it?
17:17 <aaronpk> I had to write the server-side thing to handle both and watch for the header
17:17 <jtbandes> what's grant_type "password" vs "refresh"?
17:18 <aaronpk> in both cases you are requesting an access token (which is equivalent to the current device key). grant_type=password is when you are sending the user's username and password, grant_type=refresh is when you are sending the refresh token that you stored earlier
17:18 <aaronpk> so the "log in" button does grant_type=password
17:18 <jtbandes> what's the point of a refresh token?
17:19 <aaronpk> the response you get will include an access token and refresh token. store the refresh token somewhere internally, and when the access token expires, you can use the refresh token to get a new access token
17:20 <jtbandes> then... what's the point of expiring access tokens?
17:21 <aaronpk> every OAuth2 method is supposed to go over SSL. however, it seems silly to use SSL for sending super frequent location updates from the mobile device since that's a lot of overhead.
17:21 <aaronpk> The OAuth spec says that if SSL is not desired, it's ok to use non-ssl with short-expiring access tokens
17:22 <jtbandes> ah
17:22 <aaronpk> the idea being that if the access token is compromised, it will expire quickly and limit the damage
17:33 <@loqisaur> *chomp*
18:05 tjgillies joined #geoloqi
18:20 <donpdonp> Ycombinator - http://www.whereoscope.com/ See where your kids are
18:38 caseorganic joined #geoloqi
18:39 caseorganic_ joined #geoloqi
18:55 <aaronpk> donpdonp: they also have this same product under a different name: http://www.bindtwo.com/
19:37 caseorganic joined #geoloqi
20:18 <donpdonp> aaronpk: interesting
20:22 jtbandes joined #geoloqi
20:44 <jtbandes> aaronpk: should I be using api-dev.geoloqi.com or what?
20:46 <aaronpk> yea, use api-dev for testing
20:46 <aaronpk> it is also more up to date than api.geoloqi.com right now
20:47 <jtbandes> ah
20:48 <jtbandes> so theoretically... http://cl.ly/321f94d1cd33cb5e4fd6 :)
20:48 <jtbandes> whee crash
20:48 <aaronpk> aw
20:49 <jtbandes> ah heh
20:49 <jtbandes> easy fix there
20:49 <jtbandes> aw, URL loading error
20:49 <jtbandes> does it not like that un:pass@host syntax?
20:49 <jtbandes> That's right isn't it?
20:49 <aaronpk> depends on the http lib you're using i think
20:49 <jtbandes> built-in
20:49 <jtbandes> should work
20:50 <aaronpk> ah, it should be a POST request
20:50 <aaronpk> looks like a GET on my end
20:50 <aaronpk> oha!
20:50 <aaronpk> oh*
20:50 <jtbandes> oh, would help if I set the method :P
20:50 <aaronpk> oh! also /1/ in the URL
20:51 <jtbandes> oooh
20:51 <aaronpk> /1/oauth/token.json
20:51 <jtbandes> {"error":"invalid_client_credentials"}
20:51 <jtbandes> :D
20:51 <aaronpk> ok that's better
20:51 <jtbandes> should I be hashing the password before sending?
20:51 <jtbandes> I feel like I should
20:51 <jtbandes> are they stored hashed in the db?
20:52 <aaronpk> well I don't actually see a username in the apache logs
20:52 <jtbandes> errr...
20:52 <aaronpk> try passing client_id and client_secret as post variables instead of basic auth
20:52 <jtbandes> sure about that?
20:52 <jtbandes> oh, different response
20:52 <jtbandes> {"error":"invalid_request","error_description":"Missing parameters. \"username\" and \"password\" required"}
20:53 <jtbandes> that's interesting.
20:53 <jtbandes> they're still being passed, for sure
20:53 <jtbandes> wait wtf
20:54 <jtbandes> ..........
20:54 <jtbandes> jtbandes facepalm
20:54 <jtbandes> nothing to see here folks, move along
20:54 <aaronpk> :)
20:54 <jtbandes> tada!
20:55 <aaronpk> although I should probably add some debugging output so I can see exact post requests and responses
20:56 <aaronpk> wait a sec...what user/pass are you sending?
20:56 <jtbandes> foo/bar
20:56 <jtbandes> it's not supposed to work
20:56 <jtbandes> :P
20:56 <aaronpk> aha! I just realized I hadn't given you one yet
20:56 <jtbandes> again, shouldn't we be hashing these passwords first? like MD5 or something?
20:57 <jtbandes> plaintext = fail
20:57 <aaronpk> hmm...that would technically break the spec
20:57 <jtbandes> the spec provides for un/pass at all? let alone in plaintext?
20:57 <jtbandes> interesting
20:57 <aaronpk> it's not the "recommended" flow for OAuth 2
20:57 <aaronpk> let me check the spec again
20:57 <jtbandes> well you did say SSL was recommended
20:58 <jtbandes> but does the non-ssl recommendation path have any info about this?
20:59 <aaronpk> "Resource Owner Password Credentials
20:59 <aaronpk> For example, the client makes the following HTTP request by including its client credentials via the "client_secret" parameter described in Section 2 and using transport-layer security
20:59 <aaronpk> not using SSL for the oauth token part is definitely not in line with the spec
20:59 <jtbandes> where's the part you said had an alternative to ssl/
21:00 <jtbandes> ?
21:00 <aaronpk> checking
21:01 <aaronpk> Access tokens SHOULD NOT be sent in the clear over an insecure channel.
21:01 <aaronpk> However, when it is necessary to transmit access tokens in the clear without a secure channel, authorization servers SHOULD issue access tokens with limited scope and lifetime to reduce the potential risk from a compromised access token.
21:03 <jtbandes> that doesn't mention the un/pass
21:04 <aaronpk> oh yea, that's just the section on using the access token
21:05 <aaronpk> they don't say MUST or SHOULD on the section about sending the user/pass
21:05 <aaronpk> but they do say "and using transport-layer security"
21:05 <jtbandes> heh
21:05 <jtbandes> time to do SSL :)
21:05 <jtbandes> Doesn't take anything on my end, right? I think I can just make it https://
21:06 <aaronpk> yea, for everything except location/update it should use ssl
21:06 <aaronpk> let me double check mine is set up to handle that :)
21:07 <aaronpk> it's not :) one sec.
21:07 <jtbandes> also, just a sanity check: I'm creating the POST vars by taking (key with url chars and "&"/"=" escaped)=(val with url chars and "&" escaped) joined by "&"
21:08 <aaronpk> you mean you wrote the postRequestToURL method?
21:08 <jtbandes> yeah
21:08 <aaronpk> technically all the values should be URL encoded, that will only matter if someone uses a non-url-safe character in their password
21:08 <jtbandes> which does matter!
21:09 <jtbandes> fun fact: I can't use ' in passwords for various college things, because their system sucks
21:09 <aaronpk> haha
21:09 <jtbandes> if I use \' it sometimes works
21:09 <Loqi> rofl
21:09 <jtbandes> the values should be URL encoded, but & also
21:09 <jtbandes> or is & encoded anyway?
21:09 <aaronpk> & between parameters is not encoded
21:10 <jtbandes> not between
21:10 <jtbandes> but in
21:10 <jtbandes> & in values
21:10 <aaronpk> in a value, yes
21:10 <jtbandes> I'm just wondering what the default URL-encoding method would do, whether I need to specify &/= to be encoded
21:11 <aaronpk> the default URL encode method should be fine
21:13 <jtbandes> mm, looks like the default method isn't doing =&
21:13 <jtbandes> so I'll just tell it to
21:13 <aaronpk> ah weird
21:14 <jtbandes> alright, so
21:14 <jtbandes> SSL?
21:14 <aaronpk> I'm making a self-signed SSL cert
21:14 <jtbandes> k
21:21 <jtbandes> NSURL is lame
21:21 <jtbandes> you can get the password component, but you can't set it
21:26 <aaronpk> ok! you should be able to hit https://api-dev.geoloqi.com now!
21:27 <aaronpk> you'll most certainly get a cert error for two reasons, one of which can be fixed
21:27 <aaronpk> the cert is for api.geoloqi.com and is signed by my own root authority, which you can download the cert for if you want, but it's probably not worth it
21:28 <jtbandes> yep
21:28 <jtbandes> Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “api-dev.geoloqi.com” which could put your confidential information at risk." UserInfo=0x8054b60 {NSErrorFailingURLStringKey=https://jtbandes_iphone:bdbe49daf6784457938671116426124R@api-dev.geoloqi.com/1/oauth/token.json, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSErrorFailingURLKey=https://jtbandes_iphone:bdbe49daf6784457938671116426124R@api-dev.geoloqi.com/1/oauth/token.json, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “api-dev.geoloqi.com” which could put your confidential information at risk., NSUnderlyingError=0x8054b90 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “api-dev.geoloqi.com” which could put your confidential information at risk.", NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x804ccb0>}
21:29 <aaronpk> yea, that! haha
21:29 <jtbandes> what's the second reason?
21:29 <aaronpk> cert is for a different domain (api.geoloqi.com), and the cert is not from a recognized authority
21:29 <jtbandes> oh
21:31 <jtbandes> so what if I use api.geoloqi.com, is that too old a version of the server-side code?
21:31 <aaronpk> it should be fine, there are no geonotes there yet but I think that's all
21:32 <jtbandes> err, why am I getting the same error
21:32 <jtbandes> I wonder if "invalid" means untrusted
21:32 <aaronpk> hm, probably
21:33 <jtbandes> lame
21:33 <aaronpk> can you ignore errors for now?
21:33 <aaronpk> or do you have a way to add a trusted authority?
21:33 <jtbandes> huh, looks like ASIHTTPRequest does something there http://allseeing-i.com/ASIHTTPRequest/How-to-use#disabling_secure_certificate_validation
21:34 <jtbandes> though I think I can ignore it
21:35 <aaronpk> oh hey I have an SSL credit in Godaddy for some reason
21:35 <aaronpk> hold on, I'll get a real cert
21:38 <jtbandes> hm, I'm not sure how to tell if the error is coming from self-signedness, though I'm almost certain it is
21:38 <aaronpk> that's the only thing wrong at this point
21:39 <jtbandes> someone says this will fix it:
21:39 <jtbandes> - (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
21:39 <jtbandes> return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
21:39 <jtbandes> }
21:39 <jtbandes> I'm just not entirely sure what that all means :P
21:41 <jtbandes> is ServerTrust just fancy language for SSL or something?
21:43 <aaronpk> hang on i've almost got a real cert
21:44 <aaronpk> tada!
21:44 <jtbandes> woot
21:44 <Loqi> :D
21:44 <jtbandes> works
21:47 <aaronpk> woo!
21:49 <jtbandes> now what? :P
21:49 <jtbandes> now wait
21:49 <jtbandes> does the spec say it has to be a password? can we hash it anyway?
21:50 <jtbandes> also, can I have a real un/pass to test with? :)
21:50 <aaronpk> yes! one sec
21:53 <aaronpk> that's a good point, I think I might ask on the mailing list about the hashed password
21:54 <aaronpk> oh, but
21:55 <aaronpk> ok use jtbandes/1234 for now
21:55 <aaronpk> would the hashed password use no salt?
21:55 <jtbandes> {"error":"invalid_client_credentials"} :(
21:55 <Loqi> go cut yourself
21:55 <jtbandes> salt is probably not a bad idea, but not sure what to use
21:56 <aaronpk> maybe we could use the client secret as the salt...
21:56 <aaronpk> i'm a little worried we're making all this stuff up, lol
21:56 <jtbandes> yeah
21:56 <jtbandes> :P
21:57 <aaronpk> i'll ask on the OAuth list to see what people think. I'm guessing not many people are using the password method right now
21:59 <jtbandes> so why am I getting {"error":"invalid_client_credentials"} ?
21:59 <aaronpk> checking
22:01 <aaronpk> looks like client_id and client_secret aren't working right
22:01 <aaronpk> you're passing those in the post body now?
22:01 <jtbandes> I'm sending them in the URL, which is equivalent to basic auth, no?
22:02 <jtbandes> pretty sure
22:02 <aaronpk> no, they need to be in the post body
22:03 <jtbandes> oh really?
22:03 <jtbandes> why's that?
22:03 <jtbandes> does HTTPS not do basic auth?
22:03 <aaronpk> oh, yea if your http lib can handle that syntax it should do basic auth that way
22:03 <aaronpk> but that's just a special syntax which makes the browser or http lib send the proper auth headers
22:03 <jtbandes> which it's not doing? interesting
22:03 <jtbandes> I'd think it would definitely work, it's the system lib
22:04 <jtbandes> well, seems to work in the post body
22:06 <aaronpk> cool
22:06 <aaronpk> what http lib are you using?
22:06 <jtbandes> NSURL/NSURLRequest/NSURLConnection
22:06 <jtbandes> standard system stuff
22:08 <jtbandes> which I would trust to be more complete than any other http lib out there :)
22:12 <aaronpk> well at least it's working in the post body now
22:12 <aaronpk> so you've got the "sign in" button doing the post and getting the two tokens back?
22:13 <jtbandes> yep, now I just need to store them and get the refresh stuff working
22:13 <jtbandes> "just"
22:13 <jtbandes> and then "just" use them for the API calls
22:13 <aaronpk> cool
22:13 <aaronpk> well using them for the api calls should be almost done, just replace "device key" with "access token"
22:14 <jtbandes> ah
22:14 <aaronpk> is it easy to set an HTTP header?
22:14 <jtbandes> sure
22:15 <aaronpk> in that case, set a header like "Authorization: OAuth 1234567890"
22:15 <aaronpk> instead of passing the access token in the URL
22:15 <jtbandes> i.e. "OAuth eUqELStyqmxYwNwWVKjYYUgCctF4HRVS" ?
22:16 <aaronpk> yea
22:16 <jtbandes> what's the "scope" being returned?
22:16 <jtbandes> it's null
22:16 <aaronpk> that isn't implemented yet, so you can ignore it for now
22:16 <jtbandes> and is the expires_in seconds?
22:17 <aaronpk> yea
22:17 <jtbandes> k cool
22:17 <jtbandes> the hard part of this is application design, not the actual http requests :P
22:17 <aaronpk> heh, yea
22:32 <jtbandes> 2010-08-24 22:32:39.209 Geoloqi[70095:207] Got callback with error (null), response body {"access_token":"dPCq9jsi16QtYNYpb7YymUgB1lthT8f5","expires_in":3600,"scope":null,"refresh_token":"FZc0DTO7Y+shyJgbaNeO1QKdUM4o5c2K"}
22:32 <jtbandes> 2010-08-24 22:32:39.220 Geoloqi[70095:207] Got access token dPCq9jsi16QtYNYpb7YymUgB1lthT8f5, expires 2010-08-24 23:32:39 -0700, refresh FZc0DTO7Y+shyJgbaNeO1QKdUM4o5c2K
22:32 <jtbandes> parsing stuff correctly :)
22:35 <aaronpk> cool!
22:38 <jtbandes> how do I use the refresh token again?
22:39 <aaronpk> send a request just like you're sending the username and password, but your post parameters will be grant_type=refresh&refresh_token=xxxxxx
22:45 <jtbandes> are all these POST, or some GET?
22:45 <aaronpk> most are POST
22:45 <aaronpk> oauth/token is POST
22:45 <aaronpk> location/update is POST
22:46 <jtbandes> ah
23:01 <tjgillies> kinda reminds me of amber and aaron: http://s9.quickupload.net/i/00082/ckja2h0xtkwu.jpg
23:12 <aaronpk> jtbandes: It's getting late for old aaron. I have to get to bed. Do you have enough to go off of for a while at this point?
23:12 <jtbandes> yeah, I'm off to bed too
23:12 <aaronpk> great
23:12 <aaronpk> thanks a bunch
23:12 <jtbandes> but yeah, I think I do
23:13 <aaronpk> night then!
23:13 <jtbandes> 'night