The proposed token authentication sounds like it would also be useful in allowing non-public feeds to be pulled from Drupal sites in order for them to be aggregated.<br><br><br>Dan<br><br><div><span class="gmail_quote">On 24/01/06,
<b class="gmail_sendername">Boris Mann</b> &lt;<a href="mailto:boris@bryght.com">boris@bryght.com</a>&gt; wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
All:<br><br>See <a href="http://drupal.org/node/46145">http://drupal.org/node/46145</a><br><br>I'm going to make sure that Ben is signed up to the dev list. He's on<br>the board of the PHP User's Group here in Vancouver and is a pretty
<br>kick ass programmer. For now, making sure this gets the views it<br>deserves.<br><br>This opens the door to the type of interactions that, e.g. Flickr,<br>does remotely, and lots of rich inter-site functionality.<br><br>
> I'm building a new website in Drupal and there are some<br>> administrative web services that I would like to make available to<br>> middleware together a legacy system. I did some research into<br>> Drupal's XMLRPC system and figured that token based authentication
<br>> in the core would be useful.<br>><br>> This is what I have sketched out on a napkin:<br>><br>> Scenario:<br>> Client wants to create some new data in the system. This is the<br>> process:<br>>
<br>> 1. Client requests a service token, sends username/password of a<br>> Drupal user<br>> 2. Drupal loads the $user matching the credentials<br>> - creates a random alphanumeric token to send back to the user
<br>> - serializes, and caches the $user object, key = md5(token + ip<br>> address of client)<br>> - sends the token back to the client<br>> 3. Client makes an RPC call to say: module.createListing($token,<br>
> $arg1,$arg2,...)<br>> 4. In createListing(...)<br>> -- Checks the token, if valid does its thing, otherwise, returns<br>> an error message.<br>><br>> I think it would take a fairly small amount of code to accomplish
<br>> the above. I haven't given a lot of thought about Drupal's external<br>> authentication system though. I'm not too familiar with it, but<br>> maybe somebody can fill me in. For this system I may write my own
<br>> version of user_authenticate() without the variable_get<br>> ('user_register',1) in it so some malicious person doesn't create an<br>> unlimited number of random users in the system.<br>><br>> Any thoughts or previous work on this?
<br>> I would like it to be implemented in core, but it would probably be<br>> just as easy to implement as a module. Since modules will depend on<br>> the functionality, I want to avoid the logic of checking if the
<br>> module is enabled or not.<br>><br>> I took a look at how the blogapi module accomplishes<br>> authentication. It has $username,$password for each request, and<br>> does a user_load(...), which is alright, but I would like to have a
<br>> shared authentication for web services rather than rolling a custom<br>> one for every module that needs it.<br>><br>> Privileges and access can be combined into a xmlrpc_check_token<br>> ($token,$privilege) function,
e.g:<br>><br>> xmlrpc_check_token($token,'access content')<br>><br>> It wouldn't take me long to write the code for this. I wanted some<br>> feedback from the community first before I dive into design/coding.
<br><br><br><br>Boris Mann<br>Vancouver 778-896-2747 San Francisco 415-367-3595<br>SKYPE borismann<br><a href="http://www.bryght.com">http://www.bryght.com</a><br><br></blockquote></div><br><br clear="all"><br>-- <br>Dan Karran
<br><a href="mailto:dan@karran.net">dan@karran.net</a><br><a href="http://www.dankarran.com">www.dankarran.com</a>
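<br><br>The token flow sketched in the quoted proposal (issue a token for valid credentials, cache the user under a key derived from token and client IP, then check token and privilege on each call), written out as an added example that is not part of the thread and not Drupal code. The function names, the in-memory arrays standing in for Drupal's users and cache, the 15-minute lifetime and the sample account are assumptions, and SHA-256 replaces the md5 key from the sketch.

```php
<?php
// Added illustration, not Drupal code; every name and sample value is hypothetical.
$ACCOUNTS = [ // constructed sample account: name => password hash + permissions
    'legacy_bridge' => [
        'hash'  => password_hash('s3cret-sample', PASSWORD_DEFAULT),
        'perms' => ['access content', 'create listing'],
    ],
];
$TOKENS = []; // stands in for the server-side cache from step 2
const TOKEN_TTL = 900; // seconds; the sketch gives no lifetime, assumed here

function token_cache_key(string $token, string $ip): string {
    // The sketch uses md5(token + ip); SHA-256 with a separator is swapped in.
    return hash('sha256', $token . '|' . $ip);
}

function issue_token(string $name, string $pass, string $ip): ?string {
    global $ACCOUNTS, $TOKENS;
    $acct = $ACCOUNTS[$name] ?? null;
    // Unknown users are rejected here, never auto-registered.
    if ($acct === null || !password_verify($pass, $acct['hash'])) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // CSPRNG output, 64 hex characters
    $TOKENS[token_cache_key($token, $ip)] = [
        'name' => $name, 'perms' => $acct['perms'], 'expires' => time() + TOKEN_TTL,
    ];
    return $token;
}

function check_token(string $token, string $ip, string $privilege): bool {
    global $TOKENS;
    $key = token_cache_key($token, $ip);
    $entry = $TOKENS[$key] ?? null;
    if ($entry === null) {
        return false; // unknown token, or presented from a different address
    }
    if ($entry['expires'] < time()) {
        unset($TOKENS[$key]); // expired tokens are dropped on first use
        return false;
    }
    return in_array($privilege, $entry['perms'], true);
}

$t = issue_token('legacy_bridge', 's3cret-sample', '192.0.2.10');
var_dump(check_token($t, '192.0.2.10', 'create listing'));   // same client, privilege held
var_dump(check_token($t, '192.0.2.99', 'create listing'));   // token presented from another address
var_dump(check_token($t, '192.0.2.10', 'administer users')); // privilege not held
var_dump(issue_token('legacy_bridge', 'wrong', '192.0.2.10')); // bad credentials
```

Binding the cache key to the client IP means a token copied to another host does not resolve, but clients behind a shared NAT address are indistinguishable and a client whose address changes must request a new token.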