[development] Token-based web service authentication to core

Boris Mann boris at bryght.com
Tue Jan 24 17:04:30 UTC 2006


All:

See http://drupal.org/node/46145

I'm going to make sure that Ben is signed up to the dev list. He's on  
the board of the PHP User's Group here in Vancouver and is a pretty  
kick ass programmer. For now, making sure this gets the views it  
deserves.

This opens the door to the type of interactions that, e.g. Flickr,  
does remotely, and lots of rich inter-site functionality.

> I'm building a new website in Drupal and there are some  
> administrative web services that I would like to make available to  
> middleware together a legacy system. I did some research into  
> Drupal's XMLRPC system and figured that token based authentication  
> in the core would be useful.
>
> This is what I have sketched out on a napkin:
>
> Scenario:
> Client wants to create some new data in the system. This is the  
> process:
>
> 1. Client requests a service token, sends username/password of a  
> Drupal user
> 2. Drupal loads the $user matching the crudentials
> - creates a random alphanumeric token to send back to the user
> - serializes, and caches the $user object, key = md5(token + ip  
> address of client)
> - sends the token back to the client
> 3. Client makes an RPC call to say: module.createListing($token, 
> $arg1,$arg2,...)
> 4. In createListing(...)
> -- Checks the token, if valid does it's thing, otherwise, returns  
> an error message.
>
> I think it would take a fairly small amount of code to accomplish  
> the above. I haven't given a lot of thought about Drupal's external  
> authentication system though. I'm not too familiar with it, but  
> maybe somebody can fill me it. For this system I may write my own  
> version of user_authenticate() without the variable_get 
> ('user_register',1) in it so some malicous person doesn't create an  
> unlimited number of random users in the system.
>
> Any thoughts or previous work on this?
> I would like it to be implemented in core, but it would probably be  
> just as easy to implement as a module. Since modules will depend on  
> the functionality, I want to avoid the logic of checking if the  
> module is enabled or not.
>
> I took a look at how the blogapi module accomplishes  
> authentication. It has $username,$password for each request, and  
> does a user_load(...), which is alright, but I would like have a  
> shared authentication for web services rather than rolling a custom  
> one for every module that needs it.
>
> Privileges and access can be combined into a xmlrpc_check_token 
> ($token,$privilege) function, e.g:
>
> xmlrpc_check_token($token,'access content')
>
> It wouldn't take me long to write the code for this. I wanted some  
> feedback from the community first before I dive into design/coding.



Boris Mann
Vancouver 778-896-2747 San Francisco 415-367-3595
SKYPE borismann
http://www.bryght.com



More information about the development mailing list