Advice from my Experience with OAuth

I recently finished coding the OAuth authentication method for accessing Picasa photos from within Darkroom. Since it was written client side using JavaScript I was trying to be as minimalist as possible, so I wrote my own minimal implementation rather than using a library. I’m sure most developers using OAuth use a library, which is probably why it’s hard to find advice on writing your own implementation, so I thought I’d share some tips, FAQ style.

Use the right documentation.
There are a lot of outdated docs out there. I frequently land on OAuth Core 1.0 Revision A; it’s such a pretty page, easy on the eyes, but at the very top, where you’re likely to miss it, is a notice saying it’s obsolete. The notice says to use RFC 5849: The OAuth 1.0 Protocol, which, although hideous, is up to date and more complete.

How’s the signature algorithm written?
Here’s some pseudo-code:

If you’re writing in JavaScript as well I recommend Crypto-JS.

What’s the format for the timestamp?
It’s just a UNIX timestamp (in seconds).

How do I generate a nonce value?
The OAuth spec just says it’s a random string. I think the Google documentation says something about using a string representation of a 64 bit integer. I had no idea what they were talking about, but somewhere I read you just need to md5 hash a random integer, and it worked for me.

If developing for a Google service, use their OAuth playground.
Their OAuth Playground is a great way to see the process you have to go through and what the requests look like. If trying to authenticate with another provider see if they also have an API test app.

Don’t expect detailed errors.
You’ll be lucky if the response tells you “signature invalid”, but you won’t be told what’s wrong with it. My strategy was to compare my signatures and parameters to those used by the Google Playground; taking values from there that you know are valid and using them to test your code is a good way to debug.

The scope parameter has to EXACTLY match the URLs used in your API calls
In the Google OAuth Playground, selecting “Picasa Web” will input “https://picasaweb.google.com/data/” for the scope. Note the use of https:// for the protocol. If you make API calls using that URL, it will fail since none of the Picasa services are served over https. If you try to make calls using regular http you will get an OAuth error saying invalid scope. In order for it all to work, you have to use “http://picasaweb.google.com/data/” for the scope.

Posted in Web Design & Development

Setting up SSL on Apache

While locally testing Darkroom over HTTPS, Firefox gave me the following error: “Error code: ssl_error_rx_record_too_long”. Turns out I’d never configured the Apache instance on my laptop to use SSL.

Once you’ve got the right information it’s really quick to fix. Here are two links that I found helpful:

Generating an SSL Certificate with Apache+mod_ssl
Has the commands you need for generating a self signed certificate.

If while generating the certificate you get the error “unable to write ‘random state’”, you’ll need to chown the .rnd file (sudo chown user:group ~/.rnd) and try again.
I put all the generated files in /etc/apache2/ssl/.

How to get Apache to do both HTTP and HTTPS on one IP address?
Shows the basic Apache configuration needed for HTTPS. To get HTTPS working, I just copied my existing virtual host definition, modified it to use port 443, and added the SSLEngine, SSLCertificateFile, and SSLCertificateKeyFile directives.

Here’s a copy of my file:

Posted in Web Design & Development

MugTug Darkroom, Online/Offline Photo Editing

For those of you who don’t know, a few weeks ago I joined a project called Darkroom from MugTug.com. It’s an image processing application using cutting edge HTML 5 features such as the <canvas> element, localStorage, and application cache, and all the editing (and most of the GUI) is done client side using JavaScript, so it works even without an Internet connection.

Yesterday it was demoed during the Google I/O 2010 Keynote Speech:

There’s currently a development version live, feel free to visit the site and try it out!

Posted in About, Web Design & Development

Fixing Flash

After upgrading Ubuntu I had some problems with Flash not working. I read the following threads and combined information from both to solve my problem:
http://ubuntuforums.org/showthread.php?t=1244048
http://ubuntuforums.org/showthread.php?t=1373582

Run the following commands in a terminal to remove existing Flash files:

sudo apt-get remove -y --purge flashplugin-nonfree gnash gnash-common mozilla-plugin-gnash swfdec-mozilla libflashsupport nspluginwrapper
sudo rm -f /usr/lib/mozilla/plugins/*flash*
sudo rm -f ~/.mozilla/plugins/*flash*
sudo rm -f /usr/lib/firefox/plugins/*flash*
sudo rm -f /usr/lib/firefox-addons/plugins/*flash*
sudo rm -rfd /usr/lib/nspluginwrapper
sudo rm -rf /usr/lib/flashplugin*

Then run the following command to install the correct version of Flash:

sudo apt-get install flashplugin-installer

Posted in Troubleshooting

Using a Test Database in Django

As I mentioned in my previous post, we’re using MySQL on our development machines. It has several advantages, but one of the drawbacks is that unit tests run slower than they do with Sqlite (big ups to MockSoul for posting his benchmarks). The reason is that when Django runs unit tests against a Sqlite database, the database is kept in memory (RAM) instead of being written to disk.

Django only allows you to specify one database, and although a new database is created for unit tests, it still uses most of the same settings (with “test_” automatically prepended to the database name), which means a Django install using MySQL also uses MySQL for unit tests.

To get around this problem, I created a file in my project root called test_settings.py containing the following lines:

I then opened my settings.py, imported sys, and inserted the following lines at the end of the file:

If one of the command line arguments is “test”, a unit test is being run, in which case Django attempts to import test_settings.py, which overrides the database settings and uses Sqlite instead. Migrations won’t be an issue, since Django South uses the old syncdb command for generating databases for unit tests.

Hope this helps you save some time testing.

Posted in Web Design & Development

Cross Database Incompatibility Using Django South

When our team (at Govnex) started using South Migrations we encountered a cross-database compatibility issue. I was using MySQL on my local machine for its performance and so I could browse the database using phpMyAdmin, while our other members were using Sqlite on their local machines. The problem we encountered was that migrations which worked on my machine running MySQL were failing on their machines running Sqlite. We discovered the cause was some NOT NULL fields in our models which didn’t have defaults defined; the NOT NULL fields with no defaults worked fine in Sqlite when the tables were created using syncdb, so apparently it’s only when altering an existing table in Sqlite that they require defaults (this is a caveat of Sqlite, not Django South).

Our immediate solution was to add default values to the necessary fields. However, in the end we decided to switch to MySQL on our development machines in order to ensure no future issues arise that might prevent our development code from working on our production server, which also runs MySQL. Hope this helps anyone who might be having the same issue.

Posted in Web Design & Development

Web Dev Bash Utils

I’ve just open sourced these bash scripts I wrote for web development. They’re available on GitHub.

Unfortunately they were written for use on a strict Unix environment with an outdated version of bash and without the benefit of GNU extensions (I was not the administrator), so they don’t currently work on Linux. My next step is to port them to Linux, and any help would be appreciated.

Posted in Web Dev Bash Utils

Does the Brain Like E-Books?

“Does the Brain Like E-Books?”, NY Times

Due to the distractions and time constraints on the Internet, I wonder if publishing is going to change in a way that it would be just as attention grabbing if it were on a computer. I don’t think it would constitute an appeasement to digital consumers, but simply attention to usability concerns. Usability is something that’s thought a lot about in web design in order to make sure the content is accessible to a wide audience, but I don’t think the same care has been put into books. With books it’s up to the reader to self-motivate and finish several hundred pages, and it’s expected that the people reading the book are people who like reading a lot and have the time to do so. On the web, content tends to be optimized to hold the reader’s attention, since statistics show they’ll only hang around for 3 minutes. If it does change, this could be yet another way new technology will make information more accessible to under-served audiences.

Posted in Web Design & Development

Whitespace Management: Use Tabs, Spaces Considered Harmful

At one of my previous jobs I worked on dozens of websites that had been created by other people. I prefer to use tabs instead of spaces when indenting code, and I can get a little OCD sometimes, so every time I edited a file I would do a search and replace to change every 4 spaces to a tab character. I didn’t like the idea of having some files use spaces while others used tabs, so when I wrote a bash script for recursively searching and replacing inside text files throughout an entire directory structure, I added some code that would clean up the white space as well. The actions it performed were:

  • Converting from Windows (“\r\n”) or Mac (“\r” on older versions) end of line encodings to Unix style encodings (just “\n”)
  • Removing trailing whitespace from the end of lines
  • Condensing multiple blank lines to single blank lines
  • And most importantly, converting every 4 spaces to a tab character

I had anticipated that this would save some disk space, but I was surprised by how much; after running the bash script, the total size of each website would decrease by 10-50% (that’s not a typo, fifty), and that’s including binary files such as images and PDFs which were unchanged. Think about the impact that has. Every individual whitespace character takes up 1 byte, bytes which have to be stored on disk, loaded into memory, transferred over a network, loaded into the client’s memory, and iterated past when it gets processed by the browser. Whitespace management saves:

  • Disk Space
  • RAM
  • Processing Power
  • Bandwidth

which in turn helps save:

  • Money
  • Electricity
  • the Environment

It also helps you provide a better user experience. When browsing the Internet, I’d much rather download a 5KB HTML file than a 10KB one, since it’ll download faster and render faster.
(On a side note, generally these are all also benefits of writing standards compliant, semantic XHTML with external CSS and JS.)

Another reason I prefer tabs to spaces is, when browsing code it’s easier to tell if the proper levels of indentation are being used. If there’s one space missing or one additional space it can sometimes be hard to tell, but if a tab character is missing it’s very obvious. Also, most text editors allow you to specify how wide a tab character should be displayed, so if one developer likes 8 space indentation width, another likes 4 spaces, and another likes 2 spaces, they can all use the same code containing tabs and configure their respective editors to display the tab character at their preferred width. If you were to use 4 space characters for each indentation level, the developers who like 8 and 2 spaces are forced to use it as well.

Posted in Web Design & Development

Survey of Best Programming Practices

I was having a talk today with some colleagues about the scarcity of web developers, and even software engineers, who use best practices such as:

  • using version control
  • using a bug tracker
  • writing unit tests
  • using a programming framework

In all honesty, I didn’t do any of these before my current job at Govnex (aside from a little dabbling with CakePHP), nobody at my first 2 web development jobs did any of these, and we didn’t learn about any of this stuff in college. As far as I know, nobody I knew at RIT followed these practices except for maybe using a framework. Of all the job descriptions I’ve read in the past few years, only a handful mentioned using a framework, and only a couple mentioned anything about unit tests or version control; none of them mentioned the use of bug tracking software. One of my colleagues said that these practices are common among all developers, while my other colleague agreed with me that they’re hard to find.

What do you think? I’ve created a 6 question Google Apps form for collecting survey data and made the results public, it would be a big help if you could fill it out. Afterwards, please share your comments below.

Posted in Web Design & Development