I have managed to create a basic API for accounts while also finding time to try to experiment with a new CAPTCHA system for multiple input systems.
Last week I created a first draft on the website interface. I have decided to use the colors of the Swedish flag as a tribute to its home country.
So far I have a basic RESTful API up and ready where you can create user accounts (register), manage session (login and logout) and delete accounts.
I have also experimented with some new way to have a computer system perform a reverse-turing test to determine if a request is originating from a human or another computer. The main aim here is to make the test work well on both desktop computers and touch capable smartphones and tables.
I decided to go in the same direction as a team over at Google (report). This system will basically hand out a test that must be passed before any request to perform protected requests (such as creating accounts or deleting them). The test is currently available in both JSON and XML format along with a HTML front for it which can be used by AJAX as part of a form). The test contains three images and a string called the "path". The images has been arbitrarily rotated by the server and the path identifies a storage on the server containing the three correct rotations.
An interesting side-effect of this system is that I get to put out some nice pictures. For this particular experiment I picked photographs portraying parts of my origin hometown with some pictures of the nature of Sweden in general. I will try to arrange for the rights to some nice images fitting in that theme.
I aim to have support to use your Facebook account in order to make the whole process easier. I have created a website before which uses Facebook Connect to accomplish this. However, since that time Facebook has changed a lot of their APIs (renaming it Facebook for Websites) and are now using OAuth 2.0 for authorization. They still have some of their legacy API parts left but they have been marked as "deprecated".
I have thus decided to make Project Genesis support OAuth 2.0 as a client (consumer). I have considered using OAuth 2.0 as a server (service provider) in order to secure our users password. As of right now, any 3rd party accessing our API will be able to read (and store) the password of the user whom sign into Stoffi through their application. However, the first priority is to get the client part working. If there is time a proper server implementation of our API will be created.
This will allow us to further expand to other services using OAuth 2.0 later with very little effort. Such services includes:
- Google Plus
- Live Messenger
This will give Project Genesis the ability to continously bring Stoffi into the social cyberworld. Giving it a bright future.
This week I will start by adding client OAuth to authenticate using Facebook. I will also add some API calls for sharing. I will also make the user calls protected using the new captcha system.
The main challenge here is to make it possible for a third party (such as Stoffi Music Player or Project Remote) to authenticate and use the API. I have to weigh in both privacy issues and available time. We'll see what I decide for.