Monday, September 26, 2011

Project Genesis: Report 2

Another week, another report.

Last week was more focused than the first week. The main task was getting the login procedure and authentication up and running. Easier said than done: the week has really been one long problem.

Last week
My main goal was to get the authentication in place. I found the OmniAuth plugin for Rails which I've used to get support for Facebook, Twitter and Google. I could add more services later on but these three will do for now.

Once I had a working OAuth consumer up, I needed to expose an API for 3rd party applications (such as Stoffi Music Player and Project Remote) to authenticate and make protected API calls. I found a plugin which turns a Rails application using a standard authentication system (such as restful_authentication, which we use) into an OAuth provider.

After installing the plugin I tweaked the login pages and managed to create a small OAuth consumer in C#. I could log in and call a protected API call (which at this time is just a dummy call requiring OAuth authentication).

Due to the problems encountered I have not had time to integrate the CAPTCHA test and I will postpone that part to later since my main focus right now is to get the basic flow working.

Challenges
Creating an OAuth consumer in Rails was not much of a challenge but creating a consumer in .NET and creating a working flow in the Rails provider turned out to be quite a problem. After several hours I have finally got most of it working but there are a few quirks left.

For one, if you authenticate in the application you get the Stoffi login form. The form contains buttons to authenticate using Facebook, Twitter and Google. If you use any of these you will get redirected to the service's login form and asked to authorize Stoffi to access your account. After authorization you get redirected back to the start page of Stoffi. Instead you should get redirected back to the first OAuth flow between the application and Stoffi.

Secondly, it seems that Stoffi will not remember the applications you have authorized to access your account. It is possible to list (and revoke) all authorized applications, but when you log in to the application via OAuth it will ask you if you want to authorize the application, even though you may already have done that. I am not sure why this is happening, or whether the problem is with the provider part or with the consumer part. I shall investigate further.
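For the first quirk above (landing on the start page after a Facebook, Twitter or Google login), one common approach is to remember the pending authorize URL in the session before leaving for the external service and to resume it in the callback, accepting only same-site paths so the stored value cannot become an open redirect. This is an added example, not Stoffi's code: the session key `:return_to`, the helper names and the sample paths are assumptions, and a plain Hash stands in for the Rails session.

```ruby
require "uri"

DEFAULT_PATH = "/" # where to land when nothing valid was stored

# True only for same-site relative paths such as
# "/oauth/authorize?oauth_token=abc"; absolute and protocol-relative
# URLs are rejected so the redirect can never leave the site.
def safe_return_path?(target)
  return false unless target.is_a?(String) && target.start_with?("/")
  return false if target.start_with?("//") || target.include?("\\")
  uri = URI.parse(target)
  uri.scheme.nil? && uri.host.nil?
rescue URI::InvalidURIError
  false
end

# Call before sending the browser to the external login service.
def remember_pending_flow(session, requested_path)
  session[:return_to] = requested_path if safe_return_path?(requested_path)
end

# Call in the callback action once the external login has succeeded.
# The stored path is consumed so it cannot be replayed on a later login.
def path_after_login(session)
  target = session.delete(:return_to)
  safe_return_path?(target) ? target : DEFAULT_PATH
end

# Constructed walk-through: the application starts the OAuth flow, the
# user picks an external login, and the callback resumes the flow.
session = {}
remember_pending_flow(session, "/oauth/authorize?oauth_token=abc")
puts path_after_login(session) # resumes the authorize step
puts path_after_login(session) # nothing pending any more: start page
```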

This week
This week I hope I will be able to get the OAuth flow working perfectly. I will extend the dummy share API call to actually share a track on all connected services. I will also see if I can get some basic integration with Facebook's new Open Graph.

By the end of the week I should also have at least a full specification of the configuration API and hopefully a few API calls up and running as well.

Challenges
The only challenge that I see right now is to resolve the issues from last week. If I get that part working I think the rest will be a pretty smooth ride.