开发者

How authenticate Google wave gadget viewer on Appengine?

开发者 https://www.devze.com 2022-12-12 10:16 出处:网络
Imagine I want to create game \"Rock-paper-scissors\" for Google Waves. I am thinking to implement it as a Wave Gadget.

Imagine I want to create game "Rock-paper-scissors" for Google Waves. I am thinking to implement it as a Wave Gadget.

The idea is simple: all participants send their decisions to my cloud app (it is an Appengine Java Application), my server part collects this data and does not share to anybody until all participants complete their selection. After this the selection is shared to all participants and the winner is determined.

I can use wave.getViewer().getId() to identify user on the server during gadgets.io.makeRequest. I works perfectly. But how can I, on the server side, make sure that the incoming request is really from this specific wave user? (How can I approve that wave's participant id is not hacked on the client side? Any wave container signature allowing d开发者_StackOverflow中文版etermine wave participant id is available?)

What are the best practices for google wave participant authentication on my appengine side? Please provide examples if possible.

My actual gadget is more complicated but the problem is as described above.


I would code against an imagined future solution that is baked directly into the Wave protocol or API and hope that nobody spoofs participant IDs. You could also contact the Wave team to make your need for the feature known and see if anyone else is looking for the same.

It looks like there is some OpenAuth integration already built-in for robots: http://wave-robot-java-client.googlecode.com/svn/trunk/doc/index.html

Would you be able to implement a robot instead of a gadget? Or maybe use a robot for auth and have the gadget interface with your own auth tokens server-side?


As far as I can tell there is no "easy" way of doing this because all the communication with gadgets is directly between the client and the gadget, without Google interference for anything but the gadget's XML description.

The only way I can think off the top of my head is to have your users "log in" to the gadget's iframe with the accounts feature of Google App Engine. This would ensure they are indeed whoever they log in as.


How can I approve that wave's participant id is not hacked on the client side?

How can a user hack his wave patricipant id? I think there's no problem, wave.getViewer().getId() should be right.


I think you'd want to look into making a wave ROBOT instead of a GADGET. There is a difference.

Robots are wave-aware, gadgets are not.

Wave Robot API: http://code.google.com/apis/wave/extensions/robots/

0

精彩评论

暂无评论...
验证码 换一张
取 消