Greasemonkey and the SmugMug API
lukebaker
What would be the proper way to do API authentication when using the API from a Greasemonkey script that runs when a SmugMug user is logged in and at their SmugMug site?
I don't want to prompt for a password as the user is already logged into the SmugMug site. I've tried a few different things that seem to work, but I'm not sure if there's a proper way to achieve this.
Currently, what seems to work is to have my script call 'smugmug.login.anonymously'. Then for subsequent API calls, I send the user's 'SMSESS' cookie as the API's SessionID. I've had erratic behavior when trying to get all this to work, so I thought I'd check to see if there is a proper way to do this. Thanks.
Comments
It really depends on what your script is doing and what you class as erratic behaviour.
I am thinking that it may not be a good idea to always call "smugmug.login.anonymously" as this method will overwrite the user's "logged in" session cookie if they happen to be.
Give me a few more details and I will work through it with you.
Cheers,
David
SmugMug API Developer
My Photos
- User logs into www.smugmug.com.
- User visits username.smugmug.com.
- My Greasemonkey script grabs their album information, including private albums via the API.
I think I've narrowed down the erratic behavior I was seeing, which can be repeated in a browser.
- Log out of smugmug.com
- Clear cookies associated with .smugmug.com
- Log into smugmug.com
- Open new tab and go to: http://api.smugmug.com/hack/json/1.2.0/?APIKey=key&method=smugmug.albums.get&NickName=username (replace key and username with a valid key and the username you logged in with)
- Response from API is invalid key.
- Open new tab and go to: http://api.smugmug.com/hack/json/1.2.0/?APIKey=key&method=smugmug.login.anonymously (this will alter the SMSESS cookie as you said)
- Refresh the 'smugmug.albums.get' tab.
- Response from API is only the public albums.
- In initial tab, navigate to some smugmug page, like username.smugmug.com.
- The change in SMSESS cookie from the call to login.anonymously did not result in a logout (as this user is still logged in while using the altered SMSESS cookie).
- Refresh the 'smugmug.albums.get' tab.
- Response has all the albums of the user including private ones.
It appears a call to any of the login methods sets a new SMSESS cookie in the browser, even calls that result in errors. Furthermore, the above instructions work when sending bogus login.withHash or login.withPassword API calls instead of login.anonymously (where bogus is when you don't send a hash or password).
Obviously, I could do all of these steps in my script (behind the scenes), but that would be fairly cumbersome, so if there were a better way to do it that'd be super. I think ideally there'd be a login method in the API that would be passed an existing SessionID (SMSESS cookie value) to associate with an API key, and this method would not change the SMSESS cookie and allow the API key all the authorization that the SMSESS cookie had / has.
Luke,
Here's where I think the issue might be. The API will return invalid key, if you try to associate a session with a different API key than what was used to generate it. That is definitely what you are seeing in the step above.
The answer is not to send the API Key with any methods except smugmug.login.xxxx.
Try that and see how you go.
Cheers,
David
SmugMug API Developer
My Photos
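An added example (not from the thread and not SmugMug's code) modelling the rule in the reply above: a session is bound to the API key that created it, so the key is sent only on smugmug.login.* calls and later calls carry just the SessionID. The endpoint and method names come from the posts; `buildApiUrl`, `makeSessionModel`, passing `SessionID` as a query parameter, and the server-side check are assumptions for illustration.

```javascript
// Added illustration: models the behaviour described in the thread, not SmugMug's real server.
const ENDPOINT = "http://api.smugmug.com/hack/json/1.2.0/"; // URL from the thread

// Build a request URL. The API key is attached only to smugmug.login.* methods;
// every other method identifies itself with the SessionID alone.
function buildApiUrl(method, { apiKey, sessionId, params = {} } = {}) {
  const q = new URLSearchParams({ method });
  if (method.startsWith("smugmug.login.")) {
    if (!apiKey) throw new Error("login methods need an API key");
    q.set("APIKey", apiKey);
  } else {
    if (!sessionId) throw new Error(method + " needs a SessionID");
    q.set("SessionID", sessionId);
  }
  for (const [k, v] of Object.entries(params)) q.set(k, v);
  return ENDPOINT + "?" + q.toString();
}

// Hypothetical server-side model: each session remembers which key created it
// (null for a session created by the website login, as in the first albums.get request).
function makeSessionModel() {
  const sessions = new Map();
  let n = 0;
  return {
    create(apiKey = null) {
      const id = "sess-" + (++n); // constructed value
      sessions.set(id, apiKey);
      return id;
    },
    check(url) {
      const q = new URL(url).searchParams;
      const id = q.get("SessionID");
      if (!sessions.has(id)) return "invalid session";
      const presented = q.get("APIKey");
      // A key that differs from the one bound to the session is rejected.
      if (presented !== null && presented !== sessions.get(id)) return "invalid key";
      return "ok";
    },
  };
}
```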