Important API Update - Security related changes
devbobo
Registered Users, Retired Mod Posts: 4,339 SmugMug Employee
G'day All,
As part of our recent security changes, the API has been upgraded for all versions.
To give developers a chance to upgrade their apps or frameworks, the new changes will be rolled out in 3 phases, the timings of the 3 phases are yet to be determined...
Phase 1: Active NOW !!
- Return AlbumKey and ImageKey information where required
- Handle errors for invalid AlbumKey/ImageKey if sent
- No other errors returned
Phase 2: TBD
- Return errors for Images or Albums (that were created after the new implementation of keys) if the ImageKey or AlbumKey parameters aren't sent or are invalid
Phase 3: TBD
- Return errors for all methods where ImageKey or AlbumKey aren't sent.
The changes: the following methods all now return either AlbumKey or ImageKey...
- smugmug.albums.get (AlbumKey)
- smugmug.users.getTree (AlbumKey)
- smugmug.albums.create (AlbumKey)
- smugmug.images.getInfo (AlbumKey)
- smugmug.images.get (ImageKey)
- smugmug.images.upload (ImageKey)
- smugmug.images.uploadFromURL (ImageKey)
- all other upload methods (ImageKey)
The following methods will require AlbumKey to be sent in addition to AlbumID...
- smugmug.albums.getInfo
- smugmug.images.get
The following methods will require ImageKey to be sent in addition to ImageID...
- smugmug.images.getInfo
- smugmug.images.getURLs
- smugmug.images.getEXIF
Additionally, anyone using the random image url will need to add AlbumKey as below...
http://nickname.smugmug.com/photos/random.mg?AlbumID=[AlbumID]&AlbumKey=[AlbumKey]&Size=Tiny
Documentation will be updated to reflect these new changes very soon.
Application compatibility list:
StarExplorer, version 1.0.0.186
SendToSmugMug, version 1.1.8056.0
Lightroom Export plugin, version 20080221.37
phpSmug, versions 1.0.6 / 1.1.4
AlbumFetcher, version 0.3.3
fotoflot.com, version 2.0.2.1000+
SmugSaver, version 1.4
SmugBrowser, version 0.5.5
If you have any questions or problems, please let me know.
Cheers,
David
Have a look here for some details:
http://blogs.smugmug.com/don/2008/02/08/big-privacy-changes-at-smugmug/
If that doesn't clear things up yet, see any of your SmugMug galleries - they all now have some attachments to the gallery ID and photo ID:
http://cmac.smugmug.com/gallery/2504559_f3ta9#131481399_ZnZmK-A-LB
I hope this helps,
Sebastian
SmugMug Support Hero
SmugMug API Developer
My Photos
Hello,
Thanks for taking quick action on implementing this security change and incorporating it into the API.
I don't know how other developers have implemented their programs, but it seems it would be easier from a development standpoint to return the "id" and the "key" as a single "id" parameter (for example, "id=1234_abcd" instead of "id=1234&key=abcd"). Even if some developers have used the int type to store ids, it seems like the conversion to a string type would be less cumbersome to deal with than having to track and store 2 separate variables for each image/album.
This is just an observation and I'm sure other developers will have various input on how this impacts them.
Thanks again for all the work you do on the API.
Hey David,
It may be more efficient that way (for a developer), however it will potentially break a lot of existing apps, as the return type will no longer be an integer. Also, that would have resulted in me having to change nearly every single method to accommodate it.
Cheers,
David
SmugMug API Developer
My Photos
OK, I understand.
A couple of questions:
It looks like some of the API methods (such as smugmug.albums.delete) still only require the "id" parameter. However, is it always safe to include both the id and the key parameters even if the API method only requires the id parameter and not the key parameter? For example, is the API designed to simply ignore parameters that are not required for the particular method being called?
yes, that's correct
SmugMug API Developer
My Photos
Dave, I have been wondering about this change in general.
I understand you guys won't change, I am just wondering about alternate solutions, more to learn than anything.
You couldn't use a GUID because it would be too complex, but you could add a random 4 digit code.
Wouldn't just appending a new say 8 digit integer code at the end be just as good, and not require any new API?
If say the last image number before the change was 1234567890
then the next image would be 1234567891<random number> for example 12345678912546532
Wouldn't this be just as secure, but good enough?
I guess, people couldn't use integers, and that would break applications?
awesome... thanks Nik
SmugMug API Developer
My Photos
urlToImage = webServer + "/gallery/" + AlbumID + "_" + AlbumKey + "/1/" + ImageID + "/Thumb";
How/where do I add the logic to obtain the ImageKey ????????
Thanks - jerryr
SmugMug Sites - Creative Examples
Favorite Images and SmugMug Designs
You need to either store it after the upload, or retrieve the image info later (you may need to get the list of images first if you don't know image id yet)
function fixPhotoNav()
{
  // Add a "return to album" link to each photo navigation bar.
  var oPhotoNav = YD.getElementsByClassName("photoNav", "div");
  for (var i = 0; i < oPhotoNav.length; i++)
  {
    // Captures the album ID in $1 and, when present, the album key in $3.
    var re = /gallery\/([\d]+)(_(\w+))?\//;
    var oTitle = YD.getElementsByClassName("title", "span", oPhotoNav[i]);
    if (re.test(window.location))
      oTitle[0].innerHTML = "| " + oTitle[0].innerHTML + " |";
    re.exec(window.location);
    // The link is built from the album ID ($1) only.
    oPhotoNav[i].innerHTML = oPhotoNav[i].innerHTML + "<span ><a href=\"/gallery/" + RegExp.$1 + "\">return to album</a></span>";
  }
}
Ok, here is what I discovered.
For previously created galleries, the modification above works fine.
For galleries recently created around the new security release, it takes you to the smugmug home page.
Check it out:
Created back in the Fall:
http://jrphotos.smugmug.com/gallery/3789668
No Issues - When you click on 'Return to Album' - takes you to the
albums thumbnails.
Created this past weekend:
http://jrphotos.smugmug.com/gallery/4311576
When you click on 'Return to Album' - takes you to the smugmug home page.
Any insight would be greatly appreciated - jerryr
SmugMug Sites - Creative Examples
Favorite Images and SmugMug Designs
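An added example, not code from any poster in this thread: a parser for the gallery URL shapes quoted here that rebuilds the album link with the AlbumKey kept when one is present, so key-less older galleries and keyed newer ones both resolve. The function names are hypothetical, the example host and the key `AbCdE` are constructed, and it assumes keys are alphanumeric and that a keyed album lives at /gallery/AlbumID_AlbumKey, as in the links above.

```javascript
// Added example (not from the thread). URL shapes follow the links quoted
// in this thread; all function names are hypothetical.

// /gallery/<AlbumID>[_<AlbumKey>] followed by "/", "#", "?" or end of string.
// Assumption: keys are alphanumeric, like the ones visible in the thread.
const GALLERY_RE = /\/gallery\/(\d+)(?:_([A-Za-z0-9]+))?(?=[\/#?]|$)/;

// #<ImageID>[_<ImageKey>] fragment; a trailing suffix such as "-A-LB"
// is ignored.
const FRAGMENT_RE = /#(\d+)(?:_([A-Za-z0-9]+))?/;

function parseGalleryUrl(url) {
  const g = GALLERY_RE.exec(String(url));
  if (!g) return null;                 // not a gallery URL
  const f = FRAGMENT_RE.exec(String(url));
  return {
    albumId: g[1],                     // kept as a string, paired with its key
    albumKey: g[2] || null,            // null when the URL carries no key
    imageId: f ? f[1] : null,
    imageKey: f && f[2] ? f[2] : null,
  };
}

// Album path with the key appended only when the URL supplied one.
function albumPath(parsed) {
  const key = parsed.albumKey ? "_" + parsed.albumKey : "";
  return "/gallery/" + parsed.albumId + key;
}

// Target for a "return to album" link on the current page, or null when
// the current URL is not a gallery page.
function returnToAlbumHref(currentUrl) {
  const parsed = parseGalleryUrl(currentUrl);
  return parsed ? albumPath(parsed) : null;
}
```
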
May not be the right place.
This statement and others like it do not work. Any workaround or fix? Soon?
http://blue-dog.smugmug.com
http://smile-123.smugmug.com
http://vintage-photos.blogspot.com/
Canon 7D, 100-400L, Mongoose 3.5, hoping for a 500L real soon.
please see this thread.
SmugMug API Developer
My Photos
Hi jerry... I'm having the same issue... works for the old galleries and not the new ones... if you hover the "link" though, the url for the link shows as what we "wish it to be" but when you click you're taken to the SM homepage...
Seems to be a similar issue to that of the BZT hack... both work for old galleries, but not those created since the big change.... I hate change!!!
Any idea when API key distribution will resume? I've got ideas bouncing around in my head, and would like to get them into code before I forget...
I would also appreciate an ETA update for new API keys.
I would really appreciate an update as well. I have a developer waiting on this and it's holding up production. Thanks!
I've also been waiting for the new Keys. It was supposed to only be a few days, but it's gone beyond that. Any ETA on the new API keys?
This is really getting ridiculous. I must say I've been really disappointed by my trial at SmugMug. SmugMug does boast and have excellent response when you e-mail them with a concern or problem, but sadly it seems that it's all talk and no action. Apparently, as are other people, I've been waiting for API keys to become available again. I hesitantly decided, since I was told that the wait was not expected to be a long one, to go ahead and start my free trial in hopes that API keys would become available in the week or so. The responses of "soon, soon" are nice and all, but where are the real updates? I understand the reason for the suspension, but other than knowing that we are in Phase I, where are the real updates about exactly where things stand?? I'm still 6 months+ waiting for an API key over at flickr as well - this is turning into the exact same thing, except I've received replies from people here - though they don't seem to carry much backing.
Once phase II is active, I believe that we can start reissuing keys again, but I need to double check that with Don.
Cheers,
David
SmugMug API Developer
My Photos
If you're a 3rd party developer and your app is compatible with these changes, please let me know and I will add it to the list.
Cheers,
David
SmugMug API Developer
My Photos
Thanks, David, this is a great idea!
I've got a script that uses an API key to pull in a list of all albums in my account, and all images in those albums. I then generate html with thumbnails of a few random images, linked to their actual gallery pages. While I can get the urls to link to photos in albums, I can't get the urls for the images themselves - images.get isn't returning enough info.
First, I do an albums.get and parse the XML. The XML for that page contains the keys for each album as well as the album ID, so now I can format the links correctly. Halfway there!
The problem now is the images - images.get with an AlbumID just returns a list of the image numbers, but not the keys associated with each.
http://api.smugmug.com/hack/rest/?method=smugmug.images.get&APIKey=-APIkey-&NickName=gmara&SessionID=-Sessid-&AlbumID=4437056&Heavy=1&AlbumKey=FcCNN
returns something that looks like:
<?xml version="1.0" encoding="utf-8" ?><rsp stat="ok">
<method>smugmug.images.get</method>
<0>260728629</0><1>260728654</1><2>260728678</2>
....
(with the Heavy=1 key in there, it *should* be getting more info, but it's not.)
Now, the album ID, key and image ID are enough to link to an image. For example, the first image above in its gallery is at http://gmara.smugmug.com/gallery/4437056_FcCNN#260728629
However, to now get the thumbnail, I need to make this url:
http://gmara.smugmug.com/photos/260728629_D339S-Th.jpg
and I'm not sure how to get D339S, which must be the image key, and it's not coming back with images.get.
Also, last but not least, my methods above *are* still working for all older galleries - it's only the new one that this is broken for. (But it looks like that's expected for this phase.)
Am I just missing something silly here? Why aren't I getting more data from the images.get call?
Any kind of help would be much appreciated, especially if the next phase is going to break all the older galleries too!
Thanks,
-Tim
you should be using the endpoint...
http://api.smugmug.com/hack/rest/1.2.0/....
or http://api.smugmug.com/services/api/rest/1.2.1
SmugMug API Developer
My Photos
Hi All,
I need a new API key for a project. Any info on when these will be available again?
TIA,
- Mark
Swim for Them | WellmanHouse.net | AlbumFetcher | SmugShowBuilder
Hey guys - just another aspiring developer in line for an API key. I'm willing to work with the beta endpoint if you can hand out keys that work with that.
Thanks
--Steve
I'm waiting for an API Key.
How can I get the API Key? Please help me...
And when will you complete your security work?
Thanks