Important API Update - Security related changes

devbobo | LR whisperer | Melbourne, AU | Posts: 4,335 | Registered Users, Retired Mod SmugMug Employee
G'day All,

As part of our recent security changes, the API has been upgraded for all versions.

To give developers a chance to upgrade their apps or frameworks, the new changes will be rolled out in 3 phases; the timings of the 3 phases are yet to be determined...

Phase 1: Active NOW !!
- Return AlbumKey and ImageKey information where required
- Handle errors for invalid AlbumKey/ImageKey if sent
- No other errors returned

Phase 2: TBD
- Return errors for Images or Albums (that were created after the new implementation of keys) if the ImageKey or AlbumKey parameters aren't sent or are invalid

Phase 3: TBD
- Return errors for all methods where ImageKey or AlbumKey aren't sent.

The changes: the following methods all now return either AlbumKey or ImageKey...

- smugmug.albums.get (AlbumKey)
- smugmug.users.getTree (AlbumKey)
- smugmug.albums.create (AlbumKey)
- smugmug.images.getInfo (AlbumKey)

- smugmug.images.get (ImageKey)
- smugmug.images.upload (ImageKey)
- smugmug.images.uploadFromURL (ImageKey)
- all other upload methods (ImageKey)

The following methods will require AlbumKey to be sent in addition to AlbumID...

- smugmug.albums.getInfo
- smugmug.images.get

The following methods will require ImageKey to be sent in addition to ImageID...

- smugmug.images.getInfo
- smugmug.images.getURLs
- smugmug.images.getEXIF

Additionally, anyone using the random image url will need to add AlbumKey as below...

http://nickname.smugmug.com/photos/random.mg?AlbumID=[AlbumID]&AlbumKey=[AlbumKey]&Size=Tiny

Documentation will be updated to reflect these new changes very soon.

Application compatibility list:

StarExplorer, version 1.0.0.186
SendToSmugMug, version 1.1.8056.0
Lightroom Export plugin, version 20080221.37
phpSmug, versions 1.0.6 / 1.1.4
AlbumFetcher, version 0.3.3
fotoflot.com, version 2.0.2.1000+
SmugSaver, version 1.4
SmugBrowser, version 0.5.5

If you have any questions or problems, please let me know.

Cheers,

David
David Parry
SmugMug API Developer
My Photos

Comments

  • GarethLewin | Big grinning learning guy | Posts: 95 | Registered Users Big grins
    edited February 8, 2008
    Sorry David, but I don't understand. Could you add to your post what albumkey and imagekey are?
  • rainforest1155 | SmugMug Support Hero | Posts: 4,492 | Registered Users Major grins
    edited February 8, 2008
    Gareth,

    Have a look here for some details:
    http://blogs.smugmug.com/don/2008/02/08/big-privacy-changes-at-smugmug/

    If that doesn't clear things up yet, see any of your SmugMug galleries - they all now have some attachments to the gallery ID and photo ID:
    http://cmac.smugmug.com/gallery/2504559_f3ta9#131481399_ZnZmK-A-LB

    I hope this helps,
    Sebastian
    Sebastian
    SmugMug Support Hero
  • devbobo | LR whisperer | Melbourne, AU | Posts: 4,335 | Registered Users, Retired Mod SmugMug Employee
    edited February 8, 2008
    bump
  • David PL | Big grins | Posts: 80 | Registered Users Big grins
    edited February 8, 2008
    Hello,

    Thanks for taking quick action on implementing this security change and incorporating it into the API.

    I don't know how other developers have implemented their programs, but it seems it would be easier from a development standpoint to return the "id" and the "key" as a single "id" parameter (for example, "id=1234_abcd" instead of "id=1234&key=abcd"). Even if some developers have used the int type to store ids, it seems like the conversion to a string type would be less cumbersome to deal with than having to track and store 2 separate variables for each image/album.

    This is just an observation and I'm sure other developers will have various input on how this impacts them.

    Thanks again for all the work you do on the API.
  • devbobo | LR whisperer | Melbourne, AU | Posts: 4,335 | Registered Users, Retired Mod SmugMug Employee
    edited February 8, 2008
    David PL wrote:
    Hello,

    Thanks for taking quick action on implementing this security change and incorporating it into the API.

    I don't know how other developers have implemented their programs, but it seems it would be easier from a development standpoint to return the "id" and the "key" as a single "id" parameter (for example, "id=1234_abcd" instead of "id=1234&key=abcd"). Even if some developers have used the int type to store ids, it seems like the conversion to a string type would be less cumbersome to deal with than having to track and store 2 separate variables for each image/album.

    This is just an observation and I'm sure other developers will have various input on how this impacts them.

    Thanks again for all the work you do on the API.

    Hey David,

    It may be more efficient that way (for a developer :D), however it will potentially break a lot of existing apps, as the return type will no longer be an integer. Also, that would have resulted in me having to change nearly every single method to accommodate it.

    Cheers,

    David
  • David PL | Big grins | Posts: 80 | Registered Users Big grins
    edited February 9, 2008
    devbobo wrote:
    Hey David,

    It may be more efficient that way (for a developer :D), however it will potentially break a lot of existing apps, as the return type will no longer be an integer. Also, that would have resulted in me having to change nearly every single method to accommodate it.

    Cheers,

    David

    OK, I understand.

    A couple of questions:

    It looks like some of the API methods (such as smugmug.albums.delete) still only require the "id" parameter. However, is it always safe to include both the id and the key parameters even if the API method only requires the id parameter and not the key parameter? For example, is the API designed to simply ignore parameters that are not required for the particular method being called?
  • devbobo | LR whisperer | Melbourne, AU | Posts: 4,335 | Registered Users, Retired Mod SmugMug Employee
    edited February 10, 2008
    David PL wrote:
    OK, I understand.

    A couple of questions:

    It looks like some of the API methods (such as smugmug.albums.delete) still only require the "id" parameter. However, is it always safe to include both the id and the key parameters even if the API method only requires the id parameter and not the key parameter? For example, is the API designed to simply ignore parameters that are not required for the particular method being called?

    yes, that's correct
  • GarethLewin | Big grinning learning guy | Posts: 95 | Registered Users Big grins
    edited February 10, 2008
    devbobo wrote:
    yes, that's correct

    Dave, I have been wondering about this change in general.

    I understand you guys won't change, I am just wondering about alternate solutions, more to learn than anything.

    You couldn't use a GUID because it would be too complex, but you could add a random 4 digit code.

    Wouldn't just appending a new say 8 digit integer code at the end be just as good, and not require any new API?

    If say the last image number before the change was 1234567890

    then the next image would be 1234567891<random number> for example 12345678912546532

    Wouldn't this be just as secure, but good enough?

    I guess, people couldn't use integers, and that would break applications?
  • Nikolai | Darth SLR | Posts: 19,033 | Registered Users Major grins
    edited February 10, 2008
    S*E 184 is now compliant with the new "keys" system. Both album and image keys are used throughout the system.
    "May the f/stop be with you!"
    Star*Explorer: on Dgrin, home; Master Class: open;
    Class is in session, My Facebook, @DarthSLR, #NiksTips
    member: NAPP, PPA, partner: Adobe
    Comprehending life, universe and everything - one pixel at a time
  • devbobo | LR whisperer | Melbourne, AU | Posts: 4,335 | Registered Users, Retired Mod SmugMug Employee
    edited February 10, 2008
    Nikolai wrote:
    S*E 184 is now compliant with the new "keys" system. Both album and image keys are used throughout the system.

    awesome... thanks Nik
  • jerryr | Smugmug Customization | Posts: 539 | Registered Users Major grins
    edited February 10, 2008
    Hi - I am using this code presently to obtain the URL for an image (javascript):

    urlToImage = webServer + "/gallery/" + AlbumID + "_" + AlbumKey + "/1/" + ImageID + "/Thumb";

    How/where do I add the logic to obtain the ImageKey ????????

    Thanks - jerryr
  • Nikolai | Darth SLR | Posts: 19,033 | Registered Users Major grins
    edited February 11, 2008
    jerryr wrote:
    Hi - I am using this code presently to obtain the URL for an image (javascript):

    urlToImage = webServer + "/gallery/" + AlbumID + "_" + AlbumKey + "/1/" + ImageID + "/Thumb";

    How/where do I add the logic to obtain the ImageKey ????????

    Thanks - jerryr

    You need to either store it after the upload, or retrieve the image info later (you may need to get the list of images first if you don't know image id yet)
  • jerryr | Smugmug Customization | Posts: 539 | Registered Users Major grins
    edited February 14, 2008
    Hi - I thought I would post this here - might be more appropriate...

    function fixPhotoNav()
    {
        // Every photo navigation bar on the page
        var oPhotoNav = YD.getElementsByClassName("photoNav", "div");
        for (var i = 0; i < oPhotoNav.length; i++)
        {
            // Matches /gallery/<AlbumID>/ with an optional _<AlbumKey> suffix
            var re = /gallery\/([\d]+)(_(\w+))?\//;
            var oTitle = YD.getElementsByClassName("title", "span", oPhotoNav[i]);
            if (re.test(window.location))
                oTitle[0].innerHTML = "| " + oTitle[0].innerHTML + " |";
            re.exec(window.location);
            // Only the numeric AlbumID ($1) goes into the link; the AlbumKey is not used
            oPhotoNav[i].innerHTML = oPhotoNav[i].innerHTML + "<span ><a href=\"/gallery/" + RegExp.$1 + "\">return to album</a></span>";
        }
    }


    Ok, here is what I discovered.
    For previously created galleries, the modification above works fine.
    For galleries recently created around the new security release, it takes you to the smugmug home page.
    Check it out:
    Created back in the Fall:
    http://jrphotos.smugmug.com/gallery/3789668
    No Issues - When you click on 'Return to Album' - takes you to the
    albums thumbnails.
    Created this past weekend:
    http://jrphotos.smugmug.com/gallery/4311576
    When you click on 'Return to Album' - takes you to the smugmug home page.
    Any insight would be greatly appreciated - jerryr
  • largelylivin | Blue-Dog | Posts: 561 | Registered Users Major grins
    edited February 14, 2008
    TemplateID doesn't work
    May not be the right place.

    This statement and others like it do not work. Any workaround or fix? Soon?
    http://smile-123.smugmug.com/homepage/templatechange.mg?TemplateID=7&origin=http://smile-123.smugmug.com/keyword/finished
    
    Brad Newby

    http://blue-dog.smugmug.com
    http://smile-123.smugmug.com
    http://vintage-photos.blogspot.com/

    Canon 7D, 100-400L, Mongoose 3.5, hoping for a 500L real soon.
  • devbobo | LR whisperer | Melbourne, AU | Posts: 4,335 | Registered Users, Retired Mod SmugMug Employee
    edited February 14, 2008
    May not be the right place.

    This statement and others like it do not work. Any workaround or fix? Soon?
    http://smile-123.smugmug.com/homepage/templatechange.mg?TemplateID=7&origin=http://smile-123.smugmug.com/keyword/finished
    

    please see this thread.
  • brandofamily | Just a Guy with a Camera | Illinois USA | Posts: 1,974 | Registered Users Major grins
    edited February 16, 2008
    Hi jerry... I'm having the same issue... works for the old galleries and not the new ones... if you hover the "link" though, the url for the link shows as what we "wish it to be" but when you click you're taken to the SM homepage...
    Seems to be a similar issue to that of the BZT hack... both work for old galleries, but not those created since the big change.... I hate change!!!
  • voytek | Beginner grinner | Posts: 4 | Registered Users Beginner grinner
    edited February 22, 2008
    devbobo wrote:
    NOTE: we have temporarily suspended giving out api keys until all the security features have been rolled out, we'll post here when the suspension has been lifted.

    If you have any questions or problems, please let me know.

    Cheers,

    David

    Any idea when API key distribution will resume? I've got ideas bouncing around in my head, and would like to get them into code before I forget...
  • Archeography | Beginner grinner | Posts: 1 | Registered Users Beginner grinner
    edited February 25, 2008
    Also waiting on API key
    I would also appreciate an ETA update for new API keys.
  • Jshwaz | Beginner grinner | Posts: 2 | Registered Users Beginner grinner
    edited February 29, 2008
    Eta
    I would really appreciate an update as well. I have a developer waiting on this and it's holding up production. Thanks!
  • ClassBrain | ClassBrain | Posts: 1 | Registered Users Beginner grinner
    edited February 29, 2008
    Also Waiting...Can't much longer
    I've also been waiting for the new Keys. It was supposed to only be a few days, but it's gone beyond that. Any ETA on the new API keys?
  • nirvanic | Beginner grinner | Posts: 1 | Registered Users Beginner grinner
    edited March 1, 2008
    Very poor customer service / lack of updates
    This is really getting ridiculous. I must say I've been really disappointed by my trial at SmugMug. SmugMug does boast and have excellent response when you e-mail them with a concern or problem, but sadly it seems that it's all talk and no action. Apparently, as are other people, I've been waiting for API keys to become available again. I hesitantly decided, since I was told that the wait was not expected to be a long one, to go ahead and start my free trial in hopes that API keys would become available in the week or so. The responses of "soon, soon" are nice and all, but where are the real updates? I understand the reason for the suspension, but other than knowing that we are in Phase I, where are the real updates about exactly where things stand?? I'm still 6 months+ waiting for an API key over at flickr as well - this is turning into the exact same thing, except I've received replies from people here - though they don't seem to carry much backing.
  • devbobo | LR whisperer | Melbourne, AU | Posts: 4,335 | Registered Users, Retired Mod SmugMug Employee
    edited March 1, 2008
    I am hoping that we will be able to move into this phase II this week, but that is based on making sure that a few 3rd party products that are commonly used have implemented the new security features and a new version of the MacUploader.

    Once phase II is active, I believe that we can start reissuing keys again, but I need to double check that with Don.

    Cheers,

    David
  • devbobo | LR whisperer | Melbourne, AU | Posts: 4,335 | Registered Users, Retired Mod SmugMug Employee
    edited March 1, 2008
    The original post now has an application compatibility list.

    If you're a 3rd party developer and your app is compatible with these changes, please let me know and I will add it to the list.

    Cheers,

    David
  • Nikolai | Darth SLR | Posts: 19,033 | Registered Users Major grins
    edited March 1, 2008
    devbobo wrote:
    The original post now has an application compatibility list.

    If you're a 3rd party developer and your app is compatible with these changes, please let me know and I will add it to the list.

    Cheers,

    David

    Thanks, David, this is a great idea!
  • timpics | Beginner grinner | Posts: 7 | Registered Users Beginner grinner
    edited March 2, 2008
    images.get doesn't return Image Keys?
    I've got a script that uses an API key to pull in a list of all albums in my account, and all images in those albums. I then generate html with thumbnails of a few random images, linked to their actual gallery pages. While I can get the urls to link to photos in albums, I can't get the urls for the images themselves - images.get isn't returning enough info.

    First, I do an albums.get and parse the XML. The XML for that page contains the keys for each album as well as the album ID, so now I can format the links correctly. Halfway there!

    The problem now is the images - images.get with an AlbumID just returns a list of the image numbers, but not the keys associated with each.

    http://api.smugmug.com/hack/rest/?method=smugmug.images.get&APIKey=-APIkey-&NickName=gmara&SessionID=-Sessid-&AlbumID=4437056&Heavy=1&AlbumKey=FcCNN

    returns something that looks like:
    <?xml version="1.0" encoding="utf-8" ?><rsp stat="ok">
    <method>smugmug.images.get</method>
    <0>260728629</0><1>260728654</1><2>260728678</2>
    ....

    (with the Heavy=1 key in there, it *should* be getting more info, but it's not.)

    Now, the album ID, key and image ID are enough to link to an image. For example, the first image above in its gallery is at http://gmara.smugmug.com/gallery/4437056_FcCNN#260728629

    However, to now get the thumbnail, I need to make this url:
    http://gmara.smugmug.com/photos/260728629_D339S-Th.jpg

    and I'm not sure how to get D339S, which must be the image key, and it's not coming back with images.get.


    Also, last but not least, my methods above *are* still working for all older galleries - it's only the new one that this is broken for. (But it looks like that's expected for this phase.)

    Am I just missing something silly here? Why aren't I getting more data from the images.get call?

    Any kind of help would be much appreciated, especially if the next phase is going to break all the older galleries too!


    Thanks,
    -Tim
  • devbobo | LR whisperer | Melbourne, AU | Posts: 4,335 | Registered Users, Retired Mod SmugMug Employee
    edited March 2, 2008
    you should be using the endpoint...

    http://api.smugmug.com/hack/rest/1.2.0/....

    or http://api.smugmug.com/services/api/rest/1.2.1
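Added example (not part of any post in this thread): URL handling for the ID_Key forms quoted above, covering both jerryr's "return to album" link and the thumbnail URL timpics asks about. Function names are hypothetical, and it assumes an album created after the change has to be addressed as AlbumID_AlbumKey; the ImageKey itself still has to come from the API.

```javascript
// Added example; function names are hypothetical, URL shapes come from the posts above.

// /gallery/<AlbumID>[_<AlbumKey>], followed by "/", "#", "?" or end of string.
const GALLERY_RE = /\/gallery\/(\d+)(?:_([A-Za-z0-9]+))?(?=[\/#?]|$)/;
// #<ImageID>[_<ImageKey>]; a trailing suffix such as "-A-LB" is ignored.
const FRAGMENT_RE = /#(\d+)(?:_([A-Za-z0-9]+))?/;

// Split a gallery URL into IDs and keys. Keys are null for old-style URLs.
function parseGalleryUrl(url) {
  const text = String(url); // accepts window.location as well as a string
  const g = GALLERY_RE.exec(text);
  if (!g) return null;
  const f = FRAGMENT_RE.exec(text);
  return {
    albumId: g[1],
    albumKey: g[2] || null,
    imageId: f ? f[1] : null,
    imageKey: f && f[2] ? f[2] : null,
  };
}

// Album link that keeps the key when the current URL carries one.
function albumPath(ref) {
  return "/gallery/" + ref.albumId + (ref.albumKey ? "_" + ref.albumKey : "");
}

// href for a "return to album" link built from the current page address.
// Both captures admit only digits and ASCII letters, so the result can be
// concatenated into markup without carrying quotes or angle brackets.
function returnToAlbumHref(locationHref) {
  const ref = parseGalleryUrl(locationHref);
  return ref ? albumPath(ref) : null;
}

// Thumbnail path in the /photos/<ImageID>_<ImageKey>-Th.jpg form from the thread.
// Values are validated because they usually arrive from an API response.
function thumbPath(imageId, imageKey) {
  if (!/^\d+$/.test(String(imageId))) {
    throw new TypeError("imageId must be numeric");
  }
  if (!/^[A-Za-z0-9]+$/.test(String(imageKey))) {
    throw new TypeError("imageKey must be alphanumeric");
  }
  return "/photos/" + imageId + "_" + imageKey + "-Th.jpg";
}
```
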
  • burn | Beginner grinner | Posts: 7 | Registered Users Beginner grinner
    edited March 3, 2008
    API Keys?
    Hi All,

    I need a new API key for a project. Any info on when these will be available again?

    TIA,

    - Mark
  • wellman | Swimming for Them | Posts: 961 | Registered Users Major grins
    edited March 3, 2008
    AlbumFetcher v0.3.3 is available. The new version makes AlbumFetcher play nice with SmugMug's new security hotness. Enjoy!
  • stevex | Beginner grinner | Posts: 4 | Registered Users Beginner grinner
    edited March 11, 2008
    Waiting for an API Key
    Hey guys - just another aspiring developer in line for an API key. I'm willing to work with the beta endpoint if you can hand out keys that work with that.

    Thanks
    --Steve
  • pro200 | Beginner grinner | Posts: 1 | Registered Users Beginner grinner
    edited March 14, 2008
    How can I get the API Key?
    I'm waiting for an API Key
    How can I get the API Key please help me...
    and when will you complete your security work?

    Thanks