Opened 13 years ago
Closed 12 years ago
#2335 closed enhancement (wontfix)
Usecase for new handler in dojo.io.bind
Reported by: | guest | Owned by: | James Burke |
---|---|---|---|
Priority: | high | Milestone: | 1.0 |
Component: | IO | Version: | 0.4.1 |
Keywords: | bind | Cc: | |
Blocked By: | Blocking: |
Description
I am accessing the FlickrAPI via JSONP and ScriptSrcIO. Some parts of the API require authentication, authenticated requests need to be signed.
Signed requests are typically done like this : http://www.flickr.com/services/api/auth.howto.desktop.html
Requests signed by making an MD5 hash of the alphabetically sorted request params and their data with a token etc., then adding this as an extra parameter (etc. etc.).
When you use ScriptSrcIO with JSONP and the jsonParamName kwArg option, extra parameters get added during the call to dojo.io.bind, meaning that you cannot accurately sign the request before calling it.
The solution I am thinking of is to add yet another optional parameter to kwArgs, something like :
preFlightHandler: function(query) { final adjustments to Request query }
The preFlightHandler would then be called as the last code able to add parameters to the Request.
It would probably be more convenient to have a Map of the request params passed to the handler, but this would require a big re-write of the bind code, as it starts working with just a query string very early on.
Change History (2)
comment:1 Changed 12 years ago by
Milestone: | → 1.0 |
---|
comment:2 Changed 12 years ago by
Resolution: | → wontfix |
---|---|
Status: | new → closed |
Looking at this more, I'm not sure this is a good idea. The request signatures for APIs like this (Flickr and AOL's OpenAuth?), require using a shared secret. Normally this shared secret should not be visible, but it will be if used in JavaScript? in the browser.
I do not think we want to encourage that use case, even though it is something I have done before. It also makes another function argument we have to explain in the docs, for a very rare case. So I'm going to mark as wontfix. You can still get sort of what you want by overriding dojo.io.script.attach(), and modifying the URL before the script tag gets attached.