Version 3.0 API

Rodolfo

Chevereto Developer
Chevereto Staff
Joined
Oct 7, 2008
Messages
15,522
Points
237
Location
Chevereto HQ
Website
rodolfoberrios.com
So unless you create a new API we are screwed. Are the blocked requests only remote ones, or does it include local ones (like ones made with a local PHP script)?
The system now asks for auth_token, which is compared to the current session, and the tokens must match or else the request is denied. This has been done in such a way to avoid any kind of malicious attacks that could cause unattended actions like deleting images, albums, etc. So if you don't provide a valid request token you won't do anything.

I would like to add that the complaints against the API seem to have lost the nature of what API means: Application programmable interface. It is not something that non-developers should play with, and I removed the default one because it didn't have any security or request logging to avoid things like massive abuse of the system and other bad practices.

So the deal here is that the old API was used pretty much just to upload pictures. Well, if you notice the route.json.php file from 3.X, uploading anything is pretty easy:
Code:
http://demo.chevereto.com/json/?action=upload&type=<url|file>&source=<source>
Along with several other kinds of actions for everything you can imagine.

Making a custom API for V3 is just a matter of copying route.json.php into routes/overrides as route.myapi.php and then removing this:
PHP:
        // CSRF protection
        if(!$handler::checkAuthToken($_REQUEST['auth_token'])) {
            throw new Exception(_s('Request denied'), 400);
        }
Not recommended but still.
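
An added example, not part of the original post and not Chevereto's own code: a session-bound request-token check of the kind described above, together with an API-key check that a custom override route could run in place of the removed CSRF check so the route is not left unauthenticated. The function names, the session array and the sample key are all assumptions made for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not Chevereto's API.

// Create one random token per session and keep it server-side.
function issue_auth_token(array &$session): string
{
    if (empty($session['auth_token'])) {
        $session['auth_token'] = bin2hex(random_bytes(32));
    }
    return $session['auth_token'];
}

// Accept the request only if the supplied token equals the session's token.
function check_auth_token(array $session, $supplied): bool
{
    $expected = $session['auth_token'] ?? '';
    // Reject a missing session token and non-string input such as auth_token[]=x.
    if ($expected === '' || !is_string($supplied)) {
        return false;
    }
    return hash_equals($expected, $supplied); // constant-time comparison
}

// For a session-less custom route: compare the client's key with a stored SHA-256 hash.
function check_api_key($supplied, string $storedHash): bool
{
    return is_string($supplied)
        && hash_equals($storedHash, hash('sha256', $supplied));
}

// Constructed sample data (not taken from any real installation).
$session = [];
$token = issue_auth_token($session);
$storedHash = hash('sha256', 'example-key-constructed');

var_dump(check_auth_token($session, $token));   // token rendered into a page of this session
var_dump(check_auth_token($session, null));     // cross-site request that carries no token
var_dump(check_auth_token($session, ['x']));    // array-typed request parameter
var_dump(check_auth_token([], ''));             // session that never issued a token
var_dump(check_api_key('example-key-constructed', $storedHash));
var_dump(check_api_key('wrong-key', $storedHash));
```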
 

Baraka

Founder license
License owner
Joined
Jun 14, 2011
Messages
27
Points
58
Location
Chicago
Website
barakadesigns.com
Very awesome, tested it out and it works perfectly. Rodolfo, great addition.
 

bubbl3

Founder license
License owner
Joined
Feb 2, 2012
Messages
20
Points
58
After some trials I did manage to make the extension work, but after upload I just get the code from the json function. Any suggestions on how to redirect people to the uploaded image?
 

Baraka

Great to hear! Well, there are a few ways you can do this. To make it easier, you can use jQuery and parse out the data on success, and you can therefore use the parsed object (in this case url) to create your new tab as a redirection.
 

bubbl3

Thanks, I did read about it, but it's way out of my league. As you probably have already done it for your extension, could you share some code about this? Would be much appreciated and I'm sure will help several people like me.