Disqus - Latest Comments for nageshs

Re: Keeping secrets safe with YQL Storage

Nagesh Susarla — Wed, 06 Oct 2010 02:16:30 -0000

Hi Tim,

That's indeed a very good question. Query aliases are only shortcuts. Besides that they do not prevent the user from seeing the actual URLs that you used in your query. The user of the alias can add a '&diagnostics=true' and see the entire URL that was used to make the call to the webservice.

Let me take the following example:

If I declared a query alias, such as http://query.yahooapis.com/v1/public/yql/nagesh/test2?foo=topstories which takes in a query parameter named 'foo' and the rest of the URL is hardcoded in my alias, I can simply append &diagnostics=true to see the following which gives away the URL that I used in this case.

<url execution-time="10" >http://rss.news.yahoo.com/r...

Using stored secrets going one step ahead by obsuring all URLs that appear in the diagnostics to look something like http://domain... thus ensuring that any secret gives are not divulged to the user.

Re: Keeping secrets safe with YQL Storage

Nagesh Susarla — Tue, 05 Oct 2010 14:35:15 -0000

Hi Tim,

One way to accomplish this is by using the uritemplate table which lets you create arbitrary URLs from templates like the one you mention.

example:

select url from uritemplate where template='http://bungie.net/videos/{BungieAPIKey}/{user}/{page}' and BungieAPIKey='key' and user='foo' and page='bar'

Once you have the URL you can use the JSON table to curl the URL

select * from json where url in (select url from uritemplate where template='http://bungie.net/videos/{BungieAPIKey}/{user}/{page}' and BungieAPIKey='key' and user='foo' and page='bar')

Now once you have this working, lets look at what needs to be done to make the API key a secret. To do that you could have to create a store table entry which contains the following

"SET BungieAPIKey='secret' on uritemplate;"

Insert this into the yql.storage as described in the docs or the link and use the execute key that is returned to run your query.

http://developer.yahoo.com/...

The query doesn't need the api key anymore so you can run

select * from json where url in (select url from uritemplate where template='http://bungie.net/videos/{BungieAPIKey}/{user}/{page}' and user='foo' and page='bar')

Re: Maven artifacts need to be more discoverable

Nagesh Susarla — Sun, 16 May 2010 23:31:25 -0000

I love this idea! It certainly solves the resolution problem implicitly when you point to a URL.

Re: Sometimes 140 characters isn't enough - Twnote

Nagesh Susarla — Fri, 05 Mar 2010 01:01:58 -0000

trying out choip.me

Re: Happy Birthday Retweet Rank!

Nagesh Susarla — Wed, 13 Jan 2010 19:37:09 -0000

Congrats Saurabh!

Re: OAuth-ify this: 2 Legged OAuth service for YQL

Nagesh Susarla — Mon, 23 Mar 2009 16:39:01 -0000

Hi Miki,

You can use the oauth code up at http://oauth.googlecode.com... to perform the 3 legged OAuth.
For Yahoo services we do intend to publish a java SDK which is customized to perform 3 legged OAuth and mirror the features in our PHP SFK. Stay tuned for that. Let me know if that answers your question.

Re: YQL Social Queries (FAQ)

Nagesh Susarla — Fri, 20 Mar 2009 19:23:26 -0000

Without Authorization (OAuth) it is not possible to access the social.profile table and hence the guid.