While contentType may be an empty string (for requests that bear no body), date is mandatory and must have a value.Įven when contentType is empty, its trailing line break MUST be included. The parameter requestLine is simply the concatenation of the method, URI and HTTP version (with spaces):ĬontentType and date parameters are the Content-Type and Date headers included in the request. The stringToSign parameter is a concatenation of some of the contents of the request. Signature = HMAC_SHA1 (ApplicationPrivateKey:MD5 (UserPassword ), stringToSign )Īuthorization: droplr BASE64 (ApplicationPublicKey:UserEmail ):signature # Example stringToSign parameter with no contentType
#USE HTML TO DISPLAY DROPLR IMAGE ON WEBSITE PASSWORD#
We strongly recommend you to always store the hash of the password as your users enter their credentials, discarding the clear password as soon as possible.
The hashing function for the password is SHA-1. HMAC_SHA1(ApplicationPrivateKey:UserPasswordSHA1, stringToSign)ĪpplicationPrivateKey and UserPasswordSHA1 are your application’s assigned secret key and the user’s (hashed) password. The formula to compute the signature parameter is: Where ApplicationPublicKey and UserEmail are your application’s assigned public key and the user’s email. Starting from the end, an example of how an Authorization header should look is:Īuthorization: droplr YXBwXzBfcHVibGlja2V5OnVzZXJfMUBkcm9wbHIuY29t:3+MqSMFYYwh6grneUezBtRkunmE=Īuthorization: droplr BASE64(ApplicationPublicKey:UserEmail):signature Authentication Formula # Example Authorization headerĪuthorization: droplr YXBwXzBfcHVibGlja2V5OnVzZXJfMUBkcm9wbHIuY29t:3+MqSMFYYwh6grneUezBtRkunmE = When set, this header will take precedence over the Date header.ĭroplr API server provides many operations the ability to execute them depends on the privileges configured for the public/private API key pair assigned to an application.Īs an example, a typical third party application will be able to list drops, perform uploads, delete drops and alter user information but it won’t be able to create new accounts. If the framework you’re using doesn’t allow you to manually set the Date header, you can use the custom x-droplr-date header. Furthermore, the server keeps used signatures in a local cache – during the time window in which they are valid – in order to avoid replay attacks.
If this condition fails, the requests may be discarded. This value must fall within 15 minutes (ahead or behind) the server’s clock. Protection Against Replay AttacksĪll requests must include a Date header, with the time in Unix (POSIX) format – the milliseconds elapsed since midnight January 1st, 1970, UTC. In order for you to access the API you must have a public/private key combination to access Droplr’s API server.Īuthentication works on a per-request basis, which means that every single request must be pre-signed according to its contents.ĭroplr API server uses a custom authentication method along with some other mechanisms to ensure a safe non-reversible authentication method which is also immunte to replay attacks. Public Operations Authentication & AuthorizationĪll API operations must be properly authenticated.
0 kommentar(er)
