We were thinking of implementing this as an optional image editor for our web based gallery/photo manager, Ansel (http://www.horde.org/ansel). I have a concern about security though. Would you consider implementing a shared-secret/signing mechanism? Unless I'm missing something, right now, it would be theoretically possible for a malicious attacker to send a post to our post back URL and replace the user's image with any arbitrary image. Having Aviary sign the post with perhaps an md5 of all the parameters plus a shared secret would go a long way in avoiding these things. Similarly, it might be a good idea to require the client to sign it's requests in the same manner.

Thoughts?

mrubinsk said: We were thinking of implementing this as an optional image editor for our web based gallery/photo manager, Ansel (http://www.horde.org/ansel). I have a concern about security though. Would you consider implementing a shared-secret/signing mechanism? Unless I'm missing something, right now, it would be theoretically possible for a malicious attacker to send a post to our post back URL and replace the user's image with any arbitrary image. Having Aviary sign the post with perhaps an md5 of all the parameters plus a shared secret would go a long way in avoiding these things. Similarly, it might be a good idea to require the client to sign it's requests in the same manner.

Thoughts?

Our Advanced API (coming soon) will have signed requests. This simple API is meant to make things as easy as possible.

Great. Thanks for the info. I will be looking forward to working with the Advanced API...

You could fake this now by including the md5 in your postback URL.

Eg, take some data which is private to you (say the username, your API key) and append either the IP address that Aviary appears to post from or maybe the subnet, so something like:

eg: echo "username,apikey,65.98.13.108" | md5 returns "92068d39db1a518dc0a7402340f25591". Stripping off the last octet ("username,apikey,65.98.13.") results in "e8891e753984d367965f2fd8cf211794".

Then append this to your posturl, eg, http://example.com/postback?key=e8891e753984d36796... .

Now when you get the postback, recompute the hash, substituting the IP address you receive the POSTback from. Even if someone's copied the postback URL and is manually POSTing to your interface, their IP address isn't going to be the Aviary IP address without some significant work.

Far more simpler I guess would be just to check the IP address the postback comes from, ignoring the md5 hashing altogether. This is susceptible to Aviary changing IP addresses for their server(s).

Very clever epc!

Im running into a similar problem as EPSNOWDEN did. I want to have a .egg file automatically load into Aviary. So Right now Im using:
loadurl=363525e-8ca5-102c-b565-0030488e168c and this is not working.

The full link is: http://aviary.com/flash/aviary/index.aspx?tid=1&ph...

Thank you.

dev_atl said: Im running into a similar problem as EPSNOWDEN did. I want to have a .egg file automatically load into Aviary. So Right now Im using:
loadurl=363525e-8ca5-102c-b565-0030488e168c and this is not working.

The full link is: http://aviary.com/flash/aviary/index.aspx?tid=1&ph...

Thank you.

It looks like you mis-typed the fileguid and left out a character in the first grouping. It should be 3635258e-8ca5-102c-b565-0030488e168c making the full link:
http://aviary.com/flash/aviary/index.aspx?tid=1&ph...

Don't forget your posturl!

saving question: is there anyway we can add fields to the form that gets posted to our server? We want to add a place for the user to put their name, email, and birthday.

Thanks.

Not as part of the simple API as adding elements in that manner would change the size of the save window and possibly mess up the layout.

Could you describe a little more how you'd intend the work flow to appear?

dev_atl said: saving question: is there anyway we can add fields to the form that gets posted to our server? We want to add a place for the user to put their name, email, and birthday.

Thanks.

if you collect the info on your site and just need to pass it through in the save post, you can append them to the queeystring of the posturl. We don't collect personal info in our save form.

Hi,

The Simple API is a great idea, but I'm concerned about your frame breaking script. In my case, I would like to include the Aviary suite as the default image manipulation suite in amoebaOS - the problem is, the apps themselves would be loaded in an iframe, surrounded the the OS' window chrome. The frame breaking script makes this very clunky and not usable, because it tries to replace the OS window. Would you consider removing the script, or allowing specific developer keys access to the apps within frames? I would love to include Phoenix and Raven in the OS so people can edit images and vector graphics, but because of this I would have to use another suite.

Thanks, your products are awesome.
- Jason

developit said: Hi,

The Simple API is a great idea, but I'm concerned about your frame breaking script. In my case, I would like to include the Aviary suite as the default image manipulation suite in amoebaOS - the problem is, the apps themselves would be loaded in an iframe, surrounded the the OS' window chrome. The frame breaking script makes this very clunky and not usable, because it tries to replace the OS window. Would you consider removing the script, or allowing specific developer keys access to the apps within frames? I would love to include Phoenix and Raven in the OS so people can edit images and vector graphics, but because of this I would have to use another suite.

Thanks, your products are awesome.
- Jason

thanks for the feedback Jason! We're going to push a version next week that removes the frame busting script.

Awesome! I've already set up all of the application wrappers with icons and splash screens. Do you have any policies regarding how best to represent the product? I would like to have the apps branded as Aviary so people know what editor they are using - like putting Phoenix in /Applications/Aviary/Phoenix/Phoenix.app - would that be best?

Thanks.

Yes, that sounds great!

Edit: Can I have a beta invite to try it out? I'd love to see amoebaOS action (avi@aviary.com).

I will work on getting you a beta account - we're still in a closed mode, because although the OS itself is stable, the filesystem has not been tested for the kind of scalability that we need it to be capable of. I will make sure you are informed when the testing is complete, and then I'll get you a beta key. Sorry for the wait... it's been a long road!