Forums : Ohloh API Discussion

API key and opensource product?

Hello!

I'm thinking about adding Ohloh-integration to one well-known OSS-project.

After reading the documentation, it's still not clear to me: if I receive an API key, can I publish it? It's obvious that after publishing the API key I cannot guarantee that someone won't use it in their own application.

Peter Lemenkov almost 16 years ago

Hi Peter,

Yes, it's true, as the design currently stands, if you publish your API key then anyone can use it. Using only the API key, another user can only get read-only access to public Ohloh data.

In order to access private account data or to write data to Ohloh, you must use OAuth, which requires both a (public) API key and a private OAuth secret. You should never share your OAuth secret. This will prevent other users from using your API key to access private data or write changes to Ohloh.

Robin Luckey almost 16 years ago

Facts

I think that the question was more about the 1000 requests per day limit and the access to public read-only XML without the use of the API key (which, I think, is unfortunately impossible). Because, in the case where one of us is (Peter and I are...) developing open source or just public-use free software with a key in it, we have to resolve two problems in the app' conception:

  1. The 1000 requests limit would be quickly reached, 'cause even if we cache XML to reuse it on common requests (which could cause problems with data synchronization, to keep the XML up-to-date), any click of any user on any website/blog on which our plug-in/widget is present will count, even before our work is widely used (where L < 1000 in L = (averageUsersInWebsitesUsingOurPlugIn * numberOfWebsitesUsingOurPlugIn * averageClicksByAnyOfTheseWebsitesUsers)); as an example, seven websites with low traffic on them (<15 users), each of them having an average of between nine and ten clicks per user (which is very low), represent from 945 to 1050 XML accesses, depending on the click stats of average users. The only (unsatisfying, see below) solution I found was to not provide any key with the software, and to ask any user who wants to use it to open an Ohloh account and register a dummy project, in order to obtain their own key. And even with it, the 1000 limit's still here, and could, on famous sites, cause the problems described above.
  2. Any third person could steal our key, because we are sharing the source code, and even by obfuscating the code, the key will still be accessible (via Wireshark, as an example). Once again, the only solution is to ask users to open dummy accounts to have their own keys.

Current solutions

Now, considering that any person who wants to share any data on their site from Ohloh probably has an Ohloh account (else, why, and what to share?), it's not such a problem to ask users to set their own key in our plug-in (even if it will create a lot of dummy projects in Ohloh), but the 1000 requests limit will still be there. And the stolen key problem too.
So, the final solution is, to me, to not ask for any key for XML access. Or we'll have to parse your website HTML instead, which is not restricted.

Ideal solution

Disable the 1000 requests per day limit, maybe under certain conditions, if you are afraid of compulsive||unwanted use of API keys; and allow a key for personal use in any account (once again, under restrictions, if you're afraid of abuses).

Boris Le Ninivin almost 16 years ago

Hi bln,

We are happy to lift the API key limit if required, and have done so in the past. We do encourage people to use caching when possible, but if you develop a popular application we're more than happy to help out. Part of the reason for the limit is so that people will contact us first before surprising us with millions of hits.

It's true that you can't put your application's secret into the source code if you are distributing it. OAuth wasn't really intended for distributed code -- it was designed for use with web services, which allows secret data to exist where it is inaccessible to the end user.

So if you're distributing your code, your secret won't stay secret, and you shouldn't use OAuth. If your users are savvy and patient, it's probably OK to go ahead and instruct users to get an API key from Ohloh and configure the application to use their own key and secret.

It's also possible to simply log a user in, if they are willing to give you their username and password. We haven't formalized this in the documentation, but it is possible to post the login form and get a session cookie. Let me know if you need some specific help here; we haven't discussed this much internally, and we might have some things to sort out first.

Thanks,

Robin

Robin Luckey almost 16 years ago
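The two points the thread settles on, that a distributed application must not embed its own key or secret and that the 1000 requests/day quota is best stretched by caching, can be combined in one client wrapper. The code below is an added illustration, not Ohloh's SDK or either poster's plug-in: the end user supplies their own key through an environment variable, responses are cached and reused, and the per-key daily budget is tracked locally so the application degrades to stale data instead of overrunning the quota. The `fetch` transport, the `OHLOH_API_KEY` variable name and the URL layout are assumptions; `projected_daily_requests` is Boris's L formula from his post.

```python
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

DAILY_LIMIT = 1000  # per-key quota discussed in the thread


def projected_daily_requests(avg_users_per_site: int, n_sites: int, avg_clicks_per_user: int) -> int:
    """Boris's estimate L = averageUsers * numberOfWebsites * averageClicks (7 sites, 15 users, 9-10 clicks)."""
    return avg_users_per_site * n_sites * avg_clicks_per_user


@dataclass
class OhlohClient:
    api_key: str                     # supplied by the end user at run time; never shipped in the source
    fetch: Callable[[str], str]      # hypothetical transport: fetch(url) -> XML text
    ttl: float = 3600.0              # seconds a cached XML response is reused before re-fetching
    limit: int = DAILY_LIMIT
    base_url: str = "https://www.ohloh.net"   # assumed base; the key travels in the URL, so it is visible on the wire
    _cache: Dict[str, Tuple[float, str]] = field(default_factory=dict)
    _count: int = 0
    _day: int = field(default_factory=lambda: int(time.time() // 86400))

    @classmethod
    def from_env(cls, fetch: Callable[[str], str], var: str = "OHLOH_API_KEY") -> "OhlohClient":
        """Read the user's own key from the environment; the application carries no key of its own."""
        key = os.environ.get(var)
        if not key:
            raise RuntimeError(f"set {var} to your own Ohloh API key; none is bundled with this software")
        return cls(api_key=key, fetch=fetch)

    def get_xml(self, path: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        day = int(now // 86400)
        if day != self._day:                     # quota resets with each new day
            self._day, self._count = day, 0
        hit = self._cache.get(path)
        if hit and now - hit[0] < self.ttl:
            return hit[1]                        # fresh cache hit costs no quota
        if self._count >= self.limit:
            if hit:
                return hit[1]                    # over budget: serve stale data rather than fail
            raise RuntimeError("daily API quota exhausted and nothing cached for this path")
        self._count += 1
        xml = self.fetch(f"{self.base_url}{path}?api_key={self.api_key}")
        self._cache[path] = (now, xml)
        return xml
```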