RedHanded

Backpack Accepts YAML Payload

by why in inspect

The Backpack Weblog just posted a complete Backpack API for Ruby [mirror] which is terrifically straightforward. The meat of the code is the first twenty lines, which handle serialization to YAML, posting to the server and deserialization from XML. Ha! YAML AND XML! (Who signed the peace accord without me?!)

I’m curious about this X-POST_DATA_FORMAT header that’s being sent. What about Content-Type: application/yaml? It’s also interesting that YAML isn’t readily documented as a payload on the API page. I hope I can rectify this situation once my Python and Perl assistants pass their dumping Syck extensions back up to me.

All actions are done through POST, presumably to allow authentication for each. I’d really like to hear from David or Jamis why they didn’t use authentication headers. And, you know, how this all came together.

Note: You’ll probably want to use my corrected mirrored version above. The pasted script forms URLs like username.honey.i, which is an awesome domain, but too awesome methinks.

Update #2: A new API script uses SSL.

said on 17 May 2005 at 15:01

_why, as usual, you raise some great points. I’ll talk with David about your suggestions, unless he beats me to the punch and posts here before then. :)

said on 17 May 2005 at 16:12

I’ve updated the link to point to http://rafb.net/paste/results/DnsaHX10.html, which now points to the actual service—not my local alias for the development version ;)

What would the content-type be for query string, which is also allowed? I do kinda like just to reuse an existing header for this.

Regarding authentication headers, are you thinking something like X-WSSE? In any case, the methods that only GET stuff can actually also just be retrieved like that. Only methods that change stuff are required to be POST. In the Ruby wrapper, it’s just all POST because I didn’t bother to make the distinction. With all this items/create and items/destroy stuff, we can’t really claim to be RESTifarian anyway, so :)

said on 17 May 2005 at 16:34

You can’t use application/yaml, because it’s not listed with the IANA.

application/x-yaml is okay. Though personally I don’t know what’s so wrong with text/x-yaml—I think everyone thinks application/ is the new cool media type, because nothing but machines is clever enough to understand their special code, unlike text/html which is so readable. YAML is so wanting to be text/x-yaml, why deny it this glorious, if slightly retro, media type?

said on 17 May 2005 at 16:49

I like text/x-yaml. YAML is more humanly readable than XML and XML gets to play in text/xml.

said on 17 May 2005 at 17:40

Yay, that’s right. text/x-yaml. This was discussed on Yaml-Core awhile ago and that was exactly the one. Ian’s on it.

David: Okay, good clear-ups. Yeah, I’m just wondering why you went with authentication in the payload rather than something like X-WSSE or digest or something. So when you say, “In any case, the methods that only GET stuff can actually also just be retrieved like that,” how do you authenticate on a GET?

said on 17 May 2005 at 17:54

Just pass in the token as part of the query string. ?token=123. And yeah, we could do header-based auths too. I’m not really decided that heavily on pro/con. I do like the WSSE setup and getting better security without SSL.
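
The X-WSSE option raised in the comments above, sketched as an added example that is not part of the original post or thread and is not Backpack's code. It assumes the commonly documented UsernameToken convention, PasswordDigest = Base64(SHA1(nonce + created + secret)); the names `wsse_header` and `WsseVerifier`, the 300-second window and the in-memory secret store are hypothetical.

```ruby
require 'digest/sha1'
require 'base64'
require 'securerandom'
require 'time'

# Client: build an X-WSSE UsernameToken value; the secret itself is never sent.
def wsse_header(user, secret, nonce: SecureRandom.random_bytes(16),
                created: Time.now.utc.iso8601)
  digest = Base64.strict_encode64(Digest::SHA1.digest(nonce.b + created.b + secret.b))
  %(UsernameToken Username="#{user}", PasswordDigest="#{digest}", ) +
    %(Nonce="#{Base64.strict_encode64(nonce)}", Created="#{created}")
end

# Server: recompute the digest and reject stale or replayed tokens.
class WsseVerifier
  MAX_AGE = 300 # seconds of clock skew/age tolerated (assumed window)

  def initialize(secrets)
    @secrets = secrets # username => shared secret (hypothetical store)
    @seen = {}         # nonce => time accepted, for replay detection
  end

  def verify(header, now: Time.now.utc)
    f = header.scan(/(\w+)="([^"]*)"/).to_h
    secret = @secrets[f['Username']]
    return :unknown_user unless secret
    begin
      created = Time.iso8601(f['Created'].to_s)
      nonce = Base64.strict_decode64(f['Nonce'].to_s)
    rescue ArgumentError
      return :malformed
    end
    return :stale if (now - created).abs > MAX_AGE
    expected = Base64.strict_encode64(Digest::SHA1.digest(nonce + f['Created'].b + secret.b))
    return :bad_digest unless constant_time_eq?(expected, f['PasswordDigest'].to_s)
    # Keep nonces for 2x the window so a future-dated token cannot outlive its cache entry.
    @seen.delete_if { |_, seen_at| now - seen_at > 2 * MAX_AGE }
    return :replayed if @seen.key?(nonce)
    @seen[nonce] = now
    :ok
  end

  private

  # Compare without leaking the mismatch position through timing.
  def constant_time_eq?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Unlike a `?token=123` query string, a captured header is rejected once its nonce has been seen or its timestamp ages out. The server has to hold the shared secret in recoverable form to recompute the digest, and the request body itself is still unprotected without SSL.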
