Limited-access API?

crazyskeggy

25 Aug, 2014 05:56 PM

We are looking to use the Tender API in a bug-reporting system in our browser extension. Unfortunately, we have discovered that we would have to embed the API key of a supporter into our code to set a custom email, which means that anyone can access it using a browser's "view source" or "inspect element" links, and can therefore post, close and delete discussions willy-nilly.

As a regular user only has access to post as themselves (we want to be able to reply to these bug reports) we can't customise the email it's sent to if we were to use a non-supporter API key.

What would be the best way to go about this? (As we have 10 million users just on Chrome, running via a page on our server isn't the best option)

I await your response patiently (though I may bump if requested to by those of higher rank)

  1. 1 Posted by Julien on 25 Aug, 2014 06:33 PM

    Hi,

    The simplest option would definitely be to proxy the requests. The HTML for the page can be in the extension itself, and you only need to have a single page that receives the form POST and makes an API call. The POST can even be handled via AJAX in the extension, so you can have a loading indicator, etc.

    While I understand that a lot of users use adblock daily, there are not necessarily a lot that submit at the same time. You don't even need to use your own servers, you could easily set a simple Sinatra app on Heroku for example. I could write a simple one in a few minutes as an example.

    One other option would be to use email, though that shifts the problem somewhere else, as you would need to embed the info of a valid SMTP in the extension.

    Looking at your constraints, I would go the Heroku route. I've often used it to build simple scripts, hooks, etc. for Tender on a free account. And I'd be happy to help, depending on your language requirements.

    Let me know what you think.

    Cheers.

  2. Support Staff 2 Posted by brandi on 29 Aug, 2014 11:44 PM

    Hello,

    Checking back to see if you had any questions to Julien's reply. Let us know if you need further assistance.

    Thanks!
    Brandi

  3. 3 Posted by crazyskeggy on 30 Aug, 2014 11:31 AM

    Doesn't look like it - we're working on setting up our own proxy with PHP.

    Thanks for your help, both of you!
    #resolve

  4. Julien closed this discussion on 01 Sep, 2014 01:53 PM.
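
The proxy approach suggested in the first reply, as an added example (not code from this thread or from Tender): the server holds the supporter key and will only ever build one upstream call, "create discussion", from a whitelist of validated form fields. The environment variable names, the `X-Tender-Auth` header, the JSON field names and the length limits are assumptions to check against the Tender API documentation.

```ruby
require "json"
require "net/http"
require "uri"

# Only these form fields are forwarded; anything else the client sends is dropped.
ALLOWED = { "email" => 254, "title" => 200, "body" => 10_000 }.freeze # max lengths (assumed)
EMAIL_RE = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

class RejectedReport < StandardError; end

# Builds the single upstream call this proxy is willing to make: create a discussion.
# The client supplies no URL, method or key, so it cannot close or delete anything.
def build_upstream_request(form, env = ENV)
  key = env.fetch("TENDER_API_KEY")              # lives only on the server (assumed name)
  url = URI(env.fetch("TENDER_DISCUSSIONS_URL")) # assumed: the create-discussion endpoint
  raise RejectedReport, "upstream must be https" unless url.is_a?(URI::HTTPS)

  fields = ALLOWED.to_h do |name, max|
    value = form[name].to_s.strip
    raise RejectedReport, "#{name} missing" if value.empty?
    raise RejectedReport, "#{name} too long" if value.length > max
    [name, value]
  end
  raise RejectedReport, "bad email" unless fields["email"].match?(EMAIL_RE)

  req = Net::HTTP::Post.new(url)
  req["X-Tender-Auth"] = key                     # assumed header name
  req["Content-Type"] = "application/json"
  req.body = JSON.generate("author_email" => fields["email"],
                           "title" => fields["title"], "body" => fields["body"])
  [url, req]
end

# Sends the request; the extension gets back a bare status, never upstream detail.
def forward(form, env = ENV)
  url, req = build_upstream_request(form, env)
  res = Net::HTTP.start(url.host, url.port, use_ssl: true) { |http| http.request(req) }
  res.is_a?(Net::HTTPSuccess) ? 201 : 502
rescue RejectedReport
  422
end
```

Because the endpoint is still public, anyone can submit reports through it; per-client rate limiting in front of `forward` bounds that to spam rather than loss of the key.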
