Developer discussion for API 20191022

MStrecke
Posts: 3
Joined: Sat May 29, 2021 12:40 am

Re: Developer discussion for API 20191022

Post by MStrecke »

The new API protects image downloads with a token.

Using a token is - in my opinion - not a good idea because the resulting link will only be valid for the lifetime of that token.

However the device generating the EPG (i.e. running the grabber and retrieving the token) is usually not the same device that imports (and displays) the xmltv information. The static link in that imported file will become stale within days... much faster than the lifetime of the schedule.

Alternatives could be the use of name and hashed password in that link, or a special long-lived token for images.

For me this is currently a hypothetical problem, as my device (EyeTV) does not show any pictures, but other devices do (e.g. MythTV, as I have been told).

Mike
rkulagow
SD Staff
Posts: 940
Joined: Tue Aug 14, 2007 3:15 pm

Re: Developer discussion for API 20191022

Post by rkulagow »

I've temporarily shutdown 20191022 while finishing some changes to API20141201. I will be updating 20191022 during the summer, when I have additional time.
rmeden
SD Board Member
Posts: 1608
Joined: Tue Aug 14, 2007 2:31 pm
Location: Cedar Hill, TX
Contact:

Re: Developer discussion for API 20191022

Post by rmeden »

MStrecke wrote:
Thu Jun 03, 2021 6:13 am
Alternatives could be the use of name and hashed password in that link, or a special long-lived token for images.
We certainly don't want to use a username/password hash.. that could be bad.

One problem we're fighting right now is lots of Amazon data charges due to member(s) sharing image links with *lots* of people. (everyone isn't honest). Any long-term token would have the same problem we have now with folks sharing links.

We're leaning towards only allowing image downloads from IPs that have recently signed in. That could break folks with VPNs, but many of those folks are probably stealing video content (and our guide data!). All of the pirate feeds suggest people use VPNs.
gtb
Posts: 113
Joined: Thu Oct 02, 2014 2:07 pm

Re: Developer discussion for API 20191022

Post by gtb »

rmeden wrote:
Wed Jun 09, 2021 4:18 pm
[One problem we're fighting right now is lots of Amazon data charges due to member(s) sharing image links with *lots* of people. (everyone isn't honest).
People are not being honest? Say it ain't so, Robert, say it ain't so.......
Any long-term token would have the same problem we have now with folks sharing links.
As I recall, AWS can be asked to provide a unique time limited authentication token (I am probably mis-remembering the name, but temporary security credentials rings a bell), that could be returned in the provided image URLs themselves, or with it being returned at every new authentication (if it was in the image URL itself that would invalidate the unchanged data caching) that the app would need to append to the actual S3 request and could be validated by AWS, so the use would (at least) be time limited. It might not cut down on the sharing, but it should be able to provide a record of which tokens were being used in interesting ways if you turn up the access logging.

FD: I have never used temporary security credentials in this way, so I would likely walk into an AWS Loft (when they reopen) and ask one of the experts at the desk to make sure I understand the details and implications.

In any case, we understand the problem you are trying to solve, but hope that whatever solution decided upon will not unduly impact existing apps (while downloading all the channel icons to a local file cache every session might be achievable, downloading all the possible metadata images to have them available in a local file cache would mean downloading many many gigabytes every sessions because you don't know which will be wanted later).

Thanks for the updates.
Post Reply