ubuntu-phone team mailing list archive

Re: Questions regarding the App Showdown

On Thu, Aug 8, 2013 at 4:50 PM, Michael Spencer <spencers1993@xxxxxxxxx> wrote:

> I'm considering allowing the app to sync with a backend web service. Is
> this something I would use Online Accounts for,


Depends on which service you're talking about, I suppose.


> and where can I find out how to use it?


That depends. Is the service already supported by UOA? If not, you'll have
to write a plugin for it. I once described how to do that here:

http://askubuntu.com/questions/279971/how-to-add-support-for-new-services-to-friends/280389#280389

(with examples, and a lot of extra info specifically about social networks
that probably isn't relevant for you)

If UOA already has a plugin, it's not too hard to just connect to UOA and
ask for the auth token, although I'm not familiar with how this is done in
QML; I've only ever done it in python, personally.


> Also, the service in mind requires an API key by the developer. What is
> the recommended procedure for using API keys in an Ubuntu Touch app that is
> open source (GPLv3)?
>

Yes, this is a tricky issue. You can never truly hide the API key in an
open source application. My understanding of the "best practices" is to do
something like this:

1. Go to the web service and register two different API keys, one of them
your "development" key and one your "production" key (make sure to name the
keys clearly).
2. Take the "development" key and feel free to hard code that right into
your source tree and commit it publicly to source control. Leave it this
way as you develop and test the features of your application.
3. Set up your build system such that it allows you to override the API key
at compile time. How this is done depends on which build system you're
using; unfortunately I don't really know how to do it with qmake, but if
you're using autotools you'd add a ./configure option that takes a new API
key as an argument and then compiles it into your application binary
without saving it anywhere publicly.
4. Traditionally the packaging for your application is stored in a separate
source tree (although this is becoming less and less true over time...),
and then in your debian/rules you'd add an override_dh_auto_configure line
in order to specify what API key to build into the application when the
package is being compiled.

This way if somebody just downloads your main source tree and builds it,
they end up using your "development" API key, and if they start abusing the
key it shouldn't impact your real live users. The "production" key is still
stored in a public source tree, it's just hopefully slightly more obscure /
more effort to find than the main source tree.

This is at least how it's done for the API keys used in Ubuntu Online
Accounts.
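
One way to implement the compile-time override from step 3, as an added example that is not part of the original message or of Ubuntu Online Accounts: a hand-written shell stand-in for the ./configure option, plus a check that the production key has not ended up in the main source tree. The function names, the `--with-api-key` option name, the accepted key character set and both key values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Development key committed with the source (constructed placeholder, not a real key).
DEV_API_KEY="dev-0000-constructed-placeholder"

# write_config OUTFILE [--with-api-key=KEY]
# Writes a generated header holding the key. OUTFILE belongs in the build
# directory and should be ignored by source control. Without the option,
# the development key is used, so a plain checkout still builds.
write_config() {
    out=$1; shift
    key=$DEV_API_KEY
    for arg in "$@"; do
        case $arg in
            --with-api-key=*) key=${arg#--with-api-key=} ;;
            *) echo "unknown option: $arg" >&2; return 2 ;;
        esac
    done
    # The key is pasted into a C string literal, so accept only a
    # conservative character set (assumption: alphanumerics plus . _ -).
    case $key in
        ''|*[!A-Za-z0-9._-]*) echo "invalid API key" >&2; return 1 ;;
    esac
    # Subshell keeps the restrictive umask from leaking into the caller.
    ( umask 077
      printf '/* generated at build time, do not commit */\n#define API_KEY "%s"\n' \
          "$key" > "$out" )
}

# key_in_tree KEY DIR
# Exit status 0 if KEY appears in any file under DIR. Run it against the main
# source tree before publishing to confirm the production key is not in it.
key_in_tree() {
    grep -rqF -- "$1" "$2"
}
```

In a packaging tree, the same option would be passed from the override_dh_auto_configure line described in step 4.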
