0

Using the imageshack API I can upload images to imageshack but I have to use an API key to do that. I can create a POST form for the image upload to imageshack but the key has to be put in the form and that exposes the API key publicly. How can I upload images to imageshack without exposing my API key?

dknight
  • 1,243
  • 10
  • 23
  • You can ask the user to log in before send a request. On log in success, you generate a token (store it in database) and you send it with the request. On server side, if the token exists you process the request, if not, you send a json saying { :error => "Invalid token" } – Sebastien Jun 05 '12 at 08:10
  • I am uploading to imageshack and not to my server. That is where the trouble is. If I were uploading to my server, I could have followed your technique. – dknight Jun 05 '12 at 09:38

1 Answers1

1

I think the only way to do this properly is that the image is first POSTed to your OWN application by the user.

Then in your app you internally redirect this POST to ImageShack, where you can use your API key safely without anyone ever seeing it.

You can use something easy like RestClient to run the POST request from your back-end. You will need to store the image temporarily on your server, either in memory or on disk, for retransmission to ImageShack.

So:

  1. User sends image with POST to your server
  2. Your server receives the image in the POST request from the user
  3. Your server runs a POST with this image to ImageShack using your API key
  4. The POST request from step 1 returns successfully to the user
Casper
  • 33,403
  • 4
  • 84
  • 79
  • Yeah, I understand that by doing it in a 2 step way, I can do it easily; but I wanted a 1 step way of doing it. Before, I implement a 2 step way, I just wanted to make sure there is no 1 step way of doing it at all. – dknight Jun 05 '12 at 10:03
  • Ok I see. No I don't think the ImageShack API was ever even intended to be used in a 1-step process. You will have the user's browser ending up on the ImageShack server on a weird API 'page' that was only ever intended to be used as an API by back-ends. Something like PayPal for example uses encrypted POST parameters to kind of implement something like a 1-step process, but IS does not seem to provide a similar interface. – Casper Jun 05 '12 at 10:21