Sparkle

How to customize HTTP request?

Asked by abb

Hello,

First of all, I know about the delegate method, allowing to add some custom parameter into the request. But it looks like this is not what I'd like to have. I'd like to send some additional custom parameter, which is generated automatically. User should not see this parameter and none of extra dialogs should appear. Can you suggest a solution for that?

Also it's not clear for me, what are arrays in the delegate method. How many parameters they can contain? I've understood it from your description, that only one parameter is allowed. How to send more parameters?

Thanks in advance.

-Alex

Question information

Language:
English Edit question
Status:
Answered
For:
Sparkle Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:
Revision history for this message
Andy Matuschak (andymatuschak) said : 		#1

Sparkle does not allow you to send information without letting the user see it. You would have to create a custom build of Sparkle to do that.

The delegate method's format is a list of dictionaries, where each dictionary is a parameter. The parameter's dictionary is specified by four keys: key, value, displayKey, and displayValue, where the latter two are "human-readable" versions of the former two.

Revision history for this message
abb (openworld) said : 		#2

OK, I'll try to open my cards. Really I'd like to have an authorization like "Reg Code" + "Hardware ID". I can't use server-side authorization, because PHP Authentication doesn't work there. Only authentication by .htaccess can be applied. But (AFAIK) .htaccess uses a fixed authentication data. I'd like to use personal authorization.

My idea is the next. Sparkle shows the input field for reg code with the information (if any) earlier saved into the application preferencies. But as for Hardware ID string, user must have no ability to change it or even to see it. At least he/she may not change this line. So, at least this field should be readonly text field.

I can give the code for Hardware ID calculation, though I'd prefer to provide it, as a framework. Please let me know if you can upgrade your module, sending system information, by this feature. I.e a special extra parameter like hwid=XXXXXXXX-XXXX will be added to parameter set, which is sent at present, if software author used HardwareID framework. Though I dont know how to detect framework presence/absence. Probably you need to add a special delegate method for that. You could restrict Hardware ID information by the format, shown above to protect users from some underground information withdrawing. Hope you agree that the line, pointed above, where last four X's are CRC16 from the previous eight, can't contain any secure information like password.

What you'll say?

Revision history for this message
Andy Matuschak (andymatuschak) said : 		#3

I'm afraid I still don't understand what this is for. Are you trying to add server-side protection to your updates such that only registered users have access?

I don't think that's a very good idea. In trying to stop piracy, there's two tactics: you can try to stop people from *getting* your app, or you can try to stop people from being able to *use* your app unless they're authorized. The former is what everyone used to do, but with the advent of the internet, it became incredibly ineffective, and everyone seems to have moved to the latter. I suggest that you'd have better security with less work if you did the same.

If you're trying to get a unique ID for each user so you can cross-reference statistics, see https://bugs.launchpad.net/sparkle/+bug/251021 and the relevant (though outdated) branch: https://code.edge.launchpad.net/~tcurdt/sparkle/devel.

In either case, I don't see why you couldn't accomplish what you describe in your comment using the delegate method. Why do you care if the user sees this ID, if it doesn't contain any sensitive information?

Can you help with this problem?

Provide an answer of your own, or ask abb for more information if necessary.

To post a message you must log in.