Nagesh Susarla's Blog - Latest Comments in Keeping secrets safe with YQL Storage

Re: Keeping secrets safe with YQL Storage

Linda Lovelace — Fri, 01 May 2015 13:17:14 -0000

The reason this is a top ten niagara tours from new york safe travel tip is obvious. The kids are our number one concern when it comes to traveling.

Re: Keeping secrets safe with YQL Storage

Jane Deas — Fri, 22 Jul 2011 07:28:34 -0000

This is nice YQL tutorial. Thanks nagesh for providing such a great post.

Re: Keeping secrets safe with YQL Storage

Tim Acheson — Wed, 06 Oct 2010 07:39:48 -0000

Thanks, Nagesh! This all works beautifully. I've learned some very useful details about using YQL. I blogged my usage of YQL, in case you're interested!

Halo Reach API demo -- this would not be possible without YQL:
http://www.timacheson.com/B...

Re: Keeping secrets safe with YQL Storage

Nagesh Susarla — Wed, 06 Oct 2010 02:16:30 -0000

Hi Tim,

That's indeed a very good question. Query aliases are only shortcuts. Besides that they do not prevent the user from seeing the actual URLs that you used in your query. The user of the alias can add a '&diagnostics=true' and see the entire URL that was used to make the call to the webservice.

Let me take the following example:

If I declared a query alias, such as http://query.yahooapis.com/v1/public/yql/nagesh/test2?foo=topstories which takes in a query parameter named 'foo' and the rest of the URL is hardcoded in my alias, I can simply append &diagnostics=true to see the following which gives away the URL that I used in this case.

<url execution-time="10" >http://rss.news.yahoo.com/r...

Using stored secrets going one step ahead by obsuring all URLs that appear in the diagnostics to look something like http://domain... thus ensuring that any secret gives are not divulged to the user.

Re: Keeping secrets safe with YQL Storage

Tim Acheson — Wed, 06 Oct 2010 01:58:36 -0000

Thanks, that's fantastic!

Is it enough to hide my API within a query alias? Or is YQL Storage the only way? If the latter is the case, can you explain why? It seems to me that, when the API key is in a query alias, other people can't see it. (E.g. if I set a hard-coded API key value in a query alias, with parameters for the other values, and then use the URL for that query alias. Then, the API key is not revealed in the URL.)

Re: Keeping secrets safe with YQL Storage

Nagesh Susarla — Tue, 05 Oct 2010 14:35:15 -0000

Hi Tim,

One way to accomplish this is by using the uritemplate table which lets you create arbitrary URLs from templates like the one you mention.

example:

select url from uritemplate where template='http://bungie.net/videos/{BungieAPIKey}/{user}/{page}' and BungieAPIKey='key' and user='foo' and page='bar'

Once you have the URL you can use the JSON table to curl the URL

select * from json where url in (select url from uritemplate where template='http://bungie.net/videos/{BungieAPIKey}/{user}/{page}' and BungieAPIKey='key' and user='foo' and page='bar')

Now once you have this working, lets look at what needs to be done to make the API key a secret. To do that you could have to create a store table entry which contains the following

"SET BungieAPIKey='secret' on uritemplate;"

Insert this into the yql.storage as described in the docs or the link and use the execute key that is returned to run your query.

http://developer.yahoo.com/...

The query doesn't need the api key anymore so you can run

select * from json where url in (select url from uritemplate where template='http://bungie.net/videos/{BungieAPIKey}/{user}/{page}' and user='foo' and page='bar')

Re: Keeping secrets safe with YQL Storage

Tim Acheson — Mon, 04 Oct 2010 05:37:11 -0000

Hi Nagesh, thanks, this is a useful tutorial, but it doesn't solve the biggest problem I have with needing to hide my API keys.

I have a YQL query which returns JSON from a web service URL:

SELECT
    * 
FROM
    json 
WHERE 
    url="http://bungie.net/videos/{BungieAPIKey}/{user}/{page}"

How can I use a YQL query to return the JSON from this URL, while making my API Key secret or less obvious? Is it impossible to do?

I want to keep my API key "{BungieAPIKey}" secret, or at least make it a parameter "@BungieAPIKey" so I can hide it slightly within a query alias.

I posted this question on the YDN/YQL forum, but I rarely get much of a response on the YDN forums.

Re: Keeping secrets safe with YQL Storage

ViolaBrown — Wed, 28 Jul 2010 07:29:10 -0000

Thanks for the information. Nothing is gonna break this lock. It is Unbreakable (like in the song by Michael Jackson which can be downloaded from http://www.mp3hounddog.com )!