AJAX - The Complete Reference


PART III


Chapter 10: Web Services and Beyond


As we show here:

// The proxy at ajaxref.com forwards the query string it receives to Flickr.
// Note that the API key travels in the client-side script, so anyone who views
// the page source can read it.
var url = "http://ajaxref.com/flickprox";
var flickrMethod = "flickr.photos.search";
var flickrAPIKey = "XXXX-GET-YOUR-OWN-KEY-XXXX";
var payload = "?method=" + flickrMethod + "&api_key=" + flickrAPIKey +
              "&safe_search=1&per_page=10&content_type=1&";
// searchterm holds the user's query (read from the form elsewhere in the example);
// it is appended to the query string, not to the proxy URL itself
payload += "text=" + encodeURIComponent(searchterm);

var options = { method: "GET",
                payload: payload,
                onSuccess: handleResponse,   // callback defined elsewhere in the example
                statusIndicator: { progress: { type: "text", text: "Searching...",
                                               target: "results" } } };
AjaxTCR.comm.sendRequest(url, options);

and it passes it along to the Flickr site and returns the response packet back to us.
It should be obvious that this approach leaves the URL redirection proxy open to being
abused, but only for that specific site, which is not as bad as leaving it wide open for
anything. We also note that the proxy will forward requests carrying any API key, not just
ours, and that our own key is exposed in the JavaScript, which is likely not appropriate to
disclose. A better solution would be to create a rewrite rule on the server that hides some
of these details in the rewrite and then passes the request on in proxy fashion. Here is a
snippet from an apache.config file that would do this for our example:

RewriteRule ^/flickrprox http://api.flickr.com/services/rest/?method=flickr.photos.search&api_key=xxx-YOUR-API-KEY-HERE-xxx&safe_search=1&per_page=10&content_type=1 [QSA,P]

ProxyRequests Off
<Proxy *>
  Order deny,allow
  Allow from all
</Proxy>
ProxyPass /flickrprox http://api.flickr.com/services/rest

With this rule in place we do not have to expose as many details in the source as seen
here. You could, of course, write the rule so that it only adds the API key on the server
side, but we show the example with many variables so you can see that it is possible to
perform quite complex rewrites if you like.
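The rewrite rule above pins the method, key and search options on the server and lets the browser supply only the search text. The following is an added example (not code from the book or from the AjaxTCR library) that expresses that same server-side policy as a plain function, so it can be unit-tested without running Apache. It assumes the chapter's endpoint, path and parameter names, and uses a placeholder in place of a real API key; in a deployment the key would be read from server-side configuration.

```javascript
// Added example: the server-side half of the "hide the key in the rewrite" idea
// as a testable function. Assumptions: upstream endpoint and parameter names are
// the ones the chapter uses; the key below is a placeholder, never a real key.

const UPSTREAM = "http://api.flickr.com/services/rest/";   // the only allowed target
const SERVER_API_KEY = "xxx-YOUR-API-KEY-HERE-xxx";        // placeholder; lives only on the server

// Parameters the proxy pins. The client cannot set or override any of these,
// which is what stops a caller from swapping in their own key or method.
const PINNED = {
  method: "flickr.photos.search",
  api_key: SERVER_API_KEY,
  safe_search: "1",
  per_page: "10",
  content_type: "1",
};

// The only parameter the browser is allowed to supply.
const CLIENT_ALLOWED = new Set(["text"]);

// Build the upstream URL for a client request such as "/flickrprox?text=cats".
// Throws on anything outside this narrow contract: wrong path, unexpected
// parameters, or missing/oversized search text. Because the target host is a
// constant, the proxy can never be used as a relay to some other site.
function buildUpstreamUrl(clientPathAndQuery) {
  const req = new URL(clientPathAndQuery, "http://localhost");
  if (req.pathname !== "/flickrprox") {
    throw new Error("not a proxied path: " + req.pathname);
  }
  for (const name of req.searchParams.keys()) {
    if (!CLIENT_ALLOWED.has(name)) {
      throw new Error("parameter not allowed from client: " + name);
    }
  }
  const text = req.searchParams.get("text");
  if (text === null || text.length === 0 || text.length > 200) {
    throw new Error("missing or oversized text parameter");
  }
  const out = new URL(UPSTREAM);
  for (const [k, v] of Object.entries(PINNED)) {
    out.searchParams.set(k, v);          // server-controlled values first
  }
  out.searchParams.set("text", text);    // then the single client-controlled value
  return out.toString();
}

// What the browser's script now has to know: just the proxy path and the
// search text. Compare with the first snippet in the chapter, which carried
// the method and the API key in the page source.
function clientRequestUrl(searchterm) {
  const u = new URL("http://ajaxref.com/flickrprox");
  u.searchParams.set("text", searchterm);
  return u.toString();
}
```

The two functions together show the boundary the rewrite rule draws: everything that would be embarrassing to disclose is on the server side of `buildUpstreamUrl`, and the rejection of unknown parameters is what keeps the proxy from being reused with someone else's key or options.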

NOTE URL rewriting and proxying on a Web server can involve some seriously arcane Web
knowledge. We have only skimmed the surface of this topic to show you the possibility of using
the approach. If this approach seems appealing to you, spend some time getting to know
mod_rewrite or your server's equivalent before approaching the kind of example we presented. It
will save you significant frustration.

A working version of the URL rewrite-proxy approach can be found at
http://ajaxref.com/ch10/urlrewriteproxyflickr.html and is shown in action in Figure 10-2.
Notice in the figure that the network trace clearly shows you do not have a chance on the
client side to see the URL rewriting with the API key in it, and thus the secret is protected.