I would like to be able to make a http request to the short url service to get a short URL. Many short URL services have a special REST API to generate shortened URLs. (e.g. bit.ly/shorten?url=http://www.example.com returns a short URL for example.com) I would love to see the same capability in the shorten module. It would effectively make any Drupal installation a functional short URL service.
If this were implemented, there might be a need for some sort of basic authentication or a customizable path for the request, so that a person can obfuscate things enough to keep passers-by from making their own URLs. (e.g. example.com/shorten/abc1234?url=http://foo.bar)
This may be more appropriately a function of the short URL module, so I am cross-posting this request there.
| Comment | File | Size | Author |
|---|---|---|---|
| #8 | shorturl_1.2_rest.patch | 2.58 KB | mauritsl |
| #5 | shorturl_rest.patch | 2.67 KB | mauritsl |
Comments
Comment #1
irakli commentedImplementing this is not a problem, at all. The key is to come up with a workflow that is both user-friendly and secure.
Bit.ly does not put much security on new URL creation (at least nothing obvious, there may be too-many-from-same-IP protection), which raises concerns about DDOS attacks?
Comment #2
iNik commentedSecurity-wise, I can think of a few ways to go about this:
No matter what, it should be configurable. I can't imagine that everyone would want to open up this sort of potential security hole on their system.
As with bit.ly's API, what seems to me the best way to handle it is to require a Drupal user's account information. (e.g. http://site.com/shorturl?u=foo&p=bar&url=...) This would continue to limit the short URL service's abilities based on user permissions, which is valuable. (And you could always give anonymous users the right to create short URLs if you want to launch a Drupal-based bit.ly -- goodness help you!)
As for DDOS, I can't say I'm an expert on this, but throttling requests from a single IP to a certain number makes good sense. Again, configurably. But I have to wonder whether that's the module's problem, given that so many other parts of Drupal are susceptible to DDoS attacks -- that's more of a firewall-level issue.
Linking it in with any of the existing anti-spam modules/services (akismet, mollom, etc...) would also be a great way to increase security. Eliminate requests from known spammers or to links to spam/phishing websites. But simply requiring authentication would go a long way to protect against most threats. I don't see this as being used to create a bit.ly clone, but rather to provide branded URL shortening for an organization or individual.
Comment #3
christefano commentedThis feature would be much appreciated. It's hard to use this module without a bookmarklet.
In my opinion, throttling requests and preventing abuse is way beyond the scope of this module. Drupal already has access rules and CAPTCHA modules and Drupal administrators can employ other techniques as well, like server-side logging and soft bans.
Comment #4
iNik commentedAny chance of this being implemented? As a non-coder, I'm afraid this is beyond my ability...
Comment #5
mauritsl commentedI wrote an implementation for my own usage. The patch attached provides a REST API method which is very similar to the shorten API method from bit.ly, documented here:
http://code.google.com/p/bitly-api/wiki/ApiDocumentation#/v3/shorten
My implementation runs on /v1/shorten and requires the arguments:
username: username of Drupal account
password: password (plaintext)
uri: long url to be shortened
format: "json", "xml" or "txt" (optional, defaults to "json")
The response codes can be:
500: Missing username/password/uri argument
500: Invalid URI
401: Invalid credentials
403: Permission denied
200: OK
In case of 200, the respones includes the "url" and "long_url" fields.
The username and password are checked against the Drupal users. The Drupal user must have the "use shorturl" permission (this permission is new, since shorturl doesn't use permissions yet).
You can only use the GET method now. Drupal clears the values in $_POST, making the implementation for POST a bit difficult.
After applying this patch (and running update.php to force menu rebuild) you may try the following examples:
/v1/shorten?username=USERNAME&password=PASSWORD&uri=http://example.com/
/v1/shorten?username=USERNAME&password=PASSWORD&uri=http://example.com/&format=xml
/v1/shorten?username=USERNAME&password=PASSWORD&uri=http://example.com/&format=txt
There is no limit on the number of calls from a single IP or user. It's not a complete and secure implementation to run as a public service. But in my case I needed this for use within another application (which has it's own user with only the "use shorturl" permission), which is just fine.
I will suggest to commit this to CVS (after reviewing of couse) this way, or maybe in a separate module, but with adding a note somewhere that this feature is not intended for public usage.
Comment #6
christefano commentedAdding a keyword to the title to make this issue easier to find.
Comment #7
mgiffordsub
Comment #8
mauritsl commentedRerolled patch for version 1.2
Comment #9
irakli commented@mauritsl,
looks great. Many thanks. I am going to try to commit this as soon as I can test. If somebody else can help with testing, that would be awesome, of course.
Comment #10
mably commentedThis issue was filed against the previous Drupal 6/7 module that used this project namespace.
The namespace has been taken over and the module has been replaced by a completely new and unrelated project for Drupal 10/11.
The original code remains available in the 6.x-1.x branch.
Closing this issue as it no longer applies to the current module.