samwilson / phpflickr

A PHP wrapper for the Flickr API, including OAuth.
https://packagist.org/packages/samwilson/phpflickr
GNU General Public License v2.0

Add User Agent #59

Closed edent closed 1 year ago

edent commented 1 year ago

Flickr will soon start to require a user agent - see https://www.flickr.com/groups/api/discuss/72157721918374433/

It doesn't look like this library has one. Would it be possible to set a default one, or a custom one?

smcgivern commented 1 year ago

It looks like this uses the OAuth CurlClient: https://github.com/samwilson/phpflickr/blob/a25e40ade587f51793a51571b9a3c13e129b8534/src/PhpFlickr.php#L257

That in turn looks like it will set a User-Agent header if provided: https://github.com/carlos-mg89/PHPoAuthLib/blob/b267f5dd252750b247cf93d37ae6acc9c5734d14/src/OAuth/Common/Http/Client/CurlClient.php#L109

smcgivern commented 1 year ago

Actually, that seems to have a default value: https://github.com/carlos-mg89/PHPoAuthLib/blob/b267f5dd252750b247cf93d37ae6acc9c5734d14/src/OAuth/Common/Http/Client/AbstractClient.php#L25-L33

So this should already be fine? Although it would be good to set a more specific UA, of course.

I threw in a curl_setopt($ch, CURLOPT_VERBOSE, true); into the CurlClient and confirmed that there is one:

Host: api.flickr.com
user-agent: PHPoAuthLib
accept: */*
authorization: [snip]
content-type: application/x-www-form-urlencoded
connection: close
content-length: 64
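
A check like the one described in the comment above can be scripted. This is an added example, not code from the thread or from PhpFlickr; the helper name `auditRequestHeaders` and the list of generic values are assumptions, and the sample capture is constructed. It reports whether a captured request carries a specific User-Agent and redacts credential headers so the dump can be pasted into an issue safely.

```php
<?php
declare(strict_types=1);

// Library-default User-Agent values that do not identify the calling application.
// "PHPoAuthLib" is the value seen in the capture above; extend the list as needed.
const GENERIC_USER_AGENTS = ['PHPoAuthLib'];

/**
 * Audit a captured outgoing request header block (hypothetical helper).
 * Returns the User-Agent verdict plus a copy that is safe to share.
 */
function auditRequestHeaders(string $raw): array
{
    $userAgent = null;
    $redacted = [];
    foreach (preg_split('/\r\n|\n|\r/', trim($raw)) as $line) {
        // The request line and anything that is not "name: value" passes through unchanged.
        if (!preg_match('/^([A-Za-z0-9-]+):[ \t]*(.*)$/', $line, $m)) {
            $redacted[] = $line;
            continue;
        }
        [$name, $value] = [strtolower($m[1]), trim($m[2])];
        if ($name === 'user-agent') {
            $userAgent = $value;
        }
        // Header names are case-insensitive; never echo credentials into logs or issues.
        if (in_array($name, ['authorization', 'proxy-authorization', 'cookie'], true)) {
            $value = '[redacted]';
        }
        $redacted[] = $m[1] . ': ' . $value;
    }
    if ($userAgent === null || $userAgent === '') {
        $verdict = 'missing';
    } elseif (in_array($userAgent, GENERIC_USER_AGENTS, true)) {
        $verdict = 'generic';
    } else {
        $verdict = 'specific';
    }
    return ['verdict' => $verdict, 'user_agent' => $userAgent, 'redacted' => implode("\n", $redacted)];
}

// Constructed sample modelled on the capture above; the OAuth value is fake.
$capture = "POST /services/rest HTTP/1.1\r\nHost: api.flickr.com\r\nuser-agent: PHPoAuthLib\r\n"
    . "accept: */*\r\nauthorization: OAuth oauth_token=\"FAKE\"\r\nconnection: close\r\n";

$result = auditRequestHeaders($capture);
echo $result['verdict'], "\n", $result['redacted'], "\n";
```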

samwilson commented 1 year ago

Thanks for opening this; I'm just catching up on the forum thread. I must say I'm slightly surprised, I thought everyone was moving away from trusting User Agent strings for anything. I guess they just want some info.

I think adding PhpFlickr::setUserAgent(string $userAgent): void; would be good. And defaulting to a value of User-Agent: PhpFlickr/5.1.0. Does that sound okay?

You're right, sending PHPoAuthLib is not a great look anyway, regardless of what Flickr requires!

samwilson commented 1 year ago

I added the GitHub URL to it as well, for better identification (because there are a few different forks of PhpFlickr).

smcgivern commented 1 year ago

Thanks for creating that PR, @samwilson!

> Thanks for opening this; I'm just catching up on the forum thread. I must say I'm slightly surprised, I thought everyone was moving away from trusting User Agent strings for anything. I guess they just want some info.

I was surprised too. The impression I got from this comment: https://www.flickr.com/groups/51035612836@N01/discuss/72157721918374433/72157721918386827

> The original intent of this requiring a User Agent wasn't targeted for API users since we have the authentication and registration. It was intended to block malicious traffic that has been hitting our site for many years now and we have just been absorbing it. However, it's making a noticeable impact on our resources and when we block it from coming in further into our stack, so that is why we are implementing this change upstream.

is that they are using this as a very cheap mechanism to handle blocking / rate limiting at the edge, as actually looking up the API key can't be done statelessly. Although I would have thought that looking for an authentication header would have worked just as well for that purpose?

samwilson commented 1 year ago

The new setUserAgent is now released in 5.1.0.