The Maker Channel Action doesn't support authenticated requests, at least anything beyond something you could send in the URL or body of the message. We do this to prevent people from using it to spoof requests to…
Not exactly sure what you mean by long-polling in this context. Do you mean a client making calls to the API at regular timed intervals to check the status? Or do you mean the server making calls to an endpoint URI when…
Hey azdle, thanks for the question and being honest. Do you mind me asking who you work for? Just curious more than anything. To answer your questions about the alert code, yes it runs in a sandbox, but we also parse it…
Yeah it's something that is browser dependent. I wouldn't call it a bug, but it is an annoyance. It's a decision we had to make in order to keep Freeboards secure for customers who don't want their data to be seen. But…
Our core focus is read-only at the moment, but yes, command and control has been very much on our mind for a while and I think is going to be a next logical step. Technically you could implement C&C with a plugin right…
Yeah it's 100% client side.
Check the repository again. I just updated the Readme.md to add some more docs on loading and creating plugins. Let me know if this helps. Thanks!
donatj, I would expect that both of those would work, but I can check into adding this as a feature. A lot of times this is actually an issue with CORS. The API would need to add a CORS header for freeboard.io. Or if…
Will do mate.
Hah! Never thought about it, but you are so right. HTTP is actually an M2M protocol at heart and is by far the most prevalent on the planet...
Right now there is nothing to protect because the API is inherently open (on purpose to make it easy). But next week we will be introducing a security token mechanism to be able to "lock" machines. In this case HTTPS…
Thanks for the feedback! To be clear, the node.js library is just a client-side library, so it should only be technically running on a single machine in most cases. Also, we only use socket.io for real-time pubsub, but…
So let's not a call it a security issue then. Let's call it an "it's too easy to delete" issue. And if that's the case, then that's what we're going for— easy. Remember, if you were truly protecting something that was…
Yes and if I were a hacker, I could do the same thing with curl. Either way the only person who's likely to do it is someone who is technically savvy.
Seriously? Look at the HTTP protocol and tell me you really believe that. Their way: DELETE /something HTTP/1.1 My way: GET /delete/something HTTP/1.1 Do you really think one is more secure than the other?
Yes this is by design to make it easy. Being able to lock things to make them private is an upcoming feature. No promises, but probably will be available this coming week.
Yeah that's pretty much it. We're not claiming anything earth shattering or new here— just something that is dead simple, and works.
Correct. Damned be the HTTP specs and REST because they are such a pain in the ass :) I built HAPI precisely because the current standards only work in a world where everyone knows how and enjoys using curl. I think you…
Agreed, in the code-readability sense it's a little on the strange side, but I wouldn't call it completely nonsense either. My thinking behind the design was that developers are a lot easier to deal with than…
It might seem like it, but it's actually not that different from a lot of REST APIs I know of. Most REST APIs return a status (in our case "this":"succeeded"), and some sort of wrapper for the actual data (in our case…
Private machines are coming soon...
Basically any device or thing that has an internet connection can publish information about itself so that it can be consumed externally. For example if you had a BeagleBone microprocessor monitoring temperatures and…
You bet, that would also be part of the paid plan.
No promises yet, but we plan on offering paid plans that could offer SLAs on latency. Although I will say we architected it from the get-go to be high throughput and low latency— it's all using redis in-memory on the…
The idea is to keep the basic platform free, but to charge to make devices private (ie writeable and readable with key authentication). Similar to the github model...
The Maker Channel Action doesn't support authenticated requests, at least anything beyond something you could send in the URL or body of the message. We do this to prevent people from using it to spoof requests to…
Not exactly sure what you mean by long-polling in this context. Do you mean a client making calls to the API at regular timed intervals to check the status? Or do you mean the server making calls to an endpoint URI when…
Hey azdle, thanks for the question and being honest. Do you mind me asking who you work for? Just curious more than anything. To answer your questions about the alert code, yes it runs in a sandbox, but we also parse it…
Yeah it's something that is browser dependent. I wouldn't call it a bug, but it is an annoyance. It's a decision we had to make in order to keep Freeboards secure for customers who don't want their data to be seen. But…
Our core focus is read-only at the moment, but yes, command and control has been very much on our mind for a while and I think is going to be a next logical step. Technically you could implement C&C with a plugin right…
Yeah it's 100% client side.
Check the repository again. I just updated the Readme.md to add some more docs on loading and creating plugins. Let me know if this helps. Thanks!
donatj, I would expect that both of those would work, but I can check into adding this as a feature. A lot of times this is actually an issue with CORS. The API would need to add a CORS header for freeboard.io. Or if…
Will do mate.
Hah! Never thought about it, but you are so right. HTTP is actually an M2M protocol at heart and is by far the most prevalent on the planet...
Right now there is nothing to protect because the API is inherently open (on purpose to make it easy). But next week we will be introducing a security token mechanism to be able to "lock" machines. In this case HTTPS…
Thanks for the feedback! To be clear, the node.js library is just a client-side library, so it should only be technically running on a single machine in most cases. Also, we only use socket.io for real-time pubsub, but…
So let's not a call it a security issue then. Let's call it an "it's too easy to delete" issue. And if that's the case, then that's what we're going for— easy. Remember, if you were truly protecting something that was…
Yes and if I were a hacker, I could do the same thing with curl. Either way the only person who's likely to do it is someone who is technically savvy.
Seriously? Look at the HTTP protocol and tell me you really believe that. Their way: DELETE /something HTTP/1.1 My way: GET /delete/something HTTP/1.1 Do you really think one is more secure than the other?
Yes this is by design to make it easy. Being able to lock things to make them private is an upcoming feature. No promises, but probably will be available this coming week.
Yeah that's pretty much it. We're not claiming anything earth shattering or new here— just something that is dead simple, and works.
Correct. Damned be the HTTP specs and REST because they are such a pain in the ass :) I built HAPI precisely because the current standards only work in a world where everyone knows how and enjoys using curl. I think you…
Agreed, in the code-readability sense it's a little on the strange side, but I wouldn't call it completely nonsense either. My thinking behind the design was that developers are a lot easier to deal with than…
It might seem like it, but it's actually not that different from a lot of REST APIs I know of. Most REST APIs return a status (in our case "this":"succeeded"), and some sort of wrapper for the actual data (in our case…
Private machines are coming soon...
Basically any device or thing that has an internet connection can publish information about itself so that it can be consumed externally. For example if you had a BeagleBone microprocessor monitoring temperatures and…
You bet, that would also be part of the paid plan.
No promises yet, but we plan on offering paid plans that could offer SLAs on latency. Although I will say we architected it from the get-go to be high throughput and low latency— it's all using redis in-memory on the…
The idea is to keep the basic platform free, but to charge to make devices private (ie writeable and readable with key authentication). Similar to the github model...