Saturday 16 May 2009

Facebook's walled garden is still walled with open API

I'm not sure why, but I recently got on Twitter again. But I don't like to keep a website always open in my browser; it's much more convenient to have a desktop app do the useful work for me. Personal preference, I guess... Going minimalistic, I found a reasonably nice one for the job, called Mitter.

Then I got thinking, since I spend much more time on Facebook (FB), why not have the same thing for that? An app that lets me see my friends' statuses, comment on them, update my own, see their comments on the update, these kinds of things.... FB has its own API, so there should be so many opportunities to do just this. Well, cannot say I found many... I heard that Tweetdeck will have some integration, but that's just too big for me - don't want to install all that Adobe AIR at the moment for this (and wouldn't have that much space for that on my EeePC anyway).

So what should we do? Check out how to make one ourselves... Actually, switching out Mitter's internals and replacing them with FB calls could work - in theory. But replacing something written by another person is always more complicated than one thinks at first. That leaves "from scratch".

Next step, check out the FB API documentation. Yeah, status.set is for example the first thing I want to be able to do. How to get around to do that?

Well - nothing is as easy as it seems. Twitter lets you use any app you desire for any purpose. You can just hack together your own and distribute it, and it will be just fine....
FB, however, wants to control exactly what happens, who has access, and how much. And in the process, it makes certain apps impossible.

To illustrate what I'm talking about, here's the process I figured out for using a simple desktop app, written in Python, to update my status:
  1. Create a new application on FB - Developers. When done, set its type to "desktop".
  2. On your app's page, note the "API Key" and "Application Secret" (Secret Key). The API Key identifies your app, the Secret Key is needed for your app to make API calls. As far as I could figure out, this is so that your app does not get hijacked by someone just by knowing your API Key (which is public). But the need for this Secret Key makes all the difference (more on it later).
  3. Set up the permission for this app to update your status. See Extended Permissions in the wiki. More specifically, point your browser to a special web address, and set the permissions there. After that you can remove permissions from the usual settings tab, but there in the settings there is no list of all available permissions, only those that your app specifically asked for. I guess "publish_stream" and "read_stream" should be enough most of the time.
At this point you are ready to start coding and hope for the best.

Now the things that bug me:
  • Since you have to keep your Secret Key, well, secret (by the terms of service as well, I think), one cannot really make an open source desktop app - it wouldn't be able to make any API calls without the key... In the wiki some people argued that even closed source apps are not safe at all - just because you compile something it does not mean that hackers cannot reverse engineer it... What could one do?
    Suggestions include e.g. having a web interface for your desktop app that would handle the login and the login only. This is doubly annoying, since I didn't want to write a web app, but a desktop one, and the login authentication will still be done by FB anyway - so a lot of complexity for nothing.
    Another suggestion is that all your users have to have their own version of the app, with their own API and Secret Keys, and everything... That pretty much rules out all of the non-geeks, and say bye-bye to any branding or community dreams...
  • The login is always handled by FB. No way around it. You have to have a browser, and your app has to go to a special address and get some info back from FB (a "session key") to be able to operate...
Well, so far this much, since I didn't get much into things yet. But these are already enough to put me off a little...
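
An added example, not code from the original post or from minibook: a pre-release check showing that compiling a Python client does not hide a Secret Key literal, while keeping the secret on a login helper leaves the shipped artifact clean. The key values, the helper URL and the 32-hex-character secret shape are assumptions constructed for the example.

```python
import marshal
import re

# Assumption: a secret looks like 32 lowercase hex characters.
SECRET_SHAPE = re.compile(rb"[0-9a-f]{32}")

PUBLIC_API_KEY = "0123456789abcdef0123456789abcdef"  # constructed value

# Constructed client source that ships the Secret Key inside the app.
EMBEDDED_SOURCE = '''
API_KEY = "0123456789abcdef0123456789abcdef"
SECRET_KEY = "00112233445566778899aabbccddeeff"
'''

# Constructed client source that leaves the secret on a login helper
# (hypothetical URL); only the public API Key ships.
PROXY_SOURCE = '''
API_KEY = "0123456789abcdef0123456789abcdef"
LOGIN_HELPER = "https://login-helper.example/session"
'''


def build_artifact(source):
    """Compile source to marshalled bytecode, the payload of a .pyc file."""
    return marshal.dumps(compile(source, "client.py", "exec"))


def find_embedded_secrets(artifact, allowed=()):
    """Return secret-shaped strings found in artifact, minus public ones."""
    hits = {m.group().decode() for m in SECRET_SHAPE.finditer(artifact)}
    return sorted(hits - set(allowed))


def release_check(artifact, allowed=()):
    """True when the artifact is safe to ship: no secret-shaped strings."""
    return not find_embedded_secrets(artifact, allowed)


if __name__ == "__main__":
    for name, src in (("embedded", EMBEDDED_SOURCE), ("proxy", PROXY_SOURCE)):
        found = find_embedded_secrets(build_artifact(src), [PUBLIC_API_KEY])
        print(name, "->", found or "clean")
```

The same scan can be pointed at any build output read as bytes, with the public API Key passed in `allowed`.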

Never mind, at the moment there's a very tiny and badly written, but functioning version of my status updater, minibook. The source can be found at the minibook github repo. It does not do much: it logs you in and is able to send status updates. It is badly written because it's basically a gtk.Entry example, modified. So any comment is appreciated, but don't think it will stay like this for long. If you feel like it, you can even fork it and help make it better... At the moment it works under Linux, but I haven't tried it under Windows. Will try that next time I get around to booting into Windows ;) .

In the end I got my Twitter-esque status updates, from my own app, but only by jumping through hoops and not really being able to share the results with many people. Just following the usual motto: "Why do you do it? Because I can."