MacroLinz: Get it while it’s hot: Evernote Web Quickstart for C#

  • Daniel Marashlian · 11 months ago
    Lindsay,

    Hi, this is Daniel, the CTO over at Pelotonics. We did the first integration with Evernote and their API. I was wondering if you ever figured out how to "kill" the active Evernote session before the OAuth page is called, so it forces the user to log in every time. This way, if you're authenticating for multiple people in a row, you can force a login every time so you're not compromising the security of someone's account. Otherwise the user's session is saved in the browser (even if you're just logged onto www.evernote.com).

    Let me know if you've ever come across this.

    Thanks!
    Daniel
  • BlueCockatoo · 11 months ago
    Thanks for stopping by, Daniel!

    I've been thinking about your problem and going through scenarios but I haven't been able to figure out how to prevent users who haven't gone through the authorization process with Evernote previously from inadvertently authorizing your application for the last person who logged in to Evernote.

    I'm pretty sure there's not a way to log the user out of Evernote, at least not through the API they provide. Browsers have security measures to prevent cross-site scripting and access to another domain's cookies (which keep users logged into Evernote) would compromise that. Perhaps there's a way around it that I'm not aware of but if there is it would probably be opening a lot of security holes.

    I can see a way to figure out whether the user logged in to your application is the user who last logged into Evernote on that machine (using the UserStore.getUser method) but it would require you to keep track of the last user who logged into Evernote on that computer in your own cookie, and it wouldn't let you know if any user was currently logged into Evernote or not.

    The only option I can think of is, since you guys have a good relationship with the Evernote developers, to ask them if they would add the ability to the API to either 1) log the user out or 2) provide a method to test if there is a user currently logged in on that machine. They might not want to do this for similar security reasons as browsers prevent it... it gives third-party developers a lot of control over a user's account.

    Sorry for not being more helpful. I think you have found a flaw in general with OAuth authorization. Though OAuth proponents would probably say it's not intended for things like public shared terminals. It's not a use-case that I've had to think of before.

    If I have any revelations I'll let you know!
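The mitigation sketched in the reply above (check the identity behind the token with UserStore.getUser and compare it with the account your own application knows), worked through as an added example that is not part of the original post or of the Evernote quickstart. It is Python rather than C#, keeps the binding server side instead of in a cookie, and uses a constructed `fake_get_user` stand-in in place of the real `UserStore.getUser` call.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class EvernoteUser:
    """Subset of the User record UserStore.getUser returns (constructed stand-in)."""
    id: int
    username: str


@dataclass
class LinkStore:
    """Server-side map app_user -> Evernote user id; deliberately not a browser cookie."""
    links: Dict[str, int] = field(default_factory=dict)


def finish_oauth(app_user: str, token: str,
                 get_user: Callable[[str], EvernoteUser],
                 store: LinkStore) -> Tuple[str, str]:
    """Decide what to do with a freshly issued access token; returns (status, username).

    'ok'       token belongs to the Evernote account already bound to app_user
    'confirm'  no binding yet: show the username and require confirm_link, so a
               stranger's leftover Evernote session is noticed before it is linked
    'mismatch' token belongs to a different Evernote user: discard it, keep no token
    """
    ev = get_user(token)  # stands in for UserStore.getUser(token)
    bound = store.links.get(app_user)
    if bound is None:
        return "confirm", ev.username
    if bound != ev.id:
        return "mismatch", ev.username
    return "ok", ev.username


def confirm_link(app_user: str, token: str,
                 get_user: Callable[[str], EvernoteUser], store: LinkStore) -> None:
    """Bind app_user to the granting Evernote account after the user confirmed the name."""
    store.links[app_user] = get_user(token).id


# Constructed stand-in for the Evernote service: access token -> account that granted it
_FAKE_ACCOUNTS = {
    "tok-alice-1": EvernoteUser(1001, "alice"),
    "tok-alice-2": EvernoteUser(1001, "alice"),  # alice's browser session still active
    "tok-carol": EvernoteUser(1003, "carol"),
}

def fake_get_user(token: str) -> EvernoteUser:
    return _FAKE_ACCOUNTS[token]
```

The shared-terminal case is the `confirm` path: when a second app user authorizes while the previous person's Evernote session is still open, the displayed Evernote username does not match theirs, and nothing is stored until they confirm it.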
  • Adriana · 11 months ago
    I am new to Evernote and excited about getting started : )
  • stevecooperorg · 5 months ago
    Thanks for this. This is a great starting point, and it's a really valuable contribution. I'm just starting out with both Evernote and its API, and this solution is very much appreciated.