I've just finished writing a custom PHP implementation of TypeKey. I realise that this has been done before (e.g. Solar_Auth_TypeKey) - it just seemed to be the best way to learn how it all worked.
My final problems came as the result of two errors in the explanation of the 'sig' field in both versions of the TypeKey API manual on the sixapart website.
One error is just confusing, the other is catastrophic. Obviously many developers must have already spotted and corrected the errors (presumably by reading the source code to find what the API *really* is), because I have found implementations on the web which work correctly.
Here's what the manuals say:
The DSA signature of the string formed by concatenating the following values, separated by double-colons:
<site-token> is the parameter <t> that was passed to TypeKey. To give an example, if I was ``Napoleon Bonaparte'' <firstname.lastname@example.org> with a login name of 'napster', and I logged in from an app with TypeKey token hql3XGNq1fB1cSjlCZ3i at 2001-09-08 19:00:00 (or 1000000800 seconds from the epoch), sig would be the signature for this string:
The confusing error is in the example, which is in the form:-
<email>::<nick>::<name>::<ts>::<site-token>, rather than <email>::<name>::<nick>::<ts>::<site-token> as it should be.
The catastrophic error is that the signature is actually of the form:
i.e. without the <site-token> on the end!
Thus the example should read:
(Should Napoleon be spelt correctly?!)
Obviously the manuals should be corrected ASAP. Hopefully someone here knows how to get that to happen, or knows who I should be telling... Or can really surprise me by explaining why these aren't actually errors! :-)
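
Added example, not part of the original post and not Six Apart's code: a PHP harness that checks one signature against each field layout mentioned above, which is one way to pin down a mismatch between documentation and implementation. The key pair is generated locally as a stand-in for the service's DSA key, the digest and signature encoding are simply what `openssl_sign` produces rather than the service's wire format, and `LAYOUTS`, `signed_string` and `matching_layouts` are hypothetical names.

```php
<?php
// Candidate layouts of the signed string, as discussed in the post.
const LAYOUTS = [
    'manual text'    => ['email', 'name', 'nick', 'ts', 'token'],
    'manual example' => ['email', 'nick', 'name', 'ts', 'token'],
    'observed'       => ['email', 'name', 'nick', 'ts'],
];

// Join the chosen fields with double colons, in the given order.
function signed_string(array $fields, array $order): string
{
    return implode('::', array_map(fn($key) => $fields[$key], $order));
}

// Return the name of every layout under which $sig verifies.
function matching_layouts(array $fields, string $sig, string $publicKeyPem): array
{
    $hits = [];
    foreach (LAYOUTS as $name => $order) {
        $message = signed_string($fields, $order);
        // openssl_verify returns 1 (valid), 0 (invalid) or -1/false (error).
        // -1 is truthy, so only a strict comparison with 1 counts as valid.
        if (openssl_verify($message, $sig, $publicKeyPem, OPENSSL_ALGO_SHA256) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed stand-in key pair; a real verifier loads the service's public key.
$private = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_DSA,
    'private_key_bits' => 2048,
]);
if ($private === false) {
    exit("DSA key generation failed\n");
}
$public = openssl_pkey_get_details($private)['key'];

// Sample values from the manual's example as quoted in the post.
$fields = [
    'email' => 'firstname.lastname@example.org',
    'name'  => 'Napoleon Bonaparte',
    'nick'  => 'napster',
    'ts'    => '1000000800',
    'token' => 'hql3XGNq1fB1cSjlCZ3i',
];

// Play the signer's role using the four-field layout, then test all three.
if (!openssl_sign(signed_string($fields, LAYOUTS['observed']), $sig, $private, OPENSSL_ALGO_SHA256)) {
    exit("signing failed\n");
}
print_r(matching_layouts($fields, $sig, $public));
```

A signature covers exact bytes, so a verifier that appends the token or swaps two fields rejects every login even though the key and signature are both correct.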