Since not all mp3 players support Basic/Digest authentication, we'll need to come up with an alternative.

Restrictions:
* Basic/Digest Auth is out since it needs client support.

Options:
1. Pass credentials in the URL.
- Username can be passed in the clear
- Password should not be passed in the clear (MD5 hash, etc.)
- Should credentials include an "expiration date" after which the URL will no longer function?
- If not, we risk our M3U files becoming vehicles for piracy (once you get one URL, you can guess most of the collection URLs)
- Problem: M3U lists will expire
- Solution: Allow "renewal" of M3U via http auth if player supports it.
- Don't use the user's password; instead, create a meaningless "ticket" attached to the username that expires after a day. The ticket should be unique to the user and the track so that it can't be used for any other track. That is, the only way to create a ticket is through the djedna webapp as a logged-in user.
- Maybe with this solution we don't have to "expire" M3Us.
- MD5 hash created from username, password, track slug
- Or, pass username and MD5 hash created from password and track slug.
- Maybe with this solution we don't have to "expire" M3Us.
- Here's a code snippet for allowing djedna (via mod_python) to do only the authentication and then let Apache actually serve the file. Note: we shouldn't rely solely on the cookie-based version that's in the snippet (it can be one option), because the mp3 player will either not support cookies or have its own cookie (different from the browser cookie). However, if we can do this, we can pull the info off the URL and validate it in mod_python.
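One way to build and validate the per-user, per-track expiring ticket described in the options above, as an added sketch that is not djedna's own code. It swaps the MD5-of-password idea for HMAC-SHA256 over a server-side secret; the secret, the URL layout and the `user`/`expires`/`ticket` parameter names are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a secret held only by the webapp (constructed demo value).
SECRET = b"constructed-demo-secret"
TICKET_LIFETIME = 24 * 60 * 60  # one day, as proposed in the notes


def _sign(username, track_slug, expires):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") sign differently.
    fields = (username.encode(), track_slug.encode(), str(expires).encode())
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_track_url(base, username, track_slug, now=None):
    """URL to write into an M3U for a logged-in user (hypothetical layout)."""
    expires = int(time.time() if now is None else now) + TICKET_LIFETIME
    query = urlencode({"user": username, "expires": expires,
                       "ticket": _sign(username, track_slug, expires)})
    return f"{base}/{track_slug}.mp3?{query}"


def check_track_url(url, now=None):
    """Return the username if the ticket is valid for this track, else None."""
    parts = urlsplit(url)
    name = parts.path.rsplit("/", 1)[-1]
    if not name.endswith(".mp3"):
        return None
    track_slug = name[:-len(".mp3")]
    params = parse_qs(parts.query)
    try:
        username = params["user"][0]
        expires = int(params["expires"][0])
        ticket = params["ticket"][0]
    except (KeyError, ValueError):
        return None
    if expires < int(time.time() if now is None else now):
        return None  # expired: the M3U has to be renewed through the webapp
    expected = _sign(username, track_slug, expires)
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode(), ticket.encode()):
        return None
    return username
```

Because the track slug and expiry are part of the signed message, a URL copied from one M3U entry cannot be edited to fetch a different track or to extend its lifetime.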
